[英]I have a problem with mysql and php
I have a problem, this is my code: 我有一个问题,这是我的代码:
$db = new mysqli("localhost", "root", "", "blah");
$result1 = $db->query("select * from c_register where email = '$eml' and password = '$pass'");
if($result1->fetch_array())
{
$auth->createSession();
$_SESSION['user'] = 'client';
promptUser("You have successfully logged in!!!","index.php");
}
$db = new mysqli("localhost", "root", "", "blah");
$result2 = $db->query("select * from b_register where email = '$eml' and password = '$pass'");
if($result2->fetch_array())
{
$auth->createSession();
$_SESSION['user'] = 'business';
promptUser("You have successfully logged in!!!","index.php");
}
$db = new mysqli("localhost", "root", "", "blah");
$result3 = $db->query("select * from g_register where email = '$eml' and password = '$pass'");
if($result3->fetch_array())
{
$auth->createSession();
$_SESSION['user'] = 'employee';
promptUser("You have successfully logged in!!!","index.php");
}
$db = new mysqli("localhost", "root", "", "blah");
$result4 = $db->query("select * from k_register where email = '$eml' and password = '$pass'");
if($result4->fetch_array())
{
$auth->createSession();
$_SESSION['user'] = 'super';
promptUser("You have successfully logged in!!!","index.php");
}
else
{
promptUser("Username/Password do not match. Please try again!!!","");
}
Funny enough this code works, but I no that I went about it the wrong way. 有趣的是,此代码有效,但我不以错误的方式进行操作。 I am new with php and mysql, so please help.
我是php和mysql的新手,所以请帮忙。 I also tried eg
result4->free();
我也尝试过例如
result4->free();
for all the variable that save the data, and I got this error: Fatal error: Call to a member function free() on a non-object in... 对于所有保存数据的变量,我得到此错误: 致命错误:在...中的非对象上调用成员函数free()
Don't repeat yourself. 不要重复自己。 You already made your mysqli object, so reuse it.
您已经创建了mysqli对象,因此可以重用它。 For example:
例如:
$db = new mysqli("localhost", "root", "", "blah");
$result1 = $db->query("select * from c_register...");
$result2 = $db->query("select * from d_register...");
$result3 = $db->query("select * from e_register...");
This will make your code more legible, and easier to modify later. 这将使您的代码更易读,并且以后更容易修改。
mysqli::query() returns a result object only after a successful query. mysqli :: query()仅在成功查询后才返回结果对象。
You need to build in a check: 您需要进行检查:
if(($result1 != false) and ($result1->fetch_array())) // The same for 2,3,4...
you should get the error message using 您应该使用以下错误消息
echo $db->error;
From PHP Manual: mysqli::query returns TRUE on success or FALSE on failure. 从PHP手册开始:mysqli :: query成功返回TRUE,失败返回FALSE。 For SELECT, SHOW, DESCRIBE or EXPLAIN mysqli_query() will return a result object.
对于SELECT,SHOW,DESCRIBE或EXPLAIN,mysqli_query()将返回结果对象。
So you should test it: 因此,您应该对其进行测试:
if ($result != false) {
...
} else {
// print error or whatever
}
Btw. 顺便说一句。 it is
VERY DANGEROUS not to
escape variables like
$eml
and $pass
- if a user type as $pass
something like: bleh' OR 1 = 1 OR password = 'bleh
, then the whole query will look like: 非常危险,不要
转义
$eml
和$pass
类的变量-如果用户类型为$pass
东西: bleh' OR 1 = 1 OR password = 'bleh
,则整个查询将类似于:
select * from b_register where email = 'some@email.com' and password = 'bleh' OR 1 = 1 OR password = 'bleh'
and the user will get logged without knowing the password! 用户将在不知道密码的情况下登录!
Therefore you should use: 因此,您应该使用:
mysql_real_escape_string($eml)and the same for
$pass
.
$pass
。
Or even better: use statement preparing and parameters binding - see: http://pl2.php.net/manual/en/mysqli.prepare.php
甚至更好:使用语句准备和参数绑定 -参见: http : //pl2.php.net/manual/en/mysqli.prepare.php
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.