convert mysql to PDO statement
This is the login function written using the MySQL way. However, the problem exists when it is converted into the PDO way.
MYSQL:
<?
function confirmUser($username, $password){
    global $conn;
    if(!get_magic_quotes_gpc()) {
        $username = addslashes($username);
    }
    /* Verify that user is in database */
    $q = "select UserID,UserPW from user where UserID = '$username'";
    $result = mysql_query($q,$conn);
    if(!$result || (mysql_numrows($result) < 1)){
        return 1; //Indicates username failure
    }
    /* Retrieve password from result, strip slashes */
    $dbarray = mysql_fetch_array($result);
    $dbarray['UserPW'] = stripslashes($dbarray['UserPW']);
    $password = stripslashes($password);
    /* Validate that password is correct */
    if($password == $dbarray['UserPW']){
        return 0; //Success! Username and password confirmed
    }
    else{
        return 2; //Indicates password failure
    }
}
PDO:
<?
function confirmUser($username, $password){
    global $conn;
    include("connection/conn.php");
    $sql = '
        SELECT COALESCE(id,0) is_row
        FROM user
        WHERE UserID = ?
        LIMIT 1
    ';
    $stmt = $conn->prepare($sql);
    $stmt->execute(array('09185346d'));
    $row = $stmt->fetch();
    if ($row[0] > 0) {
        $sql = '
            SELECT COALESCE(id,1) is_row
            FROM user
            WHERE UserPW = ?
            LIMIT 1
        ';
        $stmt = $conn->prepare($sql);
        $stmt->execute(array('asdasdsa'));
        $row = $stmt->fetch();
        if ($row[0] > 0)
            return 2;
        else
            return 0;
    }
    elseif ($row[0] = 0)
    {return 1;}
}
What is the problem?? And is it necessary to include bind parameter in PDO??? THANKS
Aside from your use of global and your include inside the function (you should investigate an alternative way of structuring your function not to do this), I would change the code as follows:
$sql =
    'SELECT id
    FROM user
    WHERE UserID = ?
    AND UserPW = ?
    LIMIT 1';
$stmt = $conn->prepare($sql);
$stmt->execute(array(
    '09185346d',
    'asdasdsa'
));
if ($stmt->rowCount() == 1) {
    return 0;
}
else {
    return 1;
}
Combining the queries to give a general Authentication error, instead of allowing people to trial valid usernames, and then valid passwords, and then using PDOStatement's rowCount method to see if your row was returned.
To answer your second part, it is not necessary to specifically use bindParam to prevent SQL injection.
Here's a quick example of the difference between bindParam and bindValue
$param = 1;
$sql = 'SELECT id FROM myTable WHERE myValue = :param';
$stmt = $conn->prepare($sql);
Using bindParam
$stmt->bindParam(':param', $param);
$param = 2;
$stmt->execute();
SELECT id FROM myTable WHERE myValue = '2'
Using bindValue
$stmt->bindValue(':param', $param);
$param = 2;
$stmt->execute();
SELECT id FROM myTable WHERE myValue = '1'
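Added example, not part of the original question or answer: a confirmUser that binds the caller's $username instead of a literal and returns one generic failure code, in line with the answer's point about not revealing which half of the login was wrong. It goes beyond the page by assuming UserPW stores a password_hash() digest rather than plaintext; the in-memory SQLite table and the account 'alice' are constructed for the demo.

```php
<?php
// Constructed in-memory SQLite table standing in for the page's `user` table.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, UserID TEXT UNIQUE, UserPW TEXT)');

// Constructed sample account. Assumption: UserPW holds a password_hash() digest
// (the page's code compares plaintext passwords).
$ins = $conn->prepare('INSERT INTO user (UserID, UserPW) VALUES (:uid, :pw)');
$ins->bindValue(':uid', 'alice');
$ins->bindValue(':pw', password_hash('correct horse', PASSWORD_DEFAULT));
$ins->execute();

/**
 * Returns 0 on success and 1 on any failure, so a caller cannot tell
 * an unknown username from a wrong password.
 */
function confirmUser(PDO $conn, string $username, string $password): int
{
    $stmt = $conn->prepare('SELECT UserPW FROM user WHERE UserID = :uid LIMIT 1');
    // bindValue copies the value at bind time; it travels as data, never as SQL text.
    $stmt->bindValue(':uid', $username, PDO::PARAM_STR);
    $stmt->execute();
    $hash = $stmt->fetchColumn(); // false when no row matched

    // Verify against a dummy digest for unknown users so both paths do similar work.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash === false ? $dummy : $hash);

    return ($ok && $hash !== false) ? 0 : 1;
}

// Constructed inputs: valid login, wrong password, unknown user, injection-style username.
var_dump(confirmUser($conn, 'alice', 'correct horse'));
var_dump(confirmUser($conn, 'alice', 'wrong'));
var_dump(confirmUser($conn, 'nobody', 'correct horse'));
var_dump(confirmUser($conn, "' OR '1'='1", 'x'));
```

Only the first call succeeds; the quote-laden username is looked up as a literal string and simply matches no row.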