
convert mysql to PDO statement

This is the login function written the MySQL way. However, a problem appears when it is converted to the PDO way.

MySQL:

<?
function confirmUser($username, $password){
   global $conn;
   if(!get_magic_quotes_gpc()) {
      $username = addslashes($username);
   }

   /* Verify that user is in database */
   $q = "select UserID,UserPW from user where UserID  = '$username'";
   $result = mysql_query($q,$conn);
   if(!$result || (mysql_numrows($result) < 1)){
      return 1; //Indicates username failure
   }

   /* Retrieve password from result, strip slashes */
   $dbarray = mysql_fetch_array($result);
   $dbarray['UserPW']  = stripslashes($dbarray['UserPW']);
   $password = stripslashes($password);

   /* Validate that password is correct */
   if($password == $dbarray['UserPW']){
      return 0; //Success! Username and password confirmed
   }
   else{
      return 2; //Indicates password failure
   }
}

PDO:

<?
function confirmUser($username, $password){
   global $conn;

   include("connection/conn.php");

   $sql = '
      SELECT   COALESCE(id,0) is_row
      FROM     user
      WHERE    UserID = ?
      LIMIT 1
   ';

   $stmt = $conn->prepare($sql);
   $stmt->execute(array('09185346d'));
   $row = $stmt->fetch();

   if ($row[0] > 0) {
      $sql = '
         SELECT   COALESCE(id,1) is_row
         FROM     user
         WHERE    UserPW = ?
         LIMIT 1
      ';
      $stmt = $conn->prepare($sql);
      $stmt->execute(array('asdasdsa'));
      $row = $stmt->fetch();
      if ($row[0] > 0)
         return 2;
      else
         return 0;
   }
   elseif ($row[0] = 0)
   {return 1;}
}

What is the problem? And is it necessary to include bind parameters in PDO? Thanks.

Aside from your use of global and your include inside the function (you should investigate an alternative way of structuring your function so that it does not do this), I would change the code as follows:

$sql =
    'SELECT  id
    FROM     user
    WHERE    UserID = ?
    AND      UserPW = ?
    LIMIT 1';

$stmt = $conn->prepare($sql);
$stmt->execute(array(
    '09185346d',
    'asdasdsa'
));

if ($stmt->rowCount() == 1) {
    return 0;
}
else {
    return 1;
}

Combining the queries gives a general authentication error, instead of allowing people to trial valid usernames and then valid passwords, and then using PDOStatement's rowCount method to see if your row was returned.

To answer your second part, it is not necessary to specifically use bindParam to prevent SQL injection.

Here's a quick example of the difference between bindParam and bindValue.

$param = 1;

$sql = 'SELECT id FROM myTable WHERE myValue = :param';
$stmt = $conn->prepare($sql);

Using bindParam

$stmt->bindParam(':param', $param);
$param = 2;
$stmt->execute();

SELECT id FROM myTable WHERE myValue = '2'

Using bindValue

$stmt->bindValue(':param', $param);
$param = 2;
$stmt->execute();

SELECT id FROM myTable WHERE myValue = '1'
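As an added example (not code from the question or the answer above), here is the same login check written with a PDO prepared statement, a stored password hash instead of a plaintext comparison, and a single generic failure code so a caller cannot tell a missing username from a wrong password; the `user` table layout, the in-memory SQLite fixture and the sample user are assumptions constructed for the demo.

```php
<?php
// Added example, not from the original page: PDO login check with hashed
// passwords and one generic failure code. Table/column names are assumed.

function confirmUser(PDO $conn, string $username, string $password): int
{
    // The placeholder keeps user input out of the SQL text, so no
    // addslashes()/stripslashes() dance is needed.
    $stmt = $conn->prepare('SELECT UserPW FROM user WHERE UserID = ? LIMIT 1');
    $stmt->execute([$username]);
    // Check the fetched row rather than rowCount(): PHP's documentation notes
    // rowCount() is not guaranteed for SELECT statements on every driver.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user does not exist, so both
    // failure paths do roughly the same work and look the same to a caller.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password', PASSWORD_DEFAULT);
    $storedHash = ($row !== false) ? $row['UserPW'] : $dummyHash;
    $ok = password_verify($password, $storedHash);

    // 0 = success, 1 = authentication failed (never reveals which part failed)
    return ($row !== false && $ok) ? 0 : 1;
}

// Constructed fixture: in-memory SQLite with one user and a bcrypt hash.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, UserID TEXT UNIQUE, UserPW TEXT)');
$ins = $conn->prepare('INSERT INTO user (UserID, UserPW) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(confirmUser($conn, 'alice', 'correct horse'));   // valid login
var_dump(confirmUser($conn, 'alice', 'wrong password'));  // bad password
var_dump(confirmUser($conn, 'nobody', 'anything'));       // unknown user
var_dump(confirmUser($conn, "' OR '1'='1", 'anything'));  // bound, not interpolated
```

The first call returns 0 and the other three return 1; the last one shows the quote characters being treated as data by the bound parameter rather than as SQL.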
