Updated...
I am writing prepared statements and I´m getting this error message:
Notice: Undefined index: username in C:\\Program Files (x86)\\EasyPHP-12.1\\www\\inlogg_och_lagar\\core.inc.php on line 34
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1' in C:\\Program Files (x86)\\EasyPHP-12.1\\www\\inlogg_och_lagar\\core.inc.php:34 Stack trace: #0 C:\\Program Files (x86)\\EasyPHP-12.1\\www\\inlogg_och_lagar\\core.inc.php(34): PDOStatement->execute(Array) #1 C:\\Program Files (x86)\\EasyPHP-12.1\\www\\inlogg_och_lagar\\index.php(23): getuserrow('username') #2 {main} thrown in C:\\Program Files (x86)\\EasyPHP-12.1\\www\\inlogg_och_lagar\\core.inc.php on line 34
Can someone tell me what I am doing wrong? It´sa simple login script.
Here is the loginform.inc.php
<?php
if (isset($_POST['username'])&&isset($_POST['password'])) {
$username = $_POST['username'] ;
$password = $_POST['password'] ;
$password_hash = md5 ($password);
if ($username && $password)
{
$query ="SELECT * FROM USERDATA where `username` = :username AND `password` = :password";
$stmt = $pdo->prepare($query);
$stmt->execute(array(
':username' => $_POST['username'],
':password' => $password_hash
));
$row = (bool) $stmt->fetch();
if (!$rows)
{
echo '<p class="warning">Fel användarnamn/lösenords kombination.</p>';
} else {
$_SESSION['user_id'] = $row;
header('Location: index.php');
exit;
}
} else {
echo '<p class="warning">Du måste fylla i ett användarnamn och lösenord</p>';
}
}
?>
<!--- LOGIN FORM --->
<div id="form-column">
<p>You need to be loggedin.</p>
<p>Fill out username and password.</p>
<form action="<?php echo $current_file; ?>" method="POST">
Användarnamn: <input type="text" name="username">
Lösenord: <input type="password" name="password">
<input type="submit" value="Log in">
</form>
</div>
Here is the core.inc.php
<?php
ob_start();
session_start();
$current_file = $_SERVER['SCRIPT_NAME'];
if (isset($_SERVER['HTTP_REFERER'])&&!empty($_SERVER['HTTP_REFERER'])) {
$http_referer = $_SERVER['HTTP_REFERER'];
}
function loggedin () {
if (isset($_SESSION['user_id'])&&!empty($_SESSION['user_id'])) {
return true;
} else {
return false;
}
}
function getuserrow ($row) {
$sql ="SELECT * FROM USERDATA where id = ?".$_SESSION['user_id']."'";
global $pdo;
$stmt = $pdo->prepare($sql);
$stmt->execute(array($_POST['username']));
$row = $stmt->fetch();
}
?>
And here is the connect.inc.php
<?php
$dsn = "mysql:host=localhost;dbname=users;charset=utf8";
$opt = array(
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
);
$pdo = new PDO($dsn,'root','', $opt);
?>
Your PDO object is defined as $pdo
, but later referenced as $dbh
:
From connect.inc.php
:
$pdo = new PDO($dsn,'root','', $opt);
From loginform.inc.php
:
global $dbh; // ... $stmt = $dbh->prepare($sql);
Furthermore, loginform.inc.php
does not appear to include connect.inc.php
.
You are missing second parameter at $stmt->execute(array($_POST['username']))
it should be
$sql ="SELECT * FROM USERDATA where username = ? AND password = ?";
$stmt = $pdo->prepare($sql);
$stmt->execute(array($_POST['username'], md5($_POST['password'])));//<== here
Replace this,
global $pdo; // <- You don't need this one
$sql ="SELECT * FROM USERDATA where username = ? AND password = ?";
$stmt = $pdo->prepare($sql);
$stmt->execute(array($_POST['username']));
$row = $stmt->fetch();
with
$query ="SELECT * FROM USERDATA where `username` = :username AND `password` = :password";
$stmt = $pdo->prepare($query);
$stmt->execute(array(
':username' => $_POST['username'],
':password' => $password_hash
));
$row = (bool) $stmt->fetch();
In order to avoid situations like this one, you'd better stick with named placeholders instead of unnamed ones (like ?
).
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.