What's wrong with this MySQL query? (using PDO)

This is my first time trying to use Named Placeholders so I'm sure I have a syntax error somewhere... I just don't see it. I am following the directions I found here. I am expecting the array, $authResults, to contain the row that has $user's information if the password matches $pass.

If my query is simply SELECT * FROM user it works. Obviously, that won't work in a production environment. :-)

Here's what I have so far:

$user= "Test";
$pass= "ba6c064dfdb1b7b4938bf82585a8332c89270303b6d75007f0b25feffe33b90bd34d3732acf4be708c85708c39ff6c28b87235663238b8fbfe2c4439258cc883";

$db = new PDO('mysql:host=localhost;dbname=test;charset=utf8', 'admin', 'pass');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

//query database to see if username/password match up
$authQuery = $db->prepare("SELECT * FROM user WHERE username=:usr AND password=:pwd");  // search for username and password
$authQuery->bindValue(':usr', $user, PDO::PARAM_STR);
$authQuery->bindValue(':pwd', $pass, PDO::PARAM_STR);
$authQuery->execute();
$authResults = $authQuery->fetchAll(PDO::FETCH_ASSOC);


echo "<br><br>authResults:<pre>";
print_r($authResults);
echo "</pre>";

Thoughts?

Here's the output that's echoed at the end of my file:

authResults:
Array
(
)

There are no error messages. Is there a character limit for PHP variables or for MySQL queries?

That simply means that your query hasn't matched anything. Be careful about how your user/pass are stored in your table.

To answer the question you asked about how you would go about this:

// simple database structure
CREATE TABLE usrpwdkeys(
  usr TINYBLOB NOT NULL,
  pwd TINYBLOB NOT NULL
)ENGINE=INNODB;
INSERT usrpwdkeys VALUES ('C@x9H7^nb*','a_MF8B2&bx');
CREATE TABLE usrpwd(
  pk BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  usr BLOB NOT NULL,
  pwd BLOB NOT NULL
)ENGINE=INNODB;

// put your database connection on a secure page - restricted/connect.php
<?php
function db(){
  return new mysqli('host', 'username', 'password', 'database');
}

// putting the results into the database - newuser.php
<?php
$error = '';
if(isset($_POST['sub']) && !empty($_POST['user']) && !empty($_POST['pass'])){
  include_once 'restricted/connect.php'; $db = db();
  if($db->connect_error)die('connection failed');
  $upk = $db->query('SELECT * FROM usrpwdkeys'); $kys = $upk->fetch_row(); // $kys[0] = username key, $kys[1] = password key
  $upk->free(); $usr = $db->real_escape_string(trim($_POST['user']));
  $pwd = sha1(md5($usr).$db->real_escape_string(trim($_POST['pass'])).'a5cJ');
  $uxs = $db->query("SELECT pk FROM usrpwd WHERE usr=AES_ENCRYPT('$usr','$kys[0]')");
  if($uxs->num_rows > 0){
    $error = 'Username in Use'; // error on password shows too much
  }
  elseif($db->query("INSERT usrpwd (usr,pwd) VALUES (AES_ENCRYPT('$usr','$kys[0]'), AES_ENCRYPT('$pwd','$kys[1]'))")){
    header('LOCATION:wherever.php'); // goes to other page
  }
  else{
    die('problem');
  }
  $uxs->free(); $db->close();
}
// Should be much more complex than just this - HTML structure should be below

// simple login - login.php
<?php
session_start(); $error = '';
if(isset($_POST['sub']) && !empty($_POST['user']) && !empty($_POST['pass'])){
  include_once 'restricted/connect.php'; $db = db();
  if($db->connect_error)die('connection failed');
  $upk = $db->query('SELECT * FROM usrpwdkeys'); $kys = $upk->fetch_row(); // same key row as newuser.php
  $upk->free(); $usr = $db->real_escape_string(trim($_POST['user']));
  $pwd = sha1(md5($usr).$db->real_escape_string(trim($_POST['pass'])).'a5cJ'); // must be derived exactly as at registration
  $log = $db->query("SELECT pk FROM usrpwd WHERE usr=AES_ENCRYPT('$usr','$kys[0]') && pwd=AES_ENCRYPT('$pwd','$kys[1]')");
  if($log->num_rows > 0){
    $_SESSION['log'] = 'Ao@8a!45'; $_SESSION['usr'] = $usr;
    header('LOCATION:wherever.php'); // goes to other page that should retest against database
  }
  else{
    $error = 'Invalid Password and/or Username';
  }
  $log->free(); $db->close();
}
// once again should be way more complex

Naturally, you would probably want to use regular expressions for the username and password. The library PHPglue can take care of most, if not all, of your Stick Form Regular Expression Error Handling.
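The question's empty $authResults and the answer's point about how the credentials are stored both come down to the same thing: an empty result set from a prepared statement is not an error, it only means no row satisfied the WHERE clause. The following is an added example, not code from the question or the answer above, showing a PDO login flow with named placeholders where the stored value is a password_hash() result and the comparison is done with password_verify() rather than in the WHERE clause. It uses an in-memory SQLite database so it runs offline; the table name, column names and the sample user are constructed for the example.

```php
<?php
// Added example: PDO named placeholders + password_hash()/password_verify().
// SQLite in-memory database and the "user" table layout are assumptions for this demo.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    // password_hash() output is 60+ characters; give the column room (no truncation).
    $db->exec('CREATE TABLE user (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL
    )');
    return $db;
}

function registerUser(PDO $db, string $username, string $password): bool {
    // password_hash() salts and hashes the password; the result is what gets stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO user (username, password_hash) VALUES (:usr, :hash)');
    return $stmt->execute([':usr' => $username, ':hash' => $hash]);
}

function authenticate(PDO $db, string $username, string $password): ?array {
    // Look up by username only. A salted hash differs on every call, so it can
    // never be matched by string equality inside the WHERE clause.
    $stmt = $db->prepare('SELECT id, username, password_hash FROM user WHERE username = :usr');
    $stmt->bindValue(':usr', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch();            // false when nothing matched; no exception is raised
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;                  // same answer for unknown user and wrong password
    }
    unset($row['password_hash']);     // do not hand the hash back to callers
    return $row;
}

// Debug helper for the "empty array, no error" situation: report what the table
// actually holds for that username so it can be compared with what the script sends.
function describeStoredValue(PDO $db, string $username): string {
    $stmt = $db->prepare('SELECT LENGTH(password_hash) AS len FROM user WHERE username = :usr');
    $stmt->execute([':usr' => $username]);
    $row = $stmt->fetch();
    return $row === false ? "no row for '$username'" : "stored value is {$row['len']} characters";
}

$db = openDb();
registerUser($db, 'Test', 'correct horse battery staple');   // constructed sample user

var_dump(authenticate($db, 'Test', 'correct horse battery staple') !== null);
var_dump(authenticate($db, 'Test', 'wrong password') === null);
var_dump(authenticate($db, 'nobody', 'anything') === null);
echo describeStoredValue($db, 'Test'), PHP_EOL;
```

Two checks worth running on the original setup before suspecting the placeholder syntax: confirm a row with that exact username exists at all, and compare LENGTH(password) in the table with strlen($pass) in the script. A 128-character hex digest stored in a column narrower than that is silently truncated by MySQL in non-strict mode, after which an equality test against the full value can never match.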
