I am writing a PHP login form and I would like to use PDO for the DB connection and for writing my queries. Actually I am very new to PDO statements, but in order to avoid SQL injection I would prefer to use it. I would appreciate it if someone could kindly help me rewrite my query with PDO.
This is my code:
    $qry = "SELECT * FROM member WHERE username='$username' AND password='$password'";
    $result = mysql_query($qry);
    // Check whether the query was successful or not
    if ($result) {
        if (mysql_num_rows($result) > 0) {
            // Login successful
            session_regenerate_id();
            $member = mysql_fetch_assoc($result);
            $_SESSION['SESS_MEMBER_ID']  = $member['mem_id'];
            $_SESSION['SESS_FIRST_NAME'] = $member['username'];
            $_SESSION['SESS_LAST_NAME']  = $member['password'];
            session_write_close();
            header("location: home.php");
            exit();
        } else {
            // Login failed
            $errmsg_arr[] = 'user name and password not found';
            $errflag = true;
            if ($errflag) {
                $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
                session_write_close();
                header("location: index.php");
                exit();
            }
        }
    } else {
        die("Query failed");
    }
I tried

    $stmt = $conn->prepare("SELECT * FROM member WHERE username = :username and password = :password");

and

    $stmt->execute(array(':username' => $username, ':password' => $password));

but I don't know how I can rewrite the part related to "check if query was successful".
You could just use rowCount() in this case to check:
    $stmt = $conn->prepare("SELECT * FROM member WHERE username = :username and password = :password");
    $stmt->execute(array(':username' => $username, ':password' => $password));
    if ($stmt->rowCount() > 0) {
        // the SELECT found matching rows
        $member = $stmt->fetch(PDO::FETCH_ASSOC);
        session_regenerate_id();
        $_SESSION['SESS_MEMBER_ID']  = $member['mem_id'];
        $_SESSION['SESS_FIRST_NAME'] = $member['username'];
        $_SESSION['SESS_LAST_NAME']  = $member['password'];
        session_write_close();
        header("location: home.php");
        exit();
    }
Try -
    $stmt = $conn->prepare("SELECT * FROM member WHERE username = :username and password = :password");
    $stmt->bindValue(':username', $username);
    $stmt->bindValue(':password', $password);
    $stmt->execute();
    // fetch() returns false when no row matched
    $result = $stmt->fetch(PDO::FETCH_OBJ);
    if (!empty($result)) {
        # Login successful
        $_SESSION['SESS_MEMBER_ID']  = $result->mem_id;
        $_SESSION['SESS_FIRST_NAME'] = $result->username;
        $_SESSION['SESS_LAST_NAME']  = $result->password;
        header("location: home.php");
        exit(); // stop executing after the redirect header
    } else {
        # Login failed
        $errmsg_arr[] = 'user name and password not found';
        $errflag = true;
        if ($errflag) {
            $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
            header("location: index.php");
            exit(); // stop executing after the redirect header
        }
    }
Note that for INSERT, UPDATE, DELETE etc. you can use `$count = $stmt->rowCount();` followed by `if ($count > 0)`, but as of yet it doesn't perform reliably with SELECT.
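Pulling the two answers together, here is an added example (not code from the question or either answer) of the PDO login check done with fetch() rather than rowCount(), and with PDO::ERRMODE_EXCEPTION standing in for the question's die("Query failed") branch. It assumes the `member` table from the question (columns mem_id, username, password) and, as a departure from the question's query, that the password column holds a password_hash() value instead of plaintext, so the password is checked with password_verify() in PHP rather than in the SQL WHERE clause.

```php
<?php
// Added example, not the question's or either answer's code.
// Assumed schema: member(mem_id, username, password) with password
// holding a password_hash() value (constructed assumption).

function authenticateMember(PDO $pdo, string $username, string $password): ?array
{
    // The placeholder keeps the submitted username out of the SQL text,
    // so a quote or keyword in the input is treated as data, not syntax.
    $stmt = $pdo->prepare(
        'SELECT mem_id, username, password FROM member WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);

    // fetch() returns false when no row matched: this replaces the
    // mysql_num_rows() > 0 check from the question.
    $member = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($member === false) {
        return null;
    }

    // Compare the submitted password against the stored hash.
    if (!password_verify($password, $member['password'])) {
        return null;
    }

    unset($member['password']); // do not carry the hash into the session
    return $member;
}

// Constructed demo data in an in-memory SQLite database so this runs offline.
$pdo = new PDO('sqlite::memory:');
// With ERRMODE_EXCEPTION a failed query throws instead of returning false,
// so no separate "query failed" branch is needed after execute().
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE member (mem_id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$ins = $pdo->prepare('INSERT INTO member (username, password) VALUES (:u, :p)');
$ins->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(authenticateMember($pdo, 'alice', 'correct horse'));  // array with mem_id and username
var_dump(authenticateMember($pdo, 'alice', 'wrong password')); // null
var_dump(authenticateMember($pdo, "o'brien", 'anything'));     // null, and no SQL error from the quote
```

On a successful return, store only `$member['mem_id']` and `$member['username']` in `$_SESSION` after session_regenerate_id(), then redirect and exit() as in the question's code.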