
Updating mysql methods with PDO

I used to use PHP quite a lot some years ago, and have recently decided to update my skills. I am trying to build a forum website, and I am specifically having problems using the new PDO method of inserting data gathered from a user back into the table. The code I had using the old mysql methods (which I understand were deprecated as of version 5.5 of PHP) is

$sql = "INSERT INTO
            users(user_name, user_pass, user_email, user_date, user_level)
        VALUES('" . mysql_real_escape_string($_POST['user_name']) . "',
               '" . sha1($_POST['user_pass']) . "',
               '" . mysql_real_escape_string($_POST['user_email']) . "',
               NOW(),
               0)";

$result = mysql_query($sql);
if(!$result)
{
    //something went wrong, display the error
    echo 'Something went wrong while registering. Please try again later.';
    //echo mysql_error(); //debugging purposes, uncomment when needed
}
else
{
    echo 'Successfully registered. You can now <a href="signin.php">sign in</a> and start posting! :-)';
}

Looking up the equivalent PDO method I get this code

<?php
    $stmt = $db->prepare("INSERT INTO table(field1,field2,field3,field4,field5) VALUES(:field1,:field2,:field3,:field4,:field5)");
    $stmt->execute(array(':field1' => $field1, ':field2' => $field2, ':field3' => $field3, ':field4' => $field4, ':field5' => $field5));
    $affected_rows = $stmt->rowCount();

And so putting the two together I get this (or at least I think I do)

$stmt = $db->prepare("INSERT INTO users(user_name, user_pass, user_email, user_date, user_level)
                VALUES('" . ($_POST['user_name']) . "','" . sha1($_POST['user_pass']) . "','" . ($_POST['user_email']) . "',NOW(),0)");
$stmt->execute(array(':user_name' => $user_name, ':user_pass' => $user_pass, ':user_email' => $user_email, ':user_date' => $user_date, ':user_level' => $user_level));
//$affected_rows = $stmt->rowCount();
if (!$result) {
    //something went wrong, display the error
    echo 'Something went wrong while registering. Please try again later.';
    //echo mysql_error(); //debugging purposes, uncomment when needed
} else {
    echo 'Successfully registered. You can now <a href="signin.php">sign in</a> and start posting! :-)';
}

However, when I run it, I get a series of 'Undefined variable' errors for each field that I try to update.

My hosting provider does allow me to run the old code with a now unsupported PHP version, but I believe this to be unsafe and vulnerable to SQL injection, so as part of the (re)learning experience I thought I would try and figure out the new way of doing things.

Any help is greatly appreciated.

You're trying to apply prepared statements but doing it the wrong way. This is what you need to have:

$user_name  = $_POST['user_name'];
$user_pass  = password_hash($_POST['user_pass'], PASSWORD_BCRYPT);
$user_email = $_POST['user_email'];
$user_date  = time(); // Unix timestamp; if user_date is a MySQL DATETIME column, use date('Y-m-d H:i:s') instead
$user_level = 0;

// the SQL text contains only placeholders; the user-supplied values never become part of it
$stmt = $db->prepare("INSERT INTO
                users(user_name, user_pass, user_email, user_date, user_level)
            VALUES(:user_name, :user_pass, :user_email, :user_date, :user_level)");

// execute() returns false on failure (unless PDO is set to throw exceptions), so keep its result
$result = $stmt->execute(array(':user_name' => $user_name, ':user_pass' => $user_pass, ':user_email' => $user_email, ':user_date' => $user_date, ':user_level' => $user_level));
//$affected_rows = $stmt->rowCount();
if(!$result)
{
    //something went wrong, display the error
    echo 'Something went wrong while registering. Please try again later.';
    //print_r($stmt->errorInfo()); //debugging purposes, uncomment when needed
}
else
{
    echo 'Successfully registered. You can now <a href="signin.php">sign in</a> and start posting! :-)';
}

The execute statement binds each key in the array to the corresponding placeholder in the query. You might also want to do some research on the password hash function.
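As an added, self-contained example (not code from the question or the answer above): a complete PDO registration routine that shows why the placeholder version is immune to the injection the asker was worried about. It uses an in-memory SQLite database instead of MySQL so it runs offline; the `users` table mirrors the one in the question, the helper names (`connect`, `registerUser`, `authenticate`) and the sample inputs are mine, and `date('Y-m-d H:i:s')` is bound as a portable stand-in for MySQL's `NOW()`.

```php
<?php
// Added example: PDO prepared statements with named placeholders, end to end.
// Not code from the original post. Uses SQLite in memory so it runs anywhere
// PHP's pdo_sqlite extension is available; for MySQL only the DSN changes.
declare(strict_types=1);

function connect(): PDO
{
    // ERRMODE_EXCEPTION: a failed prepare()/execute() throws instead of quietly
    // returning false, so an unchecked "$result" can never hide a failure.
    return new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function createSchema(PDO $db): void
{
    // Same columns as the question's users table (types chosen for SQLite).
    $db->exec('CREATE TABLE users (
        user_id    INTEGER PRIMARY KEY AUTOINCREMENT,
        user_name  TEXT    NOT NULL UNIQUE,
        user_pass  TEXT    NOT NULL,
        user_email TEXT    NOT NULL,
        user_date  TEXT    NOT NULL,
        user_level INTEGER NOT NULL DEFAULT 0
    )');
}

/** Insert one user and return the new row id. Values never touch the SQL text. */
function registerUser(PDO $db, string $name, string $password, string $email): int
{
    $stmt = $db->prepare('INSERT INTO users (user_name, user_pass, user_email, user_date, user_level)
                          VALUES (:user_name, :user_pass, :user_email, :user_date, :user_level)');
    $stmt->execute([
        ':user_name'  => $name,
        ':user_pass'  => password_hash($password, PASSWORD_DEFAULT), // salted, slow hash; never sha1
        ':user_email' => $email,
        ':user_date'  => date('Y-m-d H:i:s'),                          // stand-in for MySQL NOW()
        ':user_level' => 0,
    ]);
    return (int) $db->lastInsertId();
}

/** Look a user up by name and verify the password; returns the row or null. */
function authenticate(PDO $db, string $name, string $password): ?array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE user_name = :user_name');
    $stmt->execute([':user_name' => $name]);
    $row = $stmt->fetch();
    if ($row === false || !password_verify($password, $row['user_pass'])) {
        return null;
    }
    return $row;
}

$db = connect();
createSchema($db);

// Constructed inputs standing in for $_POST. The second username is the classic
// injection payload; bound as a parameter it is nothing more than an odd name.
registerUser($db, 'alice', 'correct horse battery staple', 'alice@example.com');
registerUser($db, "bob' OR '1'='1", 'hunter2', 'bob@example.com');

// Row count and stored value show the payload went in as data, not as SQL.
$count  = (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
$stored = $db->query('SELECT user_name FROM users WHERE user_id = 2')->fetchColumn();
echo "rows in users: $count\n";
echo "second user_name stored as: ", var_export($stored, true), "\n";

echo "alice / right password:   ", authenticate($db, 'alice', 'correct horse battery staple') ? "ok\n" : "denied\n";
echo "alice / wrong password:   ", authenticate($db, 'alice', 'hunter2') ? "ok\n" : "denied\n";
echo "payload name / hunter2:   ", authenticate($db, "bob' OR '1'='1", 'hunter2') ? "ok\n" : "denied\n";
```

To point this at MySQL, swap the DSN for something like `mysql:host=localhost;dbname=forum;charset=utf8mb4` with a username and password, and add `PDO::ATTR_EMULATE_PREPARES => false` to the options so the binding is done by the server rather than by the client-side emulation (SQLite's driver does not accept that attribute, which is why it is left out here). Note that `mysql_error()` has no meaning with PDO; in exception mode the `PDOException` message carries the driver error, and in the default silent mode `$stmt->errorInfo()` does.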

© 2020-2024 STACKOOM.COM