stackoom
  简体   繁体   中英

MYSQLI/PDO: How to convert MySQLi to PDO in login form

 原文  2019-08-13 03:48:59       php/ mysqli/ pdo

Question

I currently developed the login form with MySQLi. Since PDO is more secure than I would like to convert to PDO. Below is PHP MySQLi code at login form. For config.php, I already change to PDO.

                <?php
            include("config/config.php");
            session_start();

            if($_SERVER["REQUEST_METHOD"] == "POST") {

            $Email = mysqli_real_escape_string($link,$_POST['Email']);
            $Pwd = mysqli_real_escape_string($link,$_POST['Pwd']); 

            $Pwd = md5($Pwd); 
            $sql = "SELECT staff.Email,staff.Role_ID FROM staff WHERE Email = '$Email' AND Pwd ='$Pwd'"; 
            $result = mysqli_query($link,$sql);
            $row = mysqli_fetch_array($result,MYSQLI_ASSOC);
            $count = mysqli_num_rows($result);

            if($count == 1) {

                $_SESSION['login_user'] = $Email;

                if($row["Role_ID"] == "2"){ 
                    header("location: pages/dashboard/dashboard_admin.php");
                }else if ($row["Role_ID"] == "1"){ 
                    header("location: pages/dashboard/dashboard_super_admin.php");
                }
            }else {
                $error = "Your Login Name or Password is invalid";
                }
            }

            ?>

Can anyone know how to solve? Much thanks

1 answers

solution1
 3 ACCPTED  2019-08-13 04:52:42

There is no point in converting anything. Just write the PDO version right away.

A login form handler is just a regular query, nothing special. If you know how to run a query using PDO, then you know how to login.

What is much more important, is that you have to follow best practices in the security, namely reliable password hashing and using prepared statements.

For a beginner it is not too easy to put everything together the right way (espeslcially given there are a lot of sites specialized in bad examples such as w3schools), so I wrote a simplified canonical example for the task, login code using PDO

$stmt = $pdo->prepare("SELECT * FROM staff WHERE Email = ?");
$stmt->execute([$_POST['Email']]);
$row = $stmt->fetch();

if ($row && password_verify($_POST['Pwd'], $row['Pwd']))
{
    $_SESSION['login_user'] = $Email;
    if($row["Role_ID"] == "2"){ 
         header("location: pages/dashboard/dashboard_admin.php");
    }else if ($row["Role_ID"] == "1"){ 
         header("location: pages/dashboard/dashboard_super_admin.php");
    }
} else {
    $error = "Your Login Name or Password is invalid";
}

Note #1. PDO is not "more secure" than mysqli. It is not a driver that matters but whether you are using prepared statements or not. Both drivers have support for them but PDO prepared statements are much easier to use.

Note #2. Given there are a lot of bad examples for PDO connection as well, here is my canonical example for the task . Although it's for MySQL but you have to follow the routine, only changing the DSN part for MS SQL.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to convert PDO to mysqli? How to convert mysqli code to PDO stmt? How can I convert this mysqli to PDO? How do I convert this PDO code to MySQLi? How to convert MySQLi connector to PHP PDO How to convert mysqli_query to PDO? Convert current PDO Function to MYSQLI Convert mysqli to pdo prepared statement Convert signup form to PDO from MySQLI, getting a DATABASE error mysqli/PDO information: from mysqli to pdo-> how to handle error
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM