stackoom
  简体   繁体   中英

convert mysql to PDO statement

 原文  2012-02-03 09:30:47       php/ mysql/ pdo

Question

This is the login function written using MySQL way However, the problem exists when it convert into PDO way

MYSQL: 

    <?
function confirmUser($username, $password){
   global $conn;
   if(!get_magic_quotes_gpc()) {
    $username = addslashes($username);
   }

   /* Verify that user is in database */
   $q = "select UserID,UserPW from user where UserID  = '$username'";
   $result = mysql_query($q,$conn);
   if(!$result || (mysql_numrows($result) < 1)){
      return 1; //Indicates username failure
   }

   /* Retrieve password from result, strip slashes */
   $dbarray = mysql_fetch_array($result);
   $dbarray['UserPW']  = stripslashes($dbarray['UserPW']);
   $password = stripslashes($password);

   /* Validate that password is correct */
   if($password == $dbarray['UserPW']){
      return 0; //Success! Username and password confirmed
   }
   else{
      return 2; //Indicates password failure
   }
}

PDO: 

<?
function confirmUser($username, $password){
   global $conn;

   include("connection/conn.php");

   $sql = '
    SELECT   COALESCE(id,0) is_row
    FROM     user
    WHERE    UserID = ?
    LIMIT 1
';

$stmt = $conn->prepare($sql);
$stmt->execute(array('09185346d'));
$row = $stmt->fetch();

if ($row[0] > 0) {
       $sql = '
    SELECT   COALESCE(id,1) is_row
    FROM     user
    WHERE    UserPW = ?
    LIMIT 1
';
$stmt = $conn->prepare($sql);
$stmt->execute(array('asdasdsa'));
$row = $stmt->fetch();
    if ($row[0] > 0) 
    return 2;
    else
    return 0;
}
elseif ($row[0] = 0)
{return 1;}   



}

What is the problem ?? And is it necessary to include bind parameter in PDO??? THANKS

1 answers

solution1
 1 ACCPTED  2012-02-03 09:50:25

Aside from your use of global and your include inside the function (you should investigate an alternative way of structuring your function not to do this), I would change the code as follows: 

$sql =
    'SELECT  id
    FROM     user
    WHERE    UserID = ?
    AND      UserPW = ?
    LIMIT 1';

$stmt = $conn->prepare($sql);
$stmt->execute(array(
    '09185346d',
    'asdasdsa'
));

if ($stmt->rowCount() == 1) {
    return 0;
}
else {
    return 1;
}

Combing the queries to give a general Authentication error, instead of allowing people to trial valid usernames, and then valid passwords, and then using PDOStatements rowCount method do see if your row was returned.

To answer your second part, it is not necessary to specifically use bindParam to prevent SQL injection.

Here's a quick example of the difference between bindParam and bindValue 

$param = 1;

$sql = 'SELECT id FROM myTable WHERE myValue = :param';
$stmt = $conn->prepare($sql);

Using bindParam 

$stmt->bindParam(':param', $param);
$param = 2;
$stmt->execute();

SELECT id FROM myTable WHERE myValue = '2'

Using bindValue 

$stmt->bindValue(':param', $param);
$param = 2;
$stmt->execute();

SELECT id FROM myTable WHERE myValue = '1'

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Convert a MYSQL* query into a PDO ready statement with placeholders trying to convert mysql select statement to PDO How to convert MySQL code into PDO statement? Convert into secure PDO statement? How can I convert this working mysql statement to PDO effectively? Mysql PDO statement with OR in SELECT convert mysql to pdo How to Convert mySQL to PDO Convert mysql functions to pdo Convert mysql_* to PDO
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM