[英]Convert a MYSQL* query into a PDO ready statement with placeholders
[英]convert mysql to PDO statement
这是使用MySQL方式编写的登录功能,但是当转换为PDO方式时存在问题
MYSQL:
<?
function confirmUser($username, $password){
global $conn;
if(!get_magic_quotes_gpc()) {
$username = addslashes($username);
}
/* Verify that user is in database */
$q = "select UserID,UserPW from user where UserID = '$username'";
$result = mysql_query($q,$conn);
if(!$result || (mysql_numrows($result) < 1)){
return 1; //Indicates username failure
}
/* Retrieve password from result, strip slashes */
$dbarray = mysql_fetch_array($result);
$dbarray['UserPW'] = stripslashes($dbarray['UserPW']);
$password = stripslashes($password);
/* Validate that password is correct */
if($password == $dbarray['UserPW']){
return 0; //Success! Username and password confirmed
}
else{
return 2; //Indicates password failure
}
}
PDO:
<?
function confirmUser($username, $password){
global $conn;
include("connection/conn.php");
$sql = '
SELECT COALESCE(id,0) is_row
FROM user
WHERE UserID = ?
LIMIT 1
';
$stmt = $conn->prepare($sql);
$stmt->execute(array('09185346d'));
$row = $stmt->fetch();
if ($row[0] > 0) {
$sql = '
SELECT COALESCE(id,1) is_row
FROM user
WHERE UserPW = ?
LIMIT 1
';
$stmt = $conn->prepare($sql);
$stmt->execute(array('asdasdsa'));
$row = $stmt->fetch();
if ($row[0] > 0)
return 2;
else
return 0;
}
elseif ($row[0] = 0)
{return 1;}
}
问题是什么 ?? 并且有必要在PDO中包含bind参数吗??? 谢谢
除了对global
的使用以及函数中的include
之外(您应该研究构造函数的另一种方法,不要这样做),我将代码更改如下:
$sql =
'SELECT id
FROM user
WHERE UserID = ?
AND UserPW = ?
LIMIT 1';
$stmt = $conn->prepare($sql);
$stmt->execute(array(
'09185346d',
'asdasdsa'
));
if ($stmt->rowCount() == 1) {
return 0;
}
else {
return 1;
}
组合查询以给出一般的身份验证错误,而不是让人们先试用有效的用户名,有效密码,再使用PDOStatements rowCount
方法来查看是否返回了行。
为了回答您的第二部分,没有必要专门使用bindParam
来防止SQL注入。
这是bindParam
和bindValue
之间的区别的简单示例
$param = 1;
$sql = 'SELECT id FROM myTable WHERE myValue = :param';
$stmt = $conn->prepare($sql);
使用bindParam
$stmt->bindParam(':param', $param);
$param = 2;
$stmt->execute();
在myTable的SELECT ID中,myValue = '2'
使用bindValue
$stmt->bindValue(':param', $param);
$param = 2;
$stmt->execute();
在myTable的SELECT ID中,myValue = '1'
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.