PHP的日志形式的MySQL和引導風格給錯誤

Question

我正在從任何會話進行簡單登錄，這是我的PHP代碼：

<?php

  $mysqli = new mysqli( 'localhost', 'cshrnaf_user2', '=cXlIBsdMkdr', 'cshrnaf_mis_db' );

if (isset($_POST['Username'])) {
        $sql = "SELECT * FROM user WHERE email= '{$mysqli->real_escape_string($_POST['Username'])}'  AND password= '{$mysqli->real_escape_string($_POST['Password'])}'  LIMIT 1";
        $res = mysql_query($sql);
        if (mysql_num_rows($res) == 1) {
            echo "YOu have log in";
            exit();
        } else {
            echo "not log in";
            exit();
        }
}
?>

和我的Bootstrap代碼：

</head>
<body class="gray-bg">
    <div class="middle-box text-center loginscreen animated fadeInDown">
        <div>
            <h3>Welcome</h3>
            <p>Login to your account.</p>
            <form method="post" class="m-t" role="form">
                <div class="form-group">
                    <input type="email" class="form-control" name=Username required="">
                </div>
                <div class="form-group">
                    <input type="password" class="form-control" name=Password required="">
                </div>
                <button type="submit" class="btn btn-primary block full-width m-b">Login</button>
            </form>
        </div>
    </div>
    </body>
</head>

它給了我3錯誤：

警告：mysql_query（）：在第7行的/home/cc/public_html/MIS_cc/login.php中拒絕用戶“ @'localhost”（使用密碼：NO）的訪問

警告：mysql_query（）：在第7行的/home/cc/public_html/MIS_cc/login.php中無法建立到服務器的鏈接

警告：mysql_num_rows（）期望參數1為資源，第9行的/home/cc/public_html/MIS_cc/login.php中給出的布爾值無法登錄

Answer 1

對於您的編碼，將其更改為：

<?php

if (isset($_POST['Username'])) {
    $sql = "SELECT * FROM user WHERE email= '{$mysqli->real_escape_string($_POST['Username'])}'  AND password= '{$mysqli->real_escape_string($_POST['Password'])}'  LIMIT 1";
    $res = mysqli_query($mysqli , $sql); // Edited this line
    if (mysqli_num_rows($res) == 1) { //Edited this line
        echo "YOu have log in";
        exit();
    } else {
        echo "not log in";
        exit();
    }
}
?>

但是，您實際上應該考慮使用准備好的語句，因為轉義字符串不足以保護自己免受sql注入。

使用代碼使用預准備語句的示例：

<?php

if(isset($_POST['Username'])) {
    $username = $mysqli->real_escape_string($_POST['Username']);
    $password = $mysqli->real_escape_string($_POST['Password']);

    // Wrapping the prepared statement in an IF so if the sql statement is wrong it will return false and allows for error handling.
    if ($stmt = $mysqli->prepare("SELECT * FROM user WHERE email = ? AND password = ? LIMIT 1")) {

        // Bind the above $username and $password to the prepared query
        $stmt->bind_param('ss', $username, $password);

        // Execute the prepared query.
        $stmt->execute()

        // Store result of prepared statement
        $stmt->store_result();

        if ($stmt->num_rows == 1) { 
            echo "You have logged in.";
            exit();
        } else {
            echo "Log in failed.";
            exit();
        }
        $stmt->close();
    }
}