Convert a MYSQL* query into a PDO ready statement with placeholders
This is a login function written with the old MySQL functions, but there is a problem when I convert it to PDO.
MYSQL:
<?php
function confirmUser($username, $password){
    global $conn;
    // Escape quotes only if magic_quotes has not already done so
    if(!get_magic_quotes_gpc()) {
        $username = addslashes($username);
    }
    /* Verify that user is in database */
    $q = "select UserID,UserPW from user where UserID = '$username'";
    $result = mysql_query($q,$conn);
    if(!$result || (mysql_num_rows($result) < 1)){
        return 1; //Indicates username failure
    }
    /* Retrieve password from result, strip slashes */
    $dbarray = mysql_fetch_array($result);
    $dbarray['UserPW'] = stripslashes($dbarray['UserPW']);
    $password = stripslashes($password);
    /* Validate that password is correct */
    if($password == $dbarray['UserPW']){
        return 0; //Success! Username and password confirmed
    }
    else{
        return 2; //Indicates password failure
    }
}
PDO:
<?php
function confirmUser($username, $password){
    global $conn;
    include("connection/conn.php");
    /* First query: does a row with this UserID exist? */
    $sql = '
        SELECT COALESCE(id,0) is_row
        FROM user
        WHERE UserID = ?
        LIMIT 1
    ';
    $stmt = $conn->prepare($sql);
    // literal test value; the $username argument is not used here
    $stmt->execute(array('09185346d'));
    $row = $stmt->fetch();           // false when no row matched
    if ($row && $row[0] > 0) {
        /* Second query: does a row with this UserPW exist? */
        $sql = '
            SELECT COALESCE(id,1) is_row
            FROM user
            WHERE UserPW = ?
            LIMIT 1
        ';
        $stmt = $conn->prepare($sql);
        // literal test value; the $password argument is not used here
        $stmt->execute(array('asdasdsa'));
        $row = $stmt->fetch();
        if ($row && $row[0] > 0)
            return 2;
        else
            return 0;
    }
    else {
        // was "elseif ($row[0] = 0)", an assignment that never returned 1
        return 1;
    }
}
What is the problem? And is it necessary to include bind parameters in PDO? Thanks
Apart from the use of global and the include inside the function (you should look into another approach using a constructor, don't do this), I would change the code as follows:
$sql =
    'SELECT id
     FROM user
     WHERE UserID = ?
     AND UserPW = ?
     LIMIT 1';
$stmt = $conn->prepare($sql);
// both values travel as parameters, so quotes in them cannot change the SQL
$stmt->execute(array(
    '09185346d',
    'asdasdsa'
));
if ($stmt->rowCount() == 1) {
    return 0;
}
else {
    return 1;
}
Combine the queries to give a generic authentication error, rather than letting people first try a valid username and then a valid password, and use the PDOStatement rowCount method to see whether a row was returned.
To answer your second part, it is not necessary to use bindParam specifically to prevent SQL injection.
Here is a simple example of the difference between bindParam and bindValue:
$param = 1;
$sql = 'SELECT id FROM myTable WHERE myValue = :param';
$stmt = $conn->prepare($sql);
Using bindParam
$stmt->bindParam(':param', $param); // bound by reference: read when execute() runs
$param = 2;
$stmt->execute();
Runs as: SELECT id FROM myTable WHERE myValue = '2'
Using bindValue
$stmt->bindValue(':param', $param); // value copied at bind time
$param = 2;
$stmt->execute();
Runs as: SELECT id FROM myTable WHERE myValue = '1'
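Putting the answer's two points together, here is an added example that is not code from the question or the answer: the combined username-and-password query with the function's own arguments bound as placeholders, and the bindParam/bindValue difference shown by actually executing both variants. It runs offline against an in-memory SQLite database; the table layout and sample rows are constructed for the demo and reuse the column names from the post (user.UserID, user.UserPW, myTable.myValue).

```php
<?php
// Added example, not code from the question or the answer above.
// In-memory SQLite so it runs offline; tables and rows are constructed here.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, UserID TEXT, UserPW TEXT)');
$conn->exec("INSERT INTO user (UserID, UserPW) VALUES ('09185346d', 'asdasdsa')");
$conn->exec('CREATE TABLE myTable (id INTEGER PRIMARY KEY, myValue INTEGER)');
$conn->exec('INSERT INTO myTable (myValue) VALUES (1), (2)');

// Same return codes as the answer: 0 = confirmed, 1 = generic failure.
// $conn is passed in instead of pulled from global scope, as the answer advises.
function confirmUser(PDO $conn, $username, $password)
{
    // One query checks both values, so a caller only ever sees one generic
    // error and cannot learn which half was wrong.
    $sql = 'SELECT id FROM user WHERE UserID = ? AND UserPW = ? LIMIT 1';
    $stmt = $conn->prepare($sql);
    // The function's own arguments are bound; the SQL text is fixed at
    // prepare() time, so quotes or keywords inside them remain plain data.
    $stmt->execute(array($username, $password));
    // rowCount() after a SELECT is driver-dependent, so fetch and test instead.
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false ? 0 : 1;
}

// Executes the answer's bindParam and bindValue snippets and reports which
// row each one actually matched.
function bindDemo(PDO $conn)
{
    $sql = 'SELECT id, myValue FROM myTable WHERE myValue = :param';
    $out = array();

    // bindParam binds the variable by reference: PDO reads $param when
    // execute() runs, i.e. after it has been changed to 2.
    $param = 1;
    $stmt = $conn->prepare($sql);
    $stmt->bindParam(':param', $param, PDO::PARAM_INT);
    $param = 2;
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $out['bindParam'] = $row ? (int) $row['myValue'] : null;

    // bindValue copies the value at bind time; the later change is ignored.
    $param = 1;
    $stmt = $conn->prepare($sql);
    $stmt->bindValue(':param', $param, PDO::PARAM_INT);
    $param = 2;
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $out['bindValue'] = $row ? (int) $row['myValue'] : null;

    return $out;
}

// Stand-alone run: correct credentials, wrong password, and a username
// containing a quote and SQL keywords, which the placeholder keeps as data.
var_dump(confirmUser($conn, '09185346d', 'asdasdsa'));
var_dump(confirmUser($conn, '09185346d', 'wrong-password'));
var_dump(confirmUser($conn, "09185346d' OR '1'='1", 'wrong-password'));
print_r(bindDemo($conn));
```

The example fetches a row instead of calling rowCount(): the PHP manual notes that rowCount() after a SELECT is only returned by some drivers, so a fetch is the portable check. The password is still compared as stored, exactly as in the answer's query; that part of the design is unchanged here.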