通过 php 和 sql 检查帐户详细信息

Question

我最近刚刚开始使用 php，我正在测试我的新知识，尝试使用数据库来存储用户名和密码来制作一个简单的登录页面。一切顺利，但我遇到了一堵巨大的墙！出于某种原因，我的 fetch 方法 $result = $stmt->fetch(); 没有返回任何结果，即使我在 phpmyadmin 中运行 sql 查询它返回一行就好了！这与我从表单或加密获取输入的方式有关吗？

这是我的完整代码。谢谢大家温柔我是全新的哈哈

<?php 
include 'inc/db.inc.php';
$link = new PDO(DB_INFO, DB_USER, DB_PASS);

?>

<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en"> <![endif]-->
<!--[if IE 7]>    <html class="no-js lt-ie9 lt-ie8" lang="en"> <![endif]-->
<!--[if IE 8]>    <html class="no-js lt-ie9" lang="en"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en"> <!--<![endif]-->
<head>
  <meta charset="utf-8">

  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">

  <title></title>
  <meta name="description" content="">

  <meta name="viewport" content="width=device-width">


  <link rel="stylesheet" href="css/style.css">

<script src="js/libs/modernizr-2.5.3.min.js"></script>
</head>
<body>
<?php
if($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['register'])) {
$sql = "INSERT INTO account (account_name, account_pass) VALUES (:name, :pass)";
$stmt = $link->prepare($sql);
$stmt->bindParam(':name', $name);
$stmt->bindParam(':pass', $pass);
$name = $_POST["username"];
$pass = md5($_POST["password"]);
$stmt->execute();

echo "Thank you for registering!";
} else if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['login'])) {
$sql = "SELECT account_name, account_pass FROM account WHERE account_name=:name AND account_pass=:pass";
$stmt = $link->prepare($sql);
$stmt->bindParam(':name', $name, PDO::PARAM_STR);
$stmt->bindParam(':pass', $pass, PDO::PARAM_STR);
$pass = strip_tags(md5($_POST["password"]));
$name = strip_tags($_POST["username"]);
$stmt->execute();
$result = $stmt->fetch();
print_r($result);

if(empty($name) || empty($pass)){
echo "please enter a username and password!";
} else {
if(empty($result)){

echo "yes";
} else {
echo "no";
}
}

} else {
?>
<form method="post" action="test.php">
<label for="username">Username: </label>
<input type="text" name="username" />
<label for="password">Password: </label>
<input type="password" name="password" />
<input type="submit" name="login" value="Login" />
<input type="submit" name="register" value="register" />
</form>
<?php } ?>
</body>
</html> 

Answer 1

您正在对尚未设置的变量使用$stmt->bindParam。像这样调整你的代码：

$sql = "SELECT account_name, account_pass FROM account WHERE account_name=:name AND account_pass=:pass";
$pass = strip_tags(md5($_POST["password"]));
$name = strip_tags($_POST["username"]);
$stmt = $link->prepare($sql);
$stmt->bindParam(':name', $name, PDO::PARAM_STR); // $name needs to be set before this
$stmt->bindParam(':pass', $pass, PDO::PARAM_STR); // $pass needs to be set before this
$stmt->execute();
$result = $stmt->fetch();
print_r($result);

Answer 2

绑定参数之前不用设置变量吗？

$pass = strip_tags(md5($_POST["password"]));
$name = strip_tags($_POST["username"]);
$stmt->bindParam(':name', $name, PDO::PARAM_STR);
$stmt->bindParam(':pass', $pass, PDO::PARAM_STR);

Answer 3

你的做事方式非常有趣。呵呵。

我会做类似的事情

$resource = mysql_query($sql);
if(!$resource){
  die("query error: ".mysql_error());
}
$count = mysql_num_rows($resource);
if($count > 0){
  //match found.
}else{
  //incorrect login.
}

也许我只是不习惯你的语法