请帮助我将 PDO 从旧 mysql 转换为此代码 [关闭]

【问题标题】:Please help me to convert PDO from old mysql to this code [closed]请帮助我将 PDO 从旧 mysql 转换为此代码 [关闭]
【发布时间】:2013-04-30 13:59:38
【问题描述】:

我是 MySQL 和 PHP 的新手。我一直在从事一个类似于某种博客的项目。但我听说旧的 MySQL 容易受到攻击或容易被黑客入侵。所以有人建议我使用 PDO。但我很困惑如何将此代码转换为 PDO。请帮帮我。

<?php

//Start session
session_start();

//Include database connection details
require_once('scripts/dblog.php');

//Array to store validation errors
$errmsg_arr = array();

//Validation error flag
$errflag = false;

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
   $str = @trim($str);
   if(get_magic_quotes_gpc()) {
      $str = stripslashes($str);
   }
   return mysql_real_escape_string($str);
}

//Sanitize the POST values
$username = clean($_POST['username']);
$password = clean($_POST['password']);

//Input Validations
if($username == '') {
   $errmsg_arr[] = 'Username missing';
   $errflag = true;
}

if($password == '') {
   $errmsg_arr[] = 'Password missing';
   $errflag = true;
}

//If there are input validations, redirect back to the login form
if($errflag) {
   $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
   session_write_close();
   header("location: login.php");
   exit();
}

//Create query
$qry="SELECT * FROM member WHERE BINARY username='$username' AND BINARY password='$password'";
$result=mysql_query($qry);

//Check whether the query was successful or not
if($result) {
   if(mysql_num_rows($result) > 0) {
      //Login Successful
      session_regenerate_id();
      $member = mysql_fetch_assoc($result);
      $_SESSION['SESS_MEMBER_ID'] = $member['mem_id'];
      $_SESSION['SESS_FIRST_NAME'] = $member['username'];
      $_SESSION['SESS_LAST_NAME'] = $member['password'];

      session_write_close();
      header("location: post.php");
      exit();
   } else {
      //Login failed
      $errmsg_arr[] = '<div class="alert alert-error">user name and password not found</div>';
      $errflag = true;
      if($errflag) {
         $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
         session_write_close();
         header("location: login.php");
         exit();
      }
   }
} else {
   die("Query failed");
}
?>

【问题讨论】:

  • 您实际需要什么帮助?为你重写这段代码?
  • 如果可能的话......如果不是,那么至少告诉我使用该代码是否过时并且易于破解?

标签: php mysql sql pdo database-connection


【解决方案1】:

没有人可能会简单地为您编写所有代码,但是我会给您一个非常好的工具来帮助您自己完成:http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers,这样您甚至可以学习 PDO 背后的理论并做好准备声明:)

【讨论】:

    【解决方案2】:

    虽然这个问题过于本地化并且has been asked MANY times already - 只是为了向您展示更好的做法

    • 您需要绑定参数。
    • 最好少写代码。它会节省你打字的时间
    • 按照tag wiki 中的说明进行连接

    所以,给你

    session_start();
require_once('scripts/dblog.php');

$sql = "SELECT * FROM member WHERE username=? AND password=?";
$stm = $pdo->prepare($sql);
$stm->execute($_POST);
$row = $stm->fetch();

if($row) {
    session_regenerate_id();
    $_SESSION['user'] = $row;
    $loc ='post.php';
} else {
    $_SESSION['ERRMSG_ARR'] = 'user name and password not found';
    $loc ='login.php';
}
session_write_close();
header("location: $loc");

    【讨论】:

      【解决方案3】:

      希望对你有帮助

      <?php
try {
    $dbh=new PDO('mysql:host=localhost;dbname=mysql','user','pass');

    $qry="SELECT * FROM member WHERE BINARY username='$username' AND BINARY password='$password'";
    //$result=mysql_query($qry);
    $result=$dbh->query($qry);
}catch (PDOException $e){
    print "PDO ERROR :".$e->getMessage()."<br/>";
    die();
}






//Check whether the query was successful or not
if($result) {
    if($result->rowCount() > 0) {
        //Login Successful
        session_regenerate_id();
        $member = $result->fetchAll(PDO::FETCH_ASSOC);
        $_SESSION['SESS_MEMBER_ID'] = $member['mem_id'];
        $_SESSION['SESS_FIRST_NAME'] = $member['username'];
        $_SESSION['SESS_LAST_NAME'] = $member['password'];
        session_write_close();
        header("location: post.php");
        exit();
    }else {
        //Login failed
        $errmsg_arr[] = '<div class="alert alert-error">user name and password not found</div>';
        $errflag = true;
        if($errflag) {
            $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
            session_write_close();
            header("location: login.php");
            exit();
        }
    }
}else {
    die("Query failed");
}
$dbh=null; //close pdo
?>

      【讨论】:

        【解决方案4】:

        您需要创建一个包含数据源名称的 PDO 对象,该名称是这样的字符串:

        $dsn = "mysql:dbname=DATABASENAME;host=localhost;";

        你像这样创建 PDO 对象,这基本上是 mysql_connect() 的等价物:

        $database = new PDO($dsn, "Username", "Password");

        要执行您使用的查询:(相当于 mysql_query())

        $query = $database->query("SELECT * FROM table where name = ?", ['Test']);

        获取结果使用(mysql_fetch_array() 的等效项)$query-&gt;fetchAll(PDO::FETCH_OBJ);

        【讨论】:

        • 非常感谢。 :-) 对 PDO 有了更清晰的认识。
        猜你喜欢
        • 2014-12-12
        • 1970-01-01
        • 1970-01-01
        • 2018-08-09
        • 1970-01-01
        • 2023-03-03
        • 1970-01-01
        • 2020-11-07
        • 1970-01-01
        相关资源
        最近更新 更多
        热门标签
        Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode