未定义的变量:num

时间:2013-03-05 11:49:11

标签: php mysql pdo

我正在尝试创建一个简单的登录系统,我正在查询用户提供的用户名是否存在于数据库中。但是我无法获取rowcount.İ继续获取未定义的变量num:error.I also尝试使用,

$num = $stmt->rowCount();

然而,我得到一个非对象错误的成员函数rowCount()调用。我是一个非常新的PHP和Web开发,这让我很困惑,我不知道怎么让它工作可以有人请帮我?这是db.php文件的代码

<?php
require "config.php";


function DBconnect($config) {
    try {
        $conn = new PDO('mysql:host=localhost;dbname=' . $config['database'],
                        $config['username'],
                        $config['password']);

        $conn->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        return $conn;
    } catch(Exception $e) {
        return false;
    }
}

function query($query, $bindings, $conn) {
    $stmt = $conn->prepare($query);
    $stmt->execute($bindings);

    return $stmt;
}

这是index.php文件的代码,它是登录页面。

<?php

// Allow sessions to be passed so we can see if the user is logged in
session_start();

// include the necessary files
require "db.php";
require "functions.php";
include "index.view.php";


//conect to the database so we can check, edit or ,data to our users table
$conn = DBconnect($config);

// if the user has submitted the form
if( $_SERVER["REQUEST_METHOD"] === "POST") {

    //protect the posted value then store them to variables
    $username = protect($_POST["username"]);
    $password = protect($_POST["password"]);

    //Check if the username or password boxes were not filled in
    if ( !$username || !$password ){
        // if not display an error message.
        echo "You need to fill in a username and password!";
    }else
        // if correct continue cheking

        //select all the rows where the username and password match the ones submitted by the user
        query(  "SELECT * FROM users WHERE username = :username",
                array("username" => $username),
                $conn);
        $num = $stmt->fetchColumn(); 


        //check if there was not a match
        if( $num == 0) {
            //if not display an error message
            echo "The username you entered does not exist!";
        }else{
            //if there was a mactch continue chekcing

            //select all rows where the username and password match the ones submitted by the user
            query( "SELECT * FROM users WHERE username =:username && password = :pasword",
                    array("username" => $username, "password" => $password ),
                    $conn);
            $num = $stmt->fetchColumn();    

            //check if there was not a match
            if( $num == 0) {
                //if not display error message
                echo "Username and password do not mactch";
            }else {
                //if there was continue checking

                //split all the fields from the correct row into an associative array
                $row = $user->fetch(PDO::FETCH_ASSOC);
                //check to see if the user has not activated their account
                if($row["active"] != 1) {
                    //if not display an error message
                    echo "You have not yet activated your account!";
                }else {
                    //if so then log them in

                    // set the login session storing their id. We use this to
                    // see if they are logged in or not.
                    $_SESSION["uid"] = $row["id"];
                    //show message confirming that they are loggd in
                    echo "You have succesfully logged in!";
                    //update the online field to 50 seconds in the future
                    $time = date("u")+50;
                    query( "UPDATE users SET online = :time WHERE id = :id",
                            array("time" => $time, "id" => $_SESSION["uid"]),
                            $conn);
                    //redirect them to the usersonline page
                    header("Location: usersOnline.php");
                }
            }


    }
}

3 个答案:

答案 0 :(得分:2)

您错过了抓取$stmt作为query()的返回值。将呼叫更改为:

$stmt = query(....);
$num = $stmt->rowCount();

请注意,提供有关

的详细通知被视为不安全
  • 用户名错误
  • 密码错误
  • 两者都错了。

如果您这样做,攻击者很容易获得有效的用户名。拥有用户名的Onece需要更少的工作来获取有效帐户的密码。

此外,我不会使用rowCount(),因为每个数据库驱动程序都不会返回行数。因此,如果您曾经使用过不同的数据库,代码可能会失败。

将查询更改为:

SELECT count(*) AS number_of_rows, * FROM users WHERE username =:username && password = :pasword"

...然后获取&#39; number_of_rows&#39;从结果集中:

if ( !$username || !$password ){
    // if not display an error message.
    echo "You need to fill in a username and password!";
}else

    //select the number of rows where the username and password match the ones submitted by the user
    query(  "SELECT count(*) as number_of_records, * FROM users WHERE username = :username AND password = :password",
            array("username" => $username, "password" => "$password"),
            $conn);
    $record = $stmt->fetch();
    if($record['number_of_records'] !== '1') {
        echo 'wrong username and / or password';
    }
}

进一步说明:不要在数据库中存储未经授权的密码

相反,您应该存储由 salted 单向散列函数(如sha1或md5)散列的密码。为简洁起见,我在这里不举一个例子。我会谷歌这个或在SO上问另一个问题。

答案 1 :(得分:1)

您的query()函数返回一个语句,但您没有保存返回值,而不是从您调用它的位置。

更改

query(.....);


$stmt = query(.....);

答案 2 :(得分:0)

我受不了这么臃肿的代码。 所以,这是一个正确的版本,没有所有无用且不必要和错误的代码:

if( $_SERVER["REQUEST_METHOD"] == "POST") {
    $sql = "SELECT id,active FROM users WHERE username=? && password=?";
    $stm = query($sql, array($_POST["username"], $_POST["password"]), $conn);
    $row = $stm->fetch(PDO::FETCH_ASSOC);
    if(!$row) {
        echo "Username and password do not mactch";
    } elseif($row["active"] != 1) {
        echo "You have not yet activated your account!";
    } else {
        $_SESSION["uid"] = $row["id"];
        $time = date("u")+50;
        $sql  = "UPDATE users SET online=? WHERE id=?";
        query($sql, array($time, $row["id"]), $conn);
        header("Location: usersOnline.php");
        exit;
    }
}
相关问题
最新问题