我正在尝试将用户组添加到我的登录系统中,但每当我将最后一列添加到脚本中时,它都会破坏所有内容。我试图将它添加到我的prepare语句并将其绑定到一个变量,然后将值存储到$ _SESSION变量中。我不知道我在哪里出错了。
在添加最后一列之前,这是我的代码:
function login($email, $password, $mysqli)
{
if($stmt = $mysqli->prepare("SELECT id, username, password, salt FROM members WHERE email=? LIMIT 1"))
{
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($user_id, $username, $db_password, $salt);
$stmt->fetch();
$password= hash('key', $password . $salt);
if ($stmt->num_rows == 1)
{
if(checkbrute($user_id, $mysqli) == true)
{
//account is locked
//send email to user saying acc is locked
return false;
}
else
{
if($db_password == $password)
{
//password is correct
//get useragent string of the user
$user_browser = $_SERVER['HTTP_USER_AGENT'];
//XSS protect as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
//XSS protect as we might print this value.
$username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('key', $password . $user_browser);
//login successful
return true;
}
else
{
//password is not correct
//we record this attempt in the db
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time) VALUES ('$user_id, '$now')");
return false;
}
}
}
else
{
//no user exists.
return false;
}
}
}
以下是:
function login($email, $password, $mysqli)
{
if($stmt = $mysqli->prepare("SELECT id, username, password, salt, group FROM members WHERE email=? LIMIT 1"))
{
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($user_id, $username, $db_password, $salt, $usr_group);
$stmt->fetch();
$password= hash('key', $password . $salt);
if ($stmt->num_rows == 1)
{
if(checkbrute($user_id, $mysqli) == true)
{
//account is locked
//send email to user saying acc is locked
return false;
}
else
{
if($db_password == $password)
{
//password is correct
//get useragent string of the user
$user_browser = $_SERVER['HTTP_USER_AGENT'];
//XSS protect as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
//XSS protect as we might print this value.
$username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
$_SESSION['username'] = $username;
$_SESSION['user_group'] = $usr_group;
$_SESSION['login_string'] = hash('key', $password . $user_browser);
//login successful
return true;
}
else
{
//password is not correct
//we record this attempt in the db
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time) VALUES ('$user_id, '$now')");
return false;
}
}
}
else
{
//no user exists.
return false;
}
}
}
对此的任何帮助将不胜感激。
答案 0 :(得分:2)
group是mysql中的reserved word,尝试用反引号`包装它(或者避免在表模式中使用该术语):
"SELECT id, username, password, salt, `group` FROM members WHERE email=? LIMIT 1"
答案 1 :(得分:0)
避免使用group,因为这是SQL中的保留字。
将您的陈述更改为: SELECT id,username,password,salt,usergroup FROM members WHERE email =?限制1
这意味着您需要重命名列: ALTER TABLE成员RENAME COLUMN组到用户组;