PHP MySQL PDO query: populating a variable with the query result

Date: 2017-07-19 07:30:14

Tags: php mysql mysqli pdo

I have a website that makes it easy to generate ProFTPD users. I am now protecting the site against SQL injection, and to do that I am converting all of my mysqli queries to PDO queries with prepared statements.

But I still cannot find out how to save the result of an SQL query in a variable.

...

$username=$_POST['username'];

...

$pdo = new PDO('mysql:host=localhost;dbname=db', 'root', 'PW');
$query1= $pdo->prepare('select * from users where userid=:username');
$query1->execute(array('username' => $username));

foreach($query1 as $row)
{
 $result= $row->userid;
}


if($result == $username)
{
 echo "Username is already taken";
}

When I run this code, the variable $result is empty.

I hope someone can help me.

Thanks in advance.

3 answers:

Answer 0 (score: 1)

Even though you already have a solution, here is a complete example that uses PDO prepared statements and exception handling:

Notes:

  • Don't fetch all fields, only userid. Limit the fetch to a single record.
  • Always use exception handling to catch and handle exceptions immediately.
  • Always use prepared statements to avoid MySQL injection.
  • Items in the fetched data array are addressed as plain array items.
  • "functions.php" contains all the needed functions and is included in "index.php". I didn't give you OOP code, but you should implement that instead of using plain functions. My code is your starting point.

PDO prepared statements and exception handling in PHP:

index.php:

<?php

require_once 'functions.php';

/*
 * ----------------
 * Database configs
 * ----------------
 */

define('MYSQL_HOST', '...');
define('MYSQL_PORT', '3306');
define('MYSQL_DATABASE', '...');
define('MYSQL_CHARSET', 'utf8');
define('MYSQL_USERNAME', '...');
define('MYSQL_PASSWORD', '...');

/*
 * -------------------------
 * Start program
 * -------------------------
 */

// Activate error reporting (only on development).
activateErrorReporting();

try {
    // Validate user name.
    if (!isset($_POST['username'])) {
        throw new Exception('No user name provided!');
    }

    // Get user name.
    $username = $_POST['username'];

    // Create db connection.
    $connection = createConnection(
            MYSQL_HOST
            , MYSQL_DATABASE
            , MYSQL_USERNAME
            , MYSQL_PASSWORD
            , MYSQL_PORT
            , MYSQL_CHARSET
    );

    // Define sql statement.
    $sql = 'SELECT userid FROM users WHERE userid = :username LIMIT 1';

    // Prepare and check sql statement (returns PDO statement).
    $statement = $connection->prepare($sql);
    if (!$statement) {
        throw new Exception('The SQL statement can not be prepared!');
    }

    // Bind values to sql statement parameters.
    $statement->bindValue(':username', $username, getInputParameterDataType($username));

    // Execute and check PDO statement.
    if (!$statement->execute()) {
        throw new Exception('The PDO statement can not be executed!');
    }

    // Fetch person details.
    $fetchedData = $statement->fetchAll(PDO::FETCH_ASSOC);
    if (!$fetchedData) {
        throw new Exception('Fetching data failed!');
    }

    closeConnection($connection);
} catch (PDOException $pdoException) {
    // On development.
    printData($pdoException, TRUE);

    // On production.
    // echo $pdoException->getMessage();
    exit();
} catch (Exception $exception) {
    // On development.
    printData($exception, TRUE);

    // On production.
    // echo $exception->getMessage();
    exit();
}

// For testing purposes.
printData($fetchedData, TRUE);

if (count($fetchedData) > 0) {
    echo 'Username is already taken';
}

functions.php:

<?php

/*
 * --------------------------------------------------
 * Data access functions
 * --------------------------------------------------
 */

/**
 * Create a new db connection.
 * 
 * @param string $host Host.
 * @param string $dbname Database name.
 * @param string $username Username.
 * @param string $password Password.
 * @param string $port [optional] Port.
 * @param string $charset [optional] Character set.
 * @param array $options [optional] Driver options.
 * @return PDO Db connection.
 */
function createConnection($host, $dbname, $username, $password, $port = '3306', $charset = 'utf8', $options = array(
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_PERSISTENT => true,
)) {
    $dsn = getDsn($host, $dbname, $port, $charset);
    // Pass the options to the constructor: PDO::ATTR_PERSISTENT only takes
    // effect there, not when set later with setAttribute().
    $connection = new PDO($dsn, $username, $password, $options);
    return $connection;
}

/**
 * Create a mysql DSN string.
 * 
 * @param string $host Host.
 * @param string $dbname Database name.
 * @param string $port [optional] Port.
 * @param string $charset [optional] Character set.
 * @return string DSN string.
 */
function getDsn($host, $dbname, $port = '3306', $charset = 'utf8') {
    $dsn = sprintf('mysql:host=%s;port=%s;dbname=%s;charset=%s'
            , $host
            , $port
            , $dbname
            , $charset
    );
    return $dsn;
}

/**
 * Close a db connection.
 * 
 * @param PDO $connection Db connection (passed by reference so the caller's
 *                        handle is released, not just a local copy).
 * @return void
 */
function closeConnection(&$connection) {
    $connection = NULL;
}

/**
 * Get the data type of a binding value.
 * 
 * @param mixed $value Binding value.
 * @return mixed Data type of the binding value.
 */
function getInputParameterDataType($value) {
    $dataType = PDO::PARAM_STR;
    if (is_int($value)) {
        $dataType = PDO::PARAM_INT;
    } elseif (is_bool($value)) {
        $dataType = PDO::PARAM_BOOL;
    }
    return $dataType;
}

/*
 * --------------------------------------------------
 * Print functions
 * --------------------------------------------------
 */

/**
 * Print data on screen.
 * 
 * @param mixed $data Data to print.
 * @param bool $preformatted Print preformatted if TRUE, print normal otherwise.
 * @return void
 */
function printData($data, $preformatted = FALSE) {
    if ($preformatted) {
        echo '<pre>' . print_r($data, true) . '</pre>';
    } else {
        echo $data;
    }
}

/*
 * --------------------------------------------------
 * Error reporting functions
 * --------------------------------------------------
 */

/**
 * Toggle error reporting.
 * 
 * @param integer $level Error level.
 * @param bool $display_errors Display errors if TRUE, hide them otherwise.
 * @return void
 */
function activateErrorReporting($level = E_ALL, $display_errors = TRUE) {
    error_reporting($level);
    ini_set('display_errors', ($display_errors ? 1 : 0));
}
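The same existence check as an added example that is not code from the question or from any of the answers: it runs a PDO prepared statement against an in-memory SQLite database so it works offline (assumes the pdo_sqlite extension); the table contents and the helper names createTestConnection() and usernameTaken() are my own constructions.

```php
<?php
declare(strict_types=1);

// Added example: PDO prepared-statement existence check, run against an
// in-memory SQLite database so it works offline. Schema and rows are
// constructed test data; the function names are not from the page.
function createTestConnection(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $pdo->exec('CREATE TABLE users (userid TEXT PRIMARY KEY, homedir TEXT)');
    $pdo->exec("INSERT INTO users (userid, homedir) VALUES ('alice', '/home/alice')");
    return $pdo;
}

/**
 * Return true when $username already exists. The value is bound as data,
 * so quotes or SQL keywords inside it are compared literally, never parsed.
 */
function usernameTaken(PDO $pdo, string $username): bool
{
    $stmt = $pdo->prepare('SELECT userid FROM users WHERE userid = :username LIMIT 1');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    // fetchColumn() returns the first column of the first row, or false
    // when nothing matched: this is the "save the result in a variable" step.
    $found = $stmt->fetchColumn();
    return $found !== false;
}

$pdo = createTestConnection();

foreach (['alice', 'bob', "' OR '1'='1"] as $candidate) {
    // The third candidate is injection-shaped; bound as a parameter it is
    // simply an unknown user name, so the check reports it as free.
    echo $candidate, ' taken: ', var_export(usernameTaken($pdo, $candidate), true), "\n";
}

// Why $row->userid in the question was empty: fetched rows are arrays in
// the default fetch modes (FETCH_BOTH, here FETCH_ASSOC), so index them
// with $row['userid'].
foreach ($pdo->query('SELECT userid FROM users') as $row) {
    echo 'row: ', $row['userid'], "\n";
}
```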

Answer 1 (score: 0)

Try changing

$query1= $pdo->prepare('select * from users where userid=:username');
to

$query1= $pdo->query('select * from users where userid=:username');

and access the data as follows

foreach($query1 as $row)
{
 $result= $row['userid'];
}

Answer 2 (score: 0)

You should use PDOStatement::fetch http://php.net/manual/en/pdostatement.fetch.php