Question

我正在尝试在PHP中创建一个登录类，从SQL DB获取信息。到目前为止，这是我的代码：

class login {
    function __construct($username, $password) {
        $this->username = $username;
        $this->password = $password;

        $this->check();
    }

    function check() {
        $query = "
            SELECT
                User.username
            FROM
                User
            WHERE
                User.username = ".(string)$this->username."
            AND
                User.pass = ".(string)$this->password."
                ;";

        $con = mysql_connect('localhost','root','root');
        mysql_select_db('User', $con);
        $result = mysql_query($query);
        $result = mysql_fetch_array($result);

        if(!isset($_SESSION)) session_start();
        if(isset($result)) $_SESSION['username'] = $result['username'];

        mysql_close($con);

        header('Location: ../../');
    }

}

我收到这些错误：

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in login.php on line 26

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at login.php:26) in login.php on line 28

Warning: Cannot modify header information - headers already sent by (output started at login.php:26) in login.php on line 33

如果我在终端中运行MYSQL代码，我会得到正确答案。所以我不明白为什么它在PHP中不起作用。

略微更新的代码;相同的错误：

class login {
    function __construct($username, $password) {
        (string)$this->username = $username;
        (string)$this->password = $password;

        $this->check();
    }

    function check() {
        $query = "
            SELECT
                User.username
            FROM
                User
            WHERE
                User.username = '".mysql_real_escape_string((string)$this->username)."'
            AND
                User.pass = '".mysql_real_escape_string((string)$this->password)."'
                ;";

        $con = mysql_connect('localhost','root','root');
        mysql_select_db('User', $con);
        $result = mysql_query($query);

        if (!$result) {
            die('MySQL Error: ' . mysql_error());
        }

        $result = mysql_fetch_array($result);

        if(!isset($_SESSION)) session_start();
        if(isset($result)) $_SESSION['username'] = $result['username'];

        mysql_close($con);

        header('Location: ../../');
    }

}

Answer 1

您正在运行的SQL语句将出现错误，因为您按字面意义而不是字符串包含用户名和密码（即缺少引号）。

    $query = "
            SELECT
                User.username
            FROM
                User
            WHERE
                User.username = '".mysql_real_escape_string((string)$this->username)."'
            AND
                User.pass = '".mysql_real_escape_string((string)$this->password)."'
                ;";

在尝试使用如下结果之前，您可以检查查询中的错误：

$result = mysql_query($query);
if (!result) {
     die('MySQL Error: ' . mysql_error()); // this will print the MySQL error message
}

此外，您不应再使用mysql_函数，因为它们已经过时且不安全。您应该使用mysqli或PDO以及准备好的语句。 mysqli非常简单，可以替代mysql _。

http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

Answer 2

如上所述，您应该在查询中引用字符串。现在，$result = mysql_query($query)将导致false。所以你得到了第一个错误(Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in login.php on line 26 )。第一个错误会触发第二个错误(headers already sent)，第三个错误会触发第二个错误。然后，您将$ result分配两次。这可能是一个错字。另外，在构造函数中将$ this-＆gt; username和$ this-＆gt; pasword转换为字符串，如下所示：

function __construct($username, $password) {
        $this->username = (string)$username;
        $this->password = (string)$password;

        $this->check();
    }

这样你可以像这样编写查询：

$query = "
            SELECT
                User.username
            FROM
                User
            WHERE
                User.username = '{$this->username}'
            AND
                User.pass = '{$this->password}'
                ";

从SQL数据库获取mysql和php的信息

2 个答案: