我正在尝试在PHP中创建一个登录类,从SQL DB获取信息。到目前为止,这是我的代码:
class login {
function __construct($username, $password) {
$this->username = $username;
$this->password = $password;
$this->check();
}
function check() {
$query = "
SELECT
User.username
FROM
User
WHERE
User.username = ".(string)$this->username."
AND
User.pass = ".(string)$this->password."
;";
$con = mysql_connect('localhost','root','root');
mysql_select_db('User', $con);
$result = mysql_query($query);
$result = mysql_fetch_array($result);
if(!isset($_SESSION)) session_start();
if(isset($result)) $_SESSION['username'] = $result['username'];
mysql_close($con);
header('Location: ../../');
}
}
我收到这些错误:
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in login.php on line 26
Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at login.php:26) in login.php on line 28
Warning: Cannot modify header information - headers already sent by (output started at login.php:26) in login.php on line 33
如果我在终端中运行MYSQL代码,我会得到正确答案。所以我不明白为什么它在PHP中不起作用。
略微更新的代码;相同的错误:
class login {
function __construct($username, $password) {
(string)$this->username = $username;
(string)$this->password = $password;
$this->check();
}
function check() {
$query = "
SELECT
User.username
FROM
User
WHERE
User.username = '".mysql_real_escape_string((string)$this->username)."'
AND
User.pass = '".mysql_real_escape_string((string)$this->password)."'
;";
$con = mysql_connect('localhost','root','root');
mysql_select_db('User', $con);
$result = mysql_query($query);
if (!$result) {
die('MySQL Error: ' . mysql_error());
}
$result = mysql_fetch_array($result);
if(!isset($_SESSION)) session_start();
if(isset($result)) $_SESSION['username'] = $result['username'];
mysql_close($con);
header('Location: ../../');
}
}
答案 0 :(得分:1)
您正在运行的SQL语句将出现错误,因为您按字面意义而不是字符串包含用户名和密码(即缺少引号)。
$query = "
SELECT
User.username
FROM
User
WHERE
User.username = '".mysql_real_escape_string((string)$this->username)."'
AND
User.pass = '".mysql_real_escape_string((string)$this->password)."'
;";
在尝试使用如下结果之前,您可以检查查询中的错误:
$result = mysql_query($query);
if (!result) {
die('MySQL Error: ' . mysql_error()); // this will print the MySQL error message
}
此外,您不应再使用mysql_函数,因为它们已经过时且不安全。您应该使用mysqli或PDO以及准备好的语句。 mysqli非常简单,可以替代mysql _。
http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php
答案 1 :(得分:0)
如上所述,您应该在查询中引用字符串。现在,$result = mysql_query($query)
将导致false
。所以你得到了第一个错误(Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in login.php on line 26
)
。第一个错误会触发第二个错误(headers already sent)
,第三个错误会触发第二个错误。
然后,您将$ result分配两次。这可能是一个错字。
另外,在构造函数中将$ this-> username和$ this-> pasword转换为字符串,如下所示:
function __construct($username, $password) {
$this->username = (string)$username;
$this->password = (string)$password;
$this->check();
}
这样你可以像这样编写查询:
$query = "
SELECT
User.username
FROM
User
WHERE
User.username = '{$this->username}'
AND
User.pass = '{$this->password}'
";