从SQL数据库获取mysql和php的信息

时间:2012-11-13 20:42:42

标签: php mysql sql

我正在尝试在PHP中创建一个登录类,从SQL DB获取信息。到目前为止,这是我的代码:

class login {
    function __construct($username, $password) {
        $this->username = $username;
        $this->password = $password;

        $this->check();
    }

    function check() {
        $query = "
            SELECT
                User.username
            FROM
                User
            WHERE
                User.username = ".(string)$this->username."
            AND
                User.pass = ".(string)$this->password."
                ;";

        $con = mysql_connect('localhost','root','root');
        mysql_select_db('User', $con);
        $result = mysql_query($query);
        $result = mysql_fetch_array($result);

        if(!isset($_SESSION)) session_start();
        if(isset($result)) $_SESSION['username'] = $result['username'];

        mysql_close($con);

        header('Location: ../../');
    }

}

我收到这些错误:

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in login.php on line 26

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at login.php:26) in login.php on line 28

Warning: Cannot modify header information - headers already sent by (output started at login.php:26) in login.php on line 33

如果我在终端中运行MYSQL代码,我会得到正确答案。所以我不明白为什么它在PHP中不起作用。

略微更新的代码;相同的错误:

class login {
    function __construct($username, $password) {
        (string)$this->username = $username;
        (string)$this->password = $password;

        $this->check();
    }

    function check() {
        $query = "
            SELECT
                User.username
            FROM
                User
            WHERE
                User.username = '".mysql_real_escape_string((string)$this->username)."'
            AND
                User.pass = '".mysql_real_escape_string((string)$this->password)."'
                ;";

        $con = mysql_connect('localhost','root','root');
        mysql_select_db('User', $con);
        $result = mysql_query($query);

        if (!$result) {
            die('MySQL Error: ' . mysql_error());
        }

        $result = mysql_fetch_array($result);

        if(!isset($_SESSION)) session_start();
        if(isset($result)) $_SESSION['username'] = $result['username'];

        mysql_close($con);

        header('Location: ../../');
    }

}

2 个答案:

答案 0 :(得分:1)

您正在运行的SQL语句将出现错误,因为您按字面意义而不是字符串包含用户名和密码(即缺少引号)。

    $query = "
            SELECT
                User.username
            FROM
                User
            WHERE
                User.username = '".mysql_real_escape_string((string)$this->username)."'
            AND
                User.pass = '".mysql_real_escape_string((string)$this->password)."'
                ;";

在尝试使用如下结果之前,您可以检查查询中的错误:

$result = mysql_query($query);
if (!result) {
     die('MySQL Error: ' . mysql_error()); // this will print the MySQL error message
}

此外,您不应再使用mysql_函数,因为它们已经过时且不安全。您应该使用mysqli或PDO以及准备好的语句。 mysqli非常简单,可以替代mysql _。

http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

答案 1 :(得分:0)

如上所述,您应该在查询中引用字符串。现在,$result = mysql_query($query)将导致false。所以你得到了第一个错误(Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in login.php on line 26 )。第一个错误会触发第二个错误(headers already sent),第三个错误会触发第二个错误。 然后,您将$ result分配两次。这可能是一个错字。 另外,在构造函数中将$ this-> username和$ this-> pasword转换为字符串,如下所示:

function __construct($username, $password) {
        $this->username = (string)$username;
        $this->password = (string)$password;

        $this->check();
    }

这样你可以像这样编写查询:

$query = "
            SELECT
                User.username
            FROM
                User
            WHERE
                User.username = '{$this->username}'
            AND
                User.pass = '{$this->password}'
                ";