我正在尝试将所有查询重写为PDO格式。 目前我正在尝试重写此功能,但我似乎无法让它工作。
mysql_query函数
function checkLogin() {
$this->sQuery = "SELECT * FROM users
WHERE gebruikersnaam='" . mysql_real_escape_string($_POST['gebruikersnaam']) . "'
AND wachtwoord = '" . sha1($_POST['wachtwoord']) . "'";
$this->rResult = mysql_query($this->sQuery)
or die("Er is iets misgegaan " . mysql_error());
if (mysql_num_rows($this->rResult) == 1) { // login name was found
$this->aRow = mysql_fetch_assoc($this->rResult);
$_SESSION['gebruiker'] = $this->aRow['voornaam'];
header("location: dashboard.php");
}
}
这就是我与PDO的距离:
function checkLoginPDO(){
$connect = new PDO(host, username, password); // Database Connectie maken (De host, username & password zijn in de config.php aan te passen)
$sql = "SELECT * FROM users
WHERE gebruikersnaam='" . mysql_real_escape_string($_POST['gebruikersnaam']) . "'
AND wachtwoord = '" . sha1($_POST['wachtwoord']) . "'";
$value = $connect->prepare($sql); //Een variabele aanmaken die de PDO vast houdt. Vervolgens word de code voorbereid door de prepare functie
$value->execute();
if(mysql_num_rows($value->fetch()) == 1){
$_SESSION['gebruiker'] = $row['voornaam'];
header("location: dashboard.php");
}
}
我做错了什么/遗忘?
提前致谢!
答案 0 :(得分:2)
它应该是这样的:
function checkLoginPDO(){
$connect = new PDO(host, username, password); // Database Connectie maken (De host, username & password zijn in de config.php aan te passen)
// define sql query string with special placeholders in the form of ?
$sql = "SELECT * FROM users
WHERE gebruikersnaam=?
AND wachtwoord =?";
// prepare statement based on sql query string
$statement = $connect->prepare($sql);
// bind first question mark with value from $_POST, first question mark will be replaced with that value
$statement->bindParam(1, $_POST['gebruikersnaam']);
// do the same for second question mark
$statement->bindParam(2, sha1($_POST['wachtwoord']));
// execute this prepared statement with binded values
$statement->execute();
// fetch row from the result in the form of associated array
if(($row = $statement->fetch(PDO::FETCH_ASSOC))){
$_SESSION['gebruiker'] = $row['voornaam'];
header("location: dashboard.php");
}
// free statement memory
$statement = null;
}
注意:代码未经过测试。
编辑,添加说明: 使用PDO时,您应该使用它来处理查询和数据库。使用任何mysql_ *函数都不是最佳方法。
答案 1 :(得分:1)
首先,确定您需要哪种类型的错误处理。 PDO默认为PDO::ERRMODE_SILENT
,这意味着您不会收到任何错误。我建议您使用PDO::ERRMODE_EXCEPTION
,这意味着您需要使用代码周围的try { ... } catch() { ... }
块。
其次,当您使用PDO时,您无法使用mysql_*
功能。因此使用mysql_real_escape_string
是不正确的。此外,因为您使用预准备语句,所以根本不需要任何SQL注入保护。但您需要使用param binding。
第7行还有一些mysql_query
...
PDO没有mysql_num_rows
功能的内置版本。您应该在查询中添加COUNT(*)
语句。另请参阅this answer
答案 2 :(得分:0)
function checkLoginPDO(){
$connect = new PDO(host, username, password); // Database Connectie maken (De host, username & password zijn in de config.php aan te passen)
$sql = "SELECT * FROM users
WHERE gebruikersnaam=:gebruikersnaam
AND wachtwoord = :wachtwoord";
$value = $connect->prepare($sql);
$value->bind(':gebruikersnaam',$_POST['gebruikersnaam']);
$value->bind(':wachtwoord',sha1($_POST['wachtwoord']));
$value->execute();
$data = $value->fetchAll();
if(count($data) > 0){
$_SESSION['gebruiker'] = $data[0]['voornaam'];
header("location: dashboard.php");
}
}
答案 3 :(得分:0)
登录功能现在可以创造奇迹!多谢你们! 我刚刚完成了我的图像上传脚本,它将文件名写入数据库。 它有效,但是从sql-injection这样的东西安全吗?
我目前正在研究我的上一个研究项目,其中安全性是一个大问题。 如果我能够关闭一个共同的安全CMS,我会获得程序员的学位:)
这是功能:
function uploadImage() {
$dir = $_SERVER['DOCUMENT_ROOT'] . 'pvb/upload/';
$allowedExts = array("jpg", "jpeg", "gif", "png");
$extension = end(explode(".", $_FILES["file"]["name"]));
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/png")
|| ($_FILES["file"]["type"] == "image/pjpeg"))
&& ($_FILES["file"]["size"] < 2000000)
&& in_array($extension, $allowedExts)) {
if ($_FILES["file"]["error"] > 0) {
echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
} else {
if (file_exists($dir . $_FILES["file"]["name"])) {
echo $_FILES["file"]["name"] . " already exists. ";
} else {
move_uploaded_file($_FILES["file"]["tmp_name"], $dir . $_FILES["file"]["name"]);
$this->createThumbs($dir, $dir . "thumbs/", 100);
$connect = new PDO(host, username, password); // Database Connectie maken (De host, username & password zijn in de config.php aan te passen)
$sql = "INSERT INTO afbeeldingen (img_naam) VALUES (:naam)";
$value = $connect->prepare($sql);
$value->bindValue(":naam", $_FILES['file']['name'], PDO::PARAM_STR);
$value->execute();
$connect = null;
}
}
} else {
echo "Invalid file";
}
}