Converting mysql_query to PDO

Date: 2013-02-27 09:46:00

Tags: php mysql pdo

I'm trying to rewrite all my queries into PDO format. Right now I'm trying to rewrite this function, but I can't seem to get it to work.

The mysql_query function

function checkLogin() {
    $this->sQuery = "SELECT * FROM users
          WHERE gebruikersnaam='" . mysql_real_escape_string($_POST['gebruikersnaam']) . "'
          AND wachtwoord = '" . sha1($_POST['wachtwoord']) . "'";

    $this->rResult = mysql_query($this->sQuery)
            or die("Er is iets misgegaan " . mysql_error());

    if (mysql_num_rows($this->rResult) == 1) {  // login name was found
        $this->aRow = mysql_fetch_assoc($this->rResult);
        $_SESSION['gebruiker'] = $this->aRow['voornaam'];

        header("location: dashboard.php");
    }
}

This is as far as I got with PDO:

function checkLoginPDO(){
    $connect = new PDO(host, username, password); // Create the database connection (host, username & password can be changed in config.php)
    $sql = "SELECT * FROM users
          WHERE gebruikersnaam='" . mysql_real_escape_string($_POST['gebruikersnaam']) . "'
          AND wachtwoord = '" . sha1($_POST['wachtwoord']) . "'";
    $value = $connect->prepare($sql); // Create a variable that holds the PDO statement; the query is then prepared by the prepare function
    $value->execute();
    if(mysql_num_rows($value->fetch()) == 1){
        $_SESSION['gebruiker'] = $row['voornaam'];
        header("location: dashboard.php");
    }
}

What am I doing wrong or forgetting?

Thanks in advance!

4 answers:

Answer 0 (score: 2)

It should look something like this:

function checkLoginPDO(){
    $connect = new PDO(host, username, password); // Create the database connection (host, username & password can be changed in config.php)
    // define the SQL query string with ? placeholders
    $sql = "SELECT * FROM users
      WHERE gebruikersnaam=?
      AND wachtwoord =?";
    // prepare a statement from the SQL query string
    $statement = $connect->prepare($sql);
    // bind the first question mark to the value from $_POST; it will be replaced with that value
    // (bindValue() is used here: bindParam() binds by reference and cannot take an expression such as sha1(...))
    $statement->bindValue(1, $_POST['gebruikersnaam']);
    // do the same for the second question mark
    $statement->bindValue(2, sha1($_POST['wachtwoord']));
    // execute the prepared statement with the bound values
    $statement->execute();
    // fetch a row from the result as an associative array
    if(($row = $statement->fetch(PDO::FETCH_ASSOC))){
        $_SESSION['gebruiker'] = $row['voornaam'];
        header("location: dashboard.php");
    }
    // free the statement
    $statement = null;
}

Note: the code is untested.

Edit, added explanation: when you use PDO, you should use it for both the queries and the database handling. Using any of the mysql_* functions is not the right approach.

Answer 1 (score: 1)

  • First, decide what kind of error handling you need. PDO defaults to PDO::ERRMODE_SILENT, which means you won't get any errors at all. I recommend PDO::ERRMODE_EXCEPTION, which means you need a try { ... } catch() { ... } block around your code.

  • Second, when you use PDO you cannot use the mysql_* functions. So using mysql_real_escape_string is wrong. Besides, because you are using prepared statements, you don't need any SQL injection protection at all. But you do need to use param binding.

  • Line 7 still has some mysql_query as well ...

  • PDO has no built-in equivalent of mysql_num_rows. You should add a COUNT(*) to your query. See also this answer.

Answer 2 (score: 0)
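Answer 0 and Answer 1 together describe the shape of the fix: placeholders bound with bindValue(), no mysql_* calls, exceptions turned on and wrapped in try/catch, and no mysql_num_rows(). As an added example that is not code from the question or from either answer, here is that login check written out in full; the DSN, user name and password are placeholders standing in for the config.php constants, and the users table and the sha1() comparison are as in the question.

```php
<?php
// Added example (not code from the question or the answers): the login check on PDO,
// with PDO::ERRMODE_EXCEPTION and named placeholders bound with bindValue().
// The DSN, user name and password are placeholders for the constants in config.php;
// the users table and the sha1() password comparison are taken from the question.
function connectPDO(): PDO
{
    return new PDO('mysql:host=localhost;dbname=DB_PLACEHOLDER;charset=utf8mb4', 'USER', 'PASS', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_EMULATE_PREPARES   => false,                 // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Returns the user's first name (voornaam) on success, null when no row matched.
// No mysql_* calls and no manual escaping: the placeholders keep the input out of the SQL text.
function checkLoginPDO(PDO $pdo, string $gebruikersnaam, string $wachtwoord): ?string
{
    $stmt = $pdo->prepare(
        'SELECT voornaam FROM users WHERE gebruikersnaam = :gebruikersnaam AND wachtwoord = :wachtwoord LIMIT 1'
    );
    // bindValue() takes any expression; bindParam() binds by reference and needs a variable.
    $stmt->bindValue(':gebruikersnaam', $gebruikersnaam, PDO::PARAM_STR);
    $stmt->bindValue(':wachtwoord', sha1($wachtwoord), PDO::PARAM_STR); // page's scheme; password_hash() is the modern replacement
    $stmt->execute();

    $row = $stmt->fetch(); // false when nothing matched: PDO has no mysql_num_rows(), but a single fetch is enough here
    return $row === false ? null : $row['voornaam'];
}

session_start();
try {
    $name = checkLoginPDO(connectPDO(), $_POST['gebruikersnaam'] ?? '', $_POST['wachtwoord'] ?? '');
    if ($name !== null) {
        session_regenerate_id(true);      // fresh session id once the user is authenticated
        $_SESSION['gebruiker'] = $name;
        header('Location: dashboard.php');
        exit;                             // stop here; header() alone does not end the script
    }
    echo 'Login failed';
} catch (PDOException $e) {
    error_log($e->getMessage());          // details go to the server log
    echo 'Er is iets misgegaan';          // the user sees only the generic message from the page
}
```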

function checkLoginPDO(){
    $connect = new PDO(host, username, password); // Create the database connection (host, username & password can be changed in config.php)
    $sql = "SELECT * FROM users
          WHERE gebruikersnaam=:gebruikersnaam
          AND wachtwoord = :wachtwoord";
    $value = $connect->prepare($sql);
    // PDOStatement has no bind() method; bindValue() binds the named placeholders
    $value->bindValue(':gebruikersnaam', $_POST['gebruikersnaam']);
    $value->bindValue(':wachtwoord', sha1($_POST['wachtwoord']));
    $value->execute();
    $data = $value->fetchAll();
    if(count($data) > 0){
        $_SESSION['gebruiker'] = $data[0]['voornaam'];
        header("location: dashboard.php");
    }
}

Answer 3 (score: 0)

The login function now works wonders! Thanks a lot, guys! I just finished my image upload script, which writes the file name to the database. It works, but is it safe against things like SQL injection?

I'm currently working on my final study project, where security is a big concern. If I manage to take down a commonly used secure CMS, I get my degree as a programmer :)

Here is the function:

function uploadImage() {
    $dir = $_SERVER['DOCUMENT_ROOT'] . 'pvb/upload/';
    $allowedExts = array("jpg", "jpeg", "gif", "png");
    // end() needs a variable, so split the name first instead of passing explode() directly
    $parts = explode(".", $_FILES["file"]["name"]);
    $extension = end($parts);
    if ((($_FILES["file"]["type"] == "image/gif")
            || ($_FILES["file"]["type"] == "image/jpeg")
            || ($_FILES["file"]["type"] == "image/png")
            || ($_FILES["file"]["type"] == "image/pjpeg"))
            && ($_FILES["file"]["size"] < 2000000)
            && in_array($extension, $allowedExts)) {
        if ($_FILES["file"]["error"] > 0) {
            echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
        } else {
            if (file_exists($dir . $_FILES["file"]["name"])) {
                echo $_FILES["file"]["name"] . " already exists. ";
            } else {
                move_uploaded_file($_FILES["file"]["tmp_name"], $dir . $_FILES["file"]["name"]);
                $this->createThumbs($dir, $dir . "thumbs/", 100);

                $connect = new PDO(host, username, password); // Create the database connection (host, username & password can be changed in config.php)
                $sql = "INSERT INTO afbeeldingen (img_naam) VALUES (:naam)";
                $value = $connect->prepare($sql);
                $value->bindValue(":naam", $_FILES['file']['name'], PDO::PARAM_STR);
                $value->execute();
                $connect = null;
            }
        }
    } else {
        echo "Invalid file";
    }
}
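On the SQL side, the bindValue() in the post above is exactly what keeps the file name out of the query text, so the INSERT is not injectable. What a prepared statement does not cover is the file handling itself, which in the post relies on the browser-supplied type and the original file name. As an added example that is not the poster's code, here is the same flow with the type read from the file's bytes and a generated name used on disk; the DSN, user name, password and the upload directory are placeholders, and the afbeeldingen(img_naam) table is from the post.

```php
<?php
// Added example (not the poster's code): the upload handler with all checks done server-side.
// DSN/user/password are placeholders for the config.php constants; the afbeeldingen(img_naam)
// table is from the post; the upload directory is assumed to be outside the document root.
function storeUploadedImage(array $file, string $dir, PDO $pdo): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, PHP error code ' . ($file['error'] ?? 'none'));
    }
    if ($file['size'] > 2000000) {
        throw new RuntimeException('File too large');
    }
    // $_FILES[...]['type'] comes from the client and is ignored; the type is read from the bytes
    // on disk, and the stored extension is chosen from that detected type.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Invalid file');
    }
    // The original file name is never used on disk: a random name cannot collide with an
    // existing file, cannot contain a path separator and cannot carry a second extension.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the uploaded file');
    }
    // The database part is the one the post asks about: with a bound placeholder the value
    // never becomes part of the SQL text, so there is nothing to escape.
    $stmt = $pdo->prepare('INSERT INTO afbeeldingen (img_naam) VALUES (:naam)');
    $stmt->bindValue(':naam', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $name;
}

$pdo = new PDO('mysql:host=localhost;dbname=DB_PLACEHOLDER;charset=utf8mb4', 'USER', 'PASS',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
try {
    $stored = storeUploadedImage($_FILES['file'] ?? [], __DIR__ . '/../uploads', $pdo);
    echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException | PDOException $e) {
    error_log($e->getMessage()); // full reason in the server log, generic text for the user
    echo 'Upload failed';
}
```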