在我的代码中我试图将mysql_real_escape_string翻译成PDO语句。有人在如何在PDO中编写mysql_real_escape_string吗?
我在两行中使用mysql_real_escape_string: $ userName = mysql_real_escape_string($ _ POST ['username']); $ password = sha1(mysql_real_escape_string($ _ POST ['password']));
<?php
ob_start();
session_start();
include("../database/db.php");
$userName = mysql_real_escape_string($_POST['username']);
$password = sha1(mysql_real_escape_string($_POST['password']));
echo "<br>user: " . $userName;
echo "<br> pw: " . $password;
$query = "select * from tbladmin where admin_usr_name='$userName' and admin_pwd='$password'";
$res = mysql_query($query);
// $rows = $res->fetch(PDO::FETCH_ASSOC);
$rows = mysql_fetch_assoc($res);
echo "<br>numrows" . mysql_num_rows($res) . "<br>";
// $find = $query->prepare("select * from tbladmin where admin_usr_name='$userName' and admin_pwd='$password'");
// $find->execute();
// if ($find->fetchColumn() > 0)
// {
// echo 'You made it, welcome';
// $_SESSION['userName'] = $rows['admin_usr_name'];
// $_SESSION['admin_id'] = $rows['admin_id'];
// header("location: ../pages/content.php");
// }
// else
// {
// echo 'Username and password dont match <br/> Try again';
// header("location: ../index.php?loginerror=yes");
// }
if(mysql_num_rows($res)>0)
{
$_SESSION['userName'] = $rows['admin_usr_name'];
$_SESSION['admin_id'] = $rows['admin_id'];
header("location: ../pages/content.php");
}
else
{
echo 'Username and password dont match <br/> Try again';
header("location: ../index.php?loginerror=yes");
}
&GT;
这就是我试图用PDO做的事情
$host = "localhost";
$user = "root";
$password = "root";
$db = "blog";
$dsn = "mysql:host=$host;dbname=$db;charset=utf8";
$opt = array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC);
$pdo = new PDO($dsn,$user,$password, $opt);
$username = $_POST['username'];
$password = $_POST['password'];
$query = "select * from tbladmin where admin_usr_name=:userName and admin_pwd=:passWord";
try
{
$databas = new PDO($dsn, $user, $password);
}
catch (PDOException $e)
{
echo 'Connection failed: ' . $e->getMessage();
}
$statement = $databas->prepare($query);
$statement->execute(array(':userName'=>$username, ':passWord'=> $password));
$row = $statement->fetch();
我总是收到此错误: 在非对象上调用成员函数prepare()
答案 0 :(得分:7)
关键是使用带参数化查询和绑定值的预准备语句,您不需要mysql_real_escape_string
等内容。
查看PDO documentation如何使用绑定值和参数化查询/预准备语句。
关键是你要编写一个SQL查询:
$query = $pdo->prepare("SELECT * FROM users WHERE username = ? and password = ?");
然后你会传入绑定值代替?符号,因此查询只是按字面意思运行:
$query->bindParam(1, $username);
$query->bindParam(2, $password);
上面变量中的任何类型的SQL注入尝试(例如1'; DROP users --
)将不再起作用,因为它将按字面意思调用。
答案 1 :(得分:3)
您不需要在PDO中。至少,你很少需要。
答案 2 :(得分:1)
如前所述,您不必使用转义...因为通过绑定值来更安全地处理?或在sql语句中使用冒号命名
我会做这样的事情:
<?php
$username = $_POST['username'];
$password = $_POST['password'];
$query = "select * from tbladmin where admin_usr_name=:userName and admin_pwd=:passWord";
try {
$db = new PDO($dsn, $un, $pw);
} catch (PDOException $e) {
echo 'Connection failed: ' . $e->getMessage();
}
$statement = $db->prepare($query);
//:userName and :passWord is set when actually executing the query
$statement->execute(array(':userName'=>$username, ':passWord'=> $password));
$row = $statement->fetch();
?>
请注意,fetch()只返回一行(resultset中的下一行)。如果要访问整个记录集,可以通过两种方式执行此操作:
while() { }
或 $rows = $statement->fetchAll();
并循环遍历数组$ rows 将选项1与较大的结果集一起使用。
使用带有次要结果集的选项2(并且您知道它不会增长太多)
考虑是否应该设置PDO :: ATTR_EMULATE_PREPARES的属性。有关此内容的更多信息:PDO MySQL: Use PDO::ATTR_EMULATE_PREPARES or not?