Converting from mysql_ to PDO: PHP errors

Time: 2013-06-21 06:50:57

Tags: php pdo

Just converted from mysql_ to PDO. Of course some errors showed up.

<?php
ob_start();
session_start();
include("php/connect.php");

if ($_POST['submit']){

    $username = $db -> prepare($_POST['username']);
    $password = $db -> prepare($_POST['password']);

    if($username){

        if($password){

            $password = md5(md5("KmsdufIFNKSnefndbdo19228330293".$password."JSDSHBFJS8S8ds8sd8s8d"));
            $query = $db -> query("SELECT * FROM user WHERE username='$username'");             
            $num_rows = $db -> rowCount($query);

            if ($num_rows == 1){

                $row = $query -> fetch(PDO::FETCH_ASSOC);
                $db_username = $row['username'];
                $db_password = $row['password'];

                if ($password == $db_password){

                    $_SESSION['username'] = $username;

                }else
                    $div = "<div id='error'>Passwordi eshte gabim</div>";

            }else
                $div = "<div id='error'>Emri nuk u gjend</div>";

        }else
            $div = "<div id='error'>Futeni Passwordin</div>";

    }else
        $div= "<div id='error'>Futeni emrin e llogarise</div>";
}
?>

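3 answers:

Answer 0: (score: 1)

pdo::prepare is not a replacement for mysql_real_escape_string. It parses the SQL statement (or lets the underlying database system do that job, see PDO::ATTR_EMULATE_PREPARES), looking for placeholders that are replaced by the actual parameters when the statement is executed.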

$stmt = $db->prepare('SELECT * FROM user WHERE username=?');
// $stmt now "is" the identifier for the previously prepared statement
// it can be executed but needs one parameter to fill out the placeholder
$stmt->execute( array($_POST['username']) );
// it could be executed again with another parameter
// $stmt->execute( array('Foo') );
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ( !$row ) {
    // no such user
}
else {
    // ...
}

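The question's whole login check rewritten around a placeholder, as an added example that is not part of the original question or answers. It assumes an in-memory SQLite database (pdo_sqlite) with a constructed `user` table, a hypothetical `check_login()` helper, and `password_hash()`/`password_verify()` swapped in for the question's double-MD5 scheme; `fetch()` returning `false` replaces the `rowCount()` check.

```php
<?php
// Added example: table layout and function name are assumptions, not the asker's schema.
// An in-memory SQLite database (needs pdo_sqlite) keeps it runnable without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed sample account; password_hash() generates a per-user salt.
$ins = $db->prepare('INSERT INTO user (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Returns null on success or an error string, mirroring the question's four branches.
 */
function check_login(PDO $db, string $username, string $password): ?string
{
    if ($username === '') {
        return 'missing username';
    }
    if ($password === '') {
        return 'missing password';
    }
    // The SQL text is fixed; the user's value travels separately as a bound parameter.
    $stmt = $db->prepare('SELECT username, password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matched
    if ($row === false) {
        return 'user not found';
    }
    if (!password_verify($password, $row['password'])) {
        return 'wrong password';
    }
    return null;
}

// Constructed inputs, including one that would alter the query if it were interpolated.
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ["' OR '1'='1", 'x'],
    ['', 'x'],
];
foreach ($attempts as [$u, $p]) {
    $err = check_login($db, $u, $p);
    printf("%-18s => %s\n", var_export($u, true), $err ?? 'ok');
}
```

The third attempt is looked up as a literal username and reports "user not found", because the bound value never becomes part of the SQL text.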

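Answer 1: (score: 0)

Take a look at the prepare method (http://de3.php.net/manual/en/pdo.prepare.php). You've got it wrong: your statement is what goes in there. And: please use prepared statements, not direct (unsanitized) variable input.

I think the PHP manual is a good place to start.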

Answer 2: (score: 0)

The format you need for PDO (based on what you are trying to do) is:

$sql = 'SELECT query here .......';
$stmt = $db->prepare($sql);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);

if ($result) {
.
.
.
}