我的sql num行返回0

时间:2013-12-09 14:23:21

标签: php mysql sql

我检查了所有变量。所有这些都包含正确的数据。但是,当我调用mysql_num_rows()时,它返回NULL而不是1.所以我的登录脚本说错误的用户和密码,当它们实际上是正确的时。

<?php
ini_set('display_errors', 'On');
error_reporting(E_ALL | E_STRICT);

ob_start();
$host="mywebsite.it"; // Host name
$username="whateveruser"; // Mysql username
$password="whateverpassword"; // Mysql password
$db_name="whateverdb"; // Database name
$tbl_name="whatevertable"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
print "$db_name\n";/*These is correct*/
print "$tbl_name\n";/*These is correct*/
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];


/*To protect MySQL injection*/
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
print "\n$result"; /*These is correct*/
// Mysql_num_row is counting table row
$count = mysql_num_rows($result); /*This isn't actually returning 1*/
echo '<pre>'; var_dump($count); echo '</pre>';


// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){

// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("Location:Target.php");
}
else {

echo "Wrong Username or Password";    /*my script always goes here*/
}

ob_end_flush();
?>

1 个答案:

答案 0 :(得分:0)

这看起来应该有效。但是,请停止使用mysql_ *函数。它们已被弃用,存在许多安全问题。

相反,我强烈建议您使用支持PDO等本机编码的库。 (http://www.php.net/manual/en/class.pdo.php)具体来说,我建议您使用预准备语句。 (http://www.php.net/manual/en/pdo.prepare.php

我在下面提供了一个简单的例子。

这是一个快速连接功能:

<?php

function connectToDb($dbms, $host, $port, $username, $password) {
    $dsn = sprintf('%s:host=%s;port=%d', $dbms, $host, $port);

    $attributes = array(
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
    );  

    // Wrap PDO instantiation in a try->catch so credentials don't end up in
    // stack traces

    try {
        $connection = new PDO(
            $dsn, $username, $password, $attributes
        );  
    } catch (Exception $exception) {
        throw new Exception($exception->getMessage());
    }   

    return $connection;
}

以下是如何使用它的快速示例:

// Connect to the database

$connection = connectToDb(
    'mysql', 'localhost', '3306', 'bryan', ''
);

// Prepare the statement with parameters we can bind user input to
// These parameters will be properyly encoded to prevent SQL injection

$statement = $connection->prepare(
    'SELECT user,password FROM mysql.user WHERE user = :username'
);

// Perform the search with the user-supplied data
// We'll pretend here with $usernameSearch 

$usernameSearch = 'bryan';

$statement->execute(
    array(':username' => $usernameSearch)
);

// Get the result set row count

$rowCount = $statement->rowCount();

// Do What you need to do

if ($rowCount > 0) {
    // Fetch a row
    $result = $statement->fetch(PDO::FETCH_ASSOC);
    printf("Found a record for %s!\n", $result['user']);
} else {
    echo "No record found!\n";
}