所以,我正在尝试将PDO用于登录表单以防止MYSQL注入,并且我遇到了一个问题。虽然之前我使用过这样的代码:
$fuser = $_POST['fusername'];
$fpass = $_POST['fpassword'];
$query = "SELECT * FROM person WHERE username='$fuser' AND password='$fpass'";
$result = mysql_query($query);
$num = mysql_num_rows($result);
if ($num==1) {
$row = mysql_fetch_array($result);
extract($row);
$_SESSION['auth'] = "yes";
$_SESSION['uname'] = $fuser;
$_SESSION['lev'] = $accesslevel;
我现在正尝试使用PDO执行此操作(忽略变量名称中的更改)
$loginemail = $_POST['lemail'];
$loginpass = $_POST[('lpassword')];
$loginpass = sha1($loginpass);
$query = $hsdbc->prepare('SELECT * FROM user WHERE email =
:loginemail and password = :loginpass');
$query->bindParam(':loginemail', $loginemail, PDO::PARAM_STR, 75);
$query->bindParam(':loginpass', $loginpass, PDO::PARAM_STR, 255);
$query->execute();
if ($query->rowCount() == 1 ){
但是,我不确定如何分配会话变量的最后一部分。我已经研究了fetch并且可能认为FETCH_CLASS可能是答案,但我不确定
答案 0 :(得分:0)
首先, NOT 使用extract
,是否容易出错并且容易出错。
其次,你错过了提取部分:
if ($query->rowCount() == 1 ){
$data = $query->fetch(PDO::FETCH_ASSOC);
$_SESSION['auth'] = "yes";
$_SESSION['uname'] = $data['fuser'];
$_SESSION['lev'] = $data['access_level'];
}