我正在尝试检查myusername和mypassword是否在数据库中,以及是否打印结果。如果结果与数据库中的内容相匹配,我无法返回并显示结果,有人可以协助吗?
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
//echo $myusername;
//echo $mypassword;
$stmt = $db->prepare('SELECT * FROM ADMIN_LOGIN WHERE USERNAME = $myusername AND PASSWORD = $mypassword');
//var_dump($stmt->readOnly()); // -> true
答案 0 :(得分:1)
您没有正确使用预准备语句。准备好的语句通过首先向服务器发送查询内容然后发送参数来工作。这样,服务器就无法被利用,因为查询结构“阶段”已经完成。
$sql = "SELECT * FROM ADMIN_LOGIN WHERE USERNAME = ? AND PASSWORD = ? LIMIT 1"
$sth = $dbh->prepare($sql);
$sth->execute(array($_POST['username'], $_POST['password']));
$res = $sth->fetch();
答案 1 :(得分:-1)
将代码重写为:
$result = $db->query("SELECT * FROM ADMIN_LOGIN WHERE USERNAME = '$myusername' AND PASSWORD = '$mypassword'");
while ($row = $result->fetchArray()) {
print $row["USERNAME"] . "\n";
print $row["PASSWORD"] . "\n";
}