我准备好的陈述有什么问题?如何设置它的两个值?最后mysqli_stmt_bind_param()可以处理多少个参数?
$username = mysqli_real_escape_string($connection, $_POST['username']);
$password = mysqli_real_escape_string($connection, $_POST['password']);
$sql = mysqli_prepare($connection, "SELECT username FROM admin WHERE username = ? AND password = ?");
mysqli_stmt_bind_param($sql, 's', $username);
mysqli_stmt_bind_param($sql, 's', $password);
mysqli_stmt_execute($sql);
$count = mysqli_num_rows($sql);
if($count == 1)
{
$_SESSION['login_user'] = $username;
header("Location: AdminHome.php");
exit;
}
else
{
$msg='Username and Password didnt match';
}
mysqli_stmt_close($sql);
mysqli_close($connection);
答案 0 :(得分:4)
您需要一次绑定所有参数(它可以处理许多参数):
$sql = mysqli_prepare($connection, "SELECT username FROM admin WHERE username = ? AND password = ?");
mysqli_stmt_bind_param($sql, 'ss', $username, $password);
顺便说一句,您不应该在数据库中存储密码,而是使用哈希值,然后使用password_verify检查密码:http://php.net/manual/en/function.password-verify.php
此外,您不需要首先逃避字符串:Is mysql_real_escape_string() necessary when using prepared statements?
最后,您需要重写几行:
mysqli_stmt_execute($sql);
$result = mysqli_stmt_get_result($sql);
$count = mysqli_num_rows($result);