我正在尝试在登录功能上使用预准备语句,以防止使用以下代码进行SQL注入:
function login($email, $password, $mysqli)
{
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt, phnumber, realname, age, sex FROM members WHERE email = ? LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt, $phnumber, $realname, $age, $sex);
$stmt->fetch();
}
}
然后是密码部分工作正常。 然后我创建了一个test.php页面并将此代码放入其中:
print_r($_SESSION);
仅打印$user_id,$username和password。
我记不起$email或其他数据,我做错了什么?
答案 0 :(得分:1)
从函数变量中删除mysqli变量,并仅使用全局$ mysqli。
此外,您不会将查询中返回的值保存到会话变量或数组中。
会话变量的结果:
$mysqli = new MySQLi("$dbhost", "$dbuser", "$dbpass", "$db");
function login($email, $password){
global $mysqli;
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt, phnumber, realname, age, sex FROM members WHERE email = ? LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result()
$stmt->bind_result($user_id, $username, $db_password, $salt, $phnumber, $realname, $age, $sex);
$stmt->fetch()
$_SESSION['user_id'] = $user_id;
$_SESSION['username'] = $username;
$_SESSION['db_password'] = $db_password;
$_SESSION['salt'] = $salt;
$_SESSION['phnumber'] = $phnumber;
$_SESSION['realname'] = $realname;
$_SESSION['age'] = $age;
$_SESSION['sex'] = $sex;
}
}
结果到数组:
$mysqli = new MySQLi("$dbhost", "$dbuser", "$dbpass", "$db");
function login($email, $password){
global $mysqli;
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt, phnumber, realname, age, sex FROM members WHERE email = ? LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result()
$stmt->bind_result($user_id, $username, $db_password, $salt, $phnumber, $realname, $age, $sex);
$stmt->fetch()
$userdata['user_id'] = $user_id;
$userdata['username'] = $username;
$userdata['db_password'] = $db_password;
$userdata['salt'] = $salt;
$userdata['phnumber'] = $phnumber;
$userdata['realname'] = $realname;
$userdata['age'] = $age;
$userdata['sex'] = $sex;
}
return $userdata;
}
如果您的电子邮件值为空,则查询将永远不会起作用,因此首先您需要查看电子邮件变量是否正确传递给该函数。暂时用此代码替换该函数(在test.php页面中)
function login($email, $password){
echo $email;
return $email;
}
echo login($email, $password);
如果没有显示任何结果,您应该首先找到原因。如果确实显示结果,请直接测试SQL查询(使用PHPMyAdmin等...)或MySQL CLI。
答案 1 :(得分:0)
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt, phnumber, realname, age, sex, email FROM members WHERE email = ? LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt, $phnumber, $realname, $age, $sex, $email);
$stmt->fetch();
$_SESSION["userId"] = $user_id;
$_SESSION["userName"] = $username;
$_SESSION["realname"] = $user_id;
$_SESSION["email"] = $email;