Question

我正在尝试在登录功能上使用预准备语句，以防止使用以下代码进行SQL注入：

    function login($email, $password, $mysqli)
        {
            // Using prepared statements means that SQL injection is not possible. 
            if ($stmt = $mysqli->prepare("SELECT id, username, password, salt, phnumber, realname, age, sex FROM members WHERE email = ? LIMIT 1")) {

                $stmt->bind_param('s', $email);  // Bind "$email" to parameter.
                $stmt->execute();    // Execute the prepared query.
                $stmt->store_result();

                // get variables from result.
                $stmt->bind_result($user_id, $username, $db_password, $salt, $phnumber, $realname, $age, $sex);
                $stmt->fetch();
                 }
         }

然后是密码部分工作正常。然后我创建了一个test.php页面并将此代码放入其中：

print_r($_SESSION);

仅打印$user_id，$username和password。我记不起$email或其他数据，我做错了什么？

Answer 1

从函数变量中删除mysqli变量，并仅使用全局$ mysqli。

此外，您不会将查询中返回的值保存到会话变量或数组中。

会话变量的结果：

$mysqli = new MySQLi("$dbhost", "$dbuser", "$dbpass", "$db");

function login($email, $password){
    global $mysqli;
    if ($stmt = $mysqli->prepare("SELECT id, username, password, salt, phnumber, realname, age, sex FROM members WHERE email = ? LIMIT 1")) {
        $stmt->bind_param('s', $email);  // Bind "$email" to parameter.
        $stmt->execute();    // Execute the prepared query.
        $stmt->store_result()
        $stmt->bind_result($user_id, $username, $db_password, $salt, $phnumber, $realname, $age, $sex);
        $stmt->fetch()
        $_SESSION['user_id'] = $user_id;
        $_SESSION['username'] = $username;
        $_SESSION['db_password'] = $db_password;
        $_SESSION['salt'] = $salt;
        $_SESSION['phnumber'] = $phnumber;
        $_SESSION['realname'] = $realname;
        $_SESSION['age'] = $age;
        $_SESSION['sex'] = $sex;

    }
}

结果到数组：

$mysqli = new MySQLi("$dbhost", "$dbuser", "$dbpass", "$db");

function login($email, $password){
    global $mysqli;
    if ($stmt = $mysqli->prepare("SELECT id, username, password, salt, phnumber, realname, age, sex FROM members WHERE email = ? LIMIT 1")) {
         $stmt->bind_param('s', $email);  // Bind "email" to parameter.
        $stmt->execute();    // Execute the prepared query.
        $stmt->store_result()
        $stmt->bind_result($user_id, $username, $db_password, $salt, $phnumber, $realname, $age, $sex);
        $stmt->fetch()
        $userdata['user_id'] = $user_id;
        $userdata['username'] = $username;
        $userdata['db_password'] = $db_password;
        $userdata['salt'] = $salt;
        $userdata['phnumber'] = $phnumber;
        $userdata['realname'] = $realname;
        $userdata['age'] = $age;
        $userdata['sex'] = $sex;

    }
    return $userdata;
}

如果您的电子邮件值为空，则查询将永远不会起作用，因此首先您需要查看电子邮件变量是否正确传递给该函数。暂时用此代码替换该函数（在test.php页面中）

function login($email, $password){
    echo $email;
    return $email;
}
echo login($email, $password);

如果没有显示任何结果，您应该首先找到原因。如果确实显示结果，请直接测试SQL查询（使用PHPMyAdmin等...）或MySQL CLI。

Answer 2

if ($stmt = $mysqli->prepare("SELECT id, username, password, salt, phnumber, realname, age, sex, email FROM members WHERE email = ? LIMIT 1")) {

        $stmt->bind_param('s', $email);  // Bind "$email" to parameter.
        $stmt->execute();    // Execute the prepared query.
        $stmt->store_result();

        // get variables from result.
        $stmt->bind_result($user_id, $username, $db_password, $salt, $phnumber, $realname, $age, $sex, $email);
        $stmt->fetch();
        $_SESSION["userId"] = $user_id;
        $_SESSION["userName"] = $username;
        $_SESSION["realname"] = $user_id;
        $_SESSION["email"] = $email;

无法从数据库中选择

2 个答案: