Parameterized query in usercheck

Time: 2017-03-11 09:26:55

Tags: php mysql mysqli parameterized-query

I am new to parameterized queries. Please help me with this in usercheck. I am giving my program. I want to use a parameterized query for my database login page. Please help me. Thanks in advance

<html>

<form name="usercheck" method="post" action="newuser.php">
    username: <input type="text" name="uname"> <br><br>
    password:<input type="password" name="pswd"><br><br>
    <input type="submit" value="Login">
</form>

<?php

session_start();

// PHP superglobals are case-sensitive: $_POST, not $_post.
if (isset($_POST['uname'])) {

    $uname = $_POST['uname'];
    $pswd = $_POST["pswd"];

    $con = mysqli_connect("localhost", "root", "happy123$", "cbanktb");
    // Select only the columns that are bound below: bind_result() needs exactly
    // one variable per selected column, so "select *" would not match.
    $query = "select username, password FROM banktable where username=? and password=?";
    $stmt = mysqli_prepare($con, $query);
    if ($stmt) {

        // One type character per placeholder: two strings -> "ss".
        mysqli_stmt_bind_param($stmt, "ss", $uname, $pswd);
        mysqli_stmt_execute($stmt);
        // Result columns are bound after execute() and before fetch().
        mysqli_stmt_bind_result($stmt, $dbusername, $dbpassword);

        // fetch() returns true only when a row matched both values.
        if (mysqli_stmt_fetch($stmt)) {
            echo "You are logged in";
        } else {
            echo "You are not logged in";
        }
        mysqli_stmt_close($stmt);
    } else {
        echo "Prepare failed: " . mysqli_error($con);
    }
}

?>

</html>

1 answer:

Answer 0: (score: 1)

Use a parameterized mysqli_* prepare statement or PDO

    <html>

    <form name="usercheck" method="post" action="newuser.php">
        username: <input type="text" name="uname"> <br><br>
        password:<input type="password" name="pswd"><br><br>
        <input type="submit" value="Login" name="form_submit" >
    </form>

    <?php

    session_start();

    // Superglobals are case-sensitive: $_POST, not $_post.
    if (isset($_POST['form_submit'])) {

         $uname = $_POST['uname'];
         $pswd = $_POST["pswd"];

         $con = mysqli_connect("localhost", "root", "happy123$", "cbanktb") or die("Connection failed: " . mysqli_connect_error());

         // Note: matching the password inside the WHERE clause means it is stored
         // in plain text; password_hash()/password_verify() is the usual fix.
         $query = "select * FROM banktable where username=? and password=?";

         $stmt = $con->prepare($query);
         // One type character per placeholder. The argument may be one of four types:
         //   i - integer
         //   d - double
         //   s - string
         //   b - BLOB
         // change it respectively; both values here are strings, so 'ss'.
         $stmt->bind_param('ss', $uname, $pswd);

         $stmt->execute();
         // For a SELECT the row count is only available after the result set has
         // been buffered with store_result(); num_rows then holds the count.
         $stmt->store_result();
         $row_count = $stmt->num_rows;
         $stmt->close();
         $con->close();

         if ($row_count > 0) {
             echo "successfully logged in";
             // setting session here
         } else {
             echo "Login failed";
         }

    }

    ?>

    </html>
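The answer mentions PDO as the other option but only shows mysqli. As an added example (not from the question or the answer), here is the same login check with PDO, fetching a stored password hash and checking it with password_verify() instead of comparing the password in SQL. It assumes a table `banktable` with columns `username` and `password_hash` (filled with password_hash()), and placeholder DB credentials.

```php
<?php
// Added example, not the asker's or answerer's code. Assumed schema:
// banktable(username, password_hash), hash produced by password_hash().
session_start();

function checkLogin(PDO $pdo, string $uname, string $pswd): bool
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT password_hash FROM banktable WHERE username = ?');
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // For an unknown user, verify against a dummy hash anyway so the response
    // time does not reveal whether the username exists.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($pswd, $hash);
    return $row !== false && $ok;
}

if (isset($_POST['form_submit'])) {
    // DSN and credentials are placeholders; replace with your own.
    $pdo = new PDO('mysql:host=localhost;dbname=cbanktb;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);

    if (checkLogin($pdo, $_POST['uname'] ?? '', $_POST['pswd'] ?? '')) {
        session_regenerate_id(true); // new session id on login (session fixation)
        $_SESSION['uname'] = $_POST['uname'];
        echo "successfully logged in";
    } else {
        echo "Login failed";
    }
}
```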