2 simple SQL queries in PHP throwing errors

Time: 2017-03-11 20:38:36

Tags: php mysql

I'm still fairly new to PHP, so I may be making some easy mistakes here.

The following code throws these warnings:

Warning: mysqli_stmt_bind_param() expects parameter 1 to be mysqli_stmt, boolean given in /home/unn_w14017307/public_html/Assignment3/JakeUploads/11March/logonProcess.php on line 87

Warning: mysqli_stmt_execute() expects parameter 1 to be mysqli_stmt, boolean given in /home/unn_w14017307/public_html/Assignment3/JakeUploads/11March/logonProcess.php on line 88

Warning: mysqli_stmt_store_result() expects parameter 1 to be mysqli_stmt, boolean given in /home/unn_w14017307/public_html/Assignment3/JakeUploads/11March/logonProcess.php on line 89

Warning: mysqli_stmt_bind_result() expects parameter 1 to be mysqli_stmt, boolean given in /home/unn_w14017307/public_html/Assignment3/JakeUploads/11March/logonProcess.php on line 90

I think it has to do with the first query I execute, because the first query works fine and then the second one throws these errors.

It's not a connection problem, since $conn works for the first query.

Here is the code:

    <?php
    $username = filter_has_var(INPUT_POST, 'username') ? $_POST['username']: null;
    $password  = filter_has_var(INPUT_POST, 'password') ? $_POST['password']: null;

    include 'database_conn.php';    // make db connection

    /* Query the users database table to get the password hash for the username entered by the user in the logon form */

    $sql = "SELECT password FROM Users WHERE username = ?";
    $typeSql = "SELECT type FROM Users WHERE username = $username";

    $stmt = mysqli_prepare($conn, $sql);    // prepare the sql statement

    /* Bind the $username entered by the user to the prepared statement. Note the "s" part indicates the data type used - in this case a string */

    mysqli_stmt_bind_param($stmt, "s", $username);

    mysqli_stmt_execute($stmt); // execute the query
    mysqli_stmt_store_result($stmt); //store result so second query can be used
    /* Get the password hash from the query results for the given username and store it in the variable indicated */

    mysqli_stmt_bind_result($stmt, $returnedPass);

    /* Check if a record was returned by the query. If yes, then there was a username matching what was entered in the logon form and we can now test to see if the password entered in the logon form is the same as the stored (correct) one in the database. */

    if (mysqli_stmt_fetch($stmt)) {
        if($password === $returnedPass)
        {
            mysqli_stmt_close($stmt);
            $stmt = mysqli_prepare($conn, $typeSql);
            mysqli_stmt_bind_param($stmt, "s", $username);
            mysqli_stmt_execute($stmt);
            mysqli_stmt_store_result($stmt);
            mysqli_stmt_bind_result($stmt, $accountType);

            $_SESSION['uName'] = $username;
            $_SESSION['logged-in'] = true;
            $_SESSION['type'] = $type;

            echo "<p>Password valid</p>";
            echo "<p>Username: $username</p>";
            echo "<p>Account type: $type</p>";
        }
        else
        {
            echo "<p>Password invalid</p>";
        }
    }
    else {
        echo "<p>Sorry we don't seem to have that username.</p>";
    }

    mysqli_stmt_close($stmt);
    mysqli_close($conn);
    ?>

1 Answer:

Answer 0 (score: 1)

The culprit is that mysqli can only bind parameters to ?

$sql = "SELECT password FROM Users WHERE username = ?";
$typeSql = "SELECT type FROM Users WHERE username = ?";

But you should prepare it only once:

// Prepare the second statement once, up front, and check the return value:
// mysqli_prepare() returns false when the SQL cannot be prepared, and passing
// that false on is what produced the "boolean given" warnings above.
if(! $typestmt =  mysqli_prepare($conn, $typeSql)){
  die('error in sql syntax');
}

if (mysqli_stmt_fetch($stmt)) {
  if($password === $returnedPass)
  {
    mysqli_stmt_bind_param($typestmt, "s", $username);
    mysqli_stmt_execute($typestmt);
    mysqli_stmt_store_result($typestmt);
    mysqli_stmt_bind_result($typestmt, $accountType);
    mysqli_stmt_fetch($typestmt);   // populate $accountType from the result row
  }
}

On a side note, as @Fred says, storing plain-text passwords is not secure.

Use password_hash() to generate a hash, store that as the password, retrieve that value, and use password_verify() to check the hash stored in the database against the value the user supplied to validate the login.

Another point is that you can combine the queries into this:

SELECT password, type FROM Users WHERE username = ?

But for a secure login I would do something like:

SELECT id FROM users WHERE username = ? AND password = ?
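Below is an added example (not code from the question or the answer) that puts the answer's points together: a single `?`-placeholder query returning both `password` and `type`, a check on the return value of `mysqli_prepare()`, and `password_hash()`/`password_verify()` instead of a plain-text comparison. Because the stored value is a salted hash, the comparison has to happen in PHP with `password_verify()` rather than in the `WHERE` clause. It assumes, as the question does, that `database_conn.php` defines a mysqli connection in `$conn` and that the `Users` table has `username`, `password` and `type` columns. The dummy-hash timing equalisation, `session_regenerate_id()` and the HTML escaping are additions of this example, not something the answer states.

```php
<?php
// Added example, not from the original post. Assumes database_conn.php
// defines $conn (mysqli) and a Users table with username, password, type.
declare(strict_types=1);

session_start();

/**
 * Store a fresh password_hash() for a user (registration or rehash).
 * Returns true when the UPDATE executed.
 */
function setPassword(mysqli $conn, string $username, string $password): bool
{
    // password_hash() chooses the algorithm and a random salt; the returned
    // string is self-describing and is stored as-is.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = mysqli_prepare($conn, "UPDATE Users SET password = ? WHERE username = ?");
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, "ss", $hash, $username);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

/**
 * Fetch the stored hash and account type with one prepared statement and
 * verify the password in PHP. Returns the account type on success, or null
 * when the username is unknown or the password does not match.
 */
function authenticate(mysqli $conn, string $username, string $password): ?string
{
    // Both columns in one query; mysqli accepts only "?" placeholders.
    $sql = "SELECT password, type FROM Users WHERE username = ?";

    // mysqli_prepare() returns false on failure. Checking it here is what
    // avoids the "expects parameter 1 to be mysqli_stmt, boolean given" warnings.
    $stmt = mysqli_prepare($conn, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($conn));
    }

    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    mysqli_stmt_bind_result($stmt, $storedHash, $accountType);

    $found = mysqli_stmt_fetch($stmt);   // true when a row came back
    mysqli_stmt_close($stmt);

    if (!$found) {
        // Unknown username: still pay for one hash check so response time
        // does not reveal whether the username exists.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return null;
    }

    if (!password_verify($password, $storedHash)) {
        return null;
    }

    // Transparently upgrade hashes made with older cost parameters.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        setPassword($conn, $username, $password);
    }

    return $accountType;
}

// ---- request handling ----
$username = (string) (filter_input(INPUT_POST, 'username') ?? '');
$password = (string) (filter_input(INPUT_POST, 'password') ?? '');

include 'database_conn.php';   // must define $conn

if ($username === '' || $password === '') {
    echo "<p>Username and password are required.</p>";
} elseif (($type = authenticate($conn, $username, $password)) !== null) {
    session_regenerate_id(true);          // new session id after login (fixation defence)
    $_SESSION['uName'] = $username;
    $_SESSION['logged-in'] = true;
    $_SESSION['type'] = $type;
    // Escape before echoing: $username is attacker-controlled input.
    echo "<p>Username: " . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . "</p>";
    echo "<p>Account type: " . htmlspecialchars($type, ENT_QUOTES, 'UTF-8') . "</p>";
} else {
    // One generic message for both unknown username and wrong password.
    echo "<p>Invalid username or password.</p>";
}

mysqli_close($conn);
```

Note that the single generic failure message and the dummy `password_verify()` on the unknown-username path go together: the question's original code told the caller whether the username existed, which is exactly the oracle an attacker enumerating accounts wants.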