Converting mysqli to PDO

Time: 2017-08-22 06:40:13

Tags: php mysqli pdo

I'm having problems using PDO while creating a SESSION. This is my mysqli code, which creates a SESSION without any problems.

    if (isset($_POST['submit'])) 
    {
        $idno = trim(addslashes($_POST['idno']));
        $password = trim(addslashes($_POST['password']));

        if ($idno != '' && $password != '') 
        {
            include ("includes/db.php");

            $sql1 = "SELECT member_id, member_level, member_status FROM member
                    WHERE member_id = '$idno' AND member_pass = '$password'";
            $result1 = mysqli_query($con,$sql1) or die('Query failed. ' . mysqli_error($con));
            $row1 = mysqli_fetch_array($result1, MYSQLI_ASSOC);

            $sql2 = "SELECT advisor_id, advisor_status FROM advisor
                    WHERE advisor_id = '$idno' AND advisor_pass = '$password'";
            $result2 = mysqli_query($con,$sql2) or die('Query failed. ' . mysqli_error($con));
            $row2 = mysqli_fetch_array($result2, MYSQLI_ASSOC);

            $sql3 = "SELECT mpp_id, mpp_status FROM mpp
                    WHERE mpp_id = '$idno' AND mpp_pass = '$password'";
            $result3 = mysqli_query($con,$sql3) or die('Query failed. ' . mysqli_error($con));
            $row3 = mysqli_fetch_array($result3, MYSQLI_ASSOC);

            $sql4 = "SELECT hep_id FROM hep
                    WHERE hep_id = '$idno' AND hep_pass = '$password'";
            $result4 = mysqli_query($con,$sql4) or die('Query failed. ' . mysqli_error($con));
            $row4 = mysqli_fetch_array($result4, MYSQLI_ASSOC);


            if (mysqli_num_rows($result1) == 1) 
            {   
                $_SESSION['idno'] = $row1['member_id'];
                $_SESSION['level'] = $row1['member_level'];
                $status=$row1['member_status'];

                if($status == 'Active') 
                {   
                    if($_SESSION['level'] =='1')
                    {
                        echo("<SCRIPT language='javascript'> 
                        window.alert('Login Successful, Welcome Club Member!!');
                        window.location='~/../member/index.php?member_id=$idno' ; 
                        </SCRIPT>");
                    }   

                    else if($_SESSION['level'] =='2')
                    {
                        echo("<SCRIPT language='javascript'> 
                        window.alert('Login Successful, Welcome Committee!!');
                        window.location='~/../committee/index.php?member_id=$idno' ; 
                        </SCRIPT>");
                    }
                }
                else
                { echo("<SCRIPT language='javascript'> 
                        window.alert('Login Unsuccessful, Your status is currently inactive!!');

                        </SCRIPT>");} 
            }

            else if(mysqli_num_rows($result2) == 1)
            {   
                $_SESSION['idno'] = $row2['advisor_id'];
                $status=$row2['advisor_status'];
                if($status == 'Active') 
                {

                    echo("<SCRIPT language='javascript'> 
                    window.alert('Login Successful, Welcome Advisor!!!');
                    window.location='~/../clubadvisor/index.php'; 
                    </SCRIPT>");

                }
                else
                {echo("<SCRIPT language='javascript'> 
                        window.alert('Login Unsuccessful, Your status is currently inactive!!');

                        </SCRIPT>");}
                }
            else if(mysqli_num_rows($result3) == 1)
            {   
                $_SESSION['idno'] = $row3['mpp_id'];
                $status=$row3['mpp_status'];
                if($status == 'Active')
                {echo("<SCRIPT language='javascript'> 
                    window.alert('Login Successful, Welcome MPP!!!');
                    window.location='~/../mpp/index.php?mpp_id=$idno'; 
                    </SCRIPT>");

            }
            else
                {echo("<SCRIPT language='javascript'> 
                        window.alert('Login Unsuccessful, Your status is currently inactive!!');

                        </SCRIPT>");}
            }

            else if(mysqli_num_rows($result4) == 1)
            {   
                $_SESSION['idno'] = $row4['hep_id'];

                echo("<SCRIPT language='javascript'> 
                    window.alert('Login Successful, Welcome HEP Staff!!!');
                    window.location='~/../hep/index.php?hep_id=$idno'; 
                    </SCRIPT>");

            }
        }
    }

    ?>

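I want to make the system more secure, which is why I chose to use PDO instead of mysqli. But I am too new to the PDO world, since PDO has a lot of special syntax.

Please help me convert this code to PDO style. Even just one part of it would be enough for me to learn PDO.

2 answers:

Answer 0: (score: 0)

To help you, I will convert only one SQL query, which you can learn from (don't copy and paste).

PDO is fun and full of features that I'm still learning.

Also, I find that your code is not safe even with mysqli_*, because you are not using prepared statements and are just putting the variable values directly into the SQL. You don't really have to switch to PDO; you can use prepared statements with mysqli_* as well.

But compared with mysqli_*, PDO is universal. Anyway, here is the small help you wanted.

Your code:

    $sql1 = "SELECT member_id, member_level, member_status FROM member WHERE member_id = '$idno' AND member_pass = '$password'";
    $result1 = mysqli_query($con, $sql1) or die('Query failed. ' . mysqli_error($con));
    $row1 = mysqli_fetch_array($result1, MYSQLI_ASSOC);

My code: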

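    // Placeholders (:idno, :password) keep user input out of the SQL text
    $sql1 = "SELECT member_id, member_level, member_status FROM member WHERE member_id = :idno AND member_pass = :password";
    $sql1Query = $con->prepare($sql1);
    // Bind the submitted values to the placeholders
    $sql1Query->bindParam(':idno', $_REQUEST["idno"]);
    $sql1Query->bindParam(':password', $_REQUEST["password"]);
    $sql1Query->execute();
    // Fetch the matching row as an associative array (false if there is none)
    $sql1Row = $sql1Query->fetch(PDO::FETCH_ASSOC);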

Using prepared statements will help you better secure your code, so I suggest you read more about using prepared statements.
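
An added example, not part of the original answer: the prepared-statement lookup carried through for more than one of the question's tables, with the table and column names taken from a fixed map because identifiers cannot be bound as parameters. It assumes an in-memory SQLite database with constructed rows so that it runs stand-alone, and that the *_pass columns hold password_hash() output rather than the plain passwords the question compares; findUser and ROLES are names made up here.

```php
<?php
// Added example. Table and column names follow the question; the SQLite
// database, the sample rows and the hashed *_pass values are constructed.
$con = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // replaces "or die()"
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$con->exec("CREATE TABLE member (member_id TEXT PRIMARY KEY, member_pass TEXT,
            member_level TEXT, member_status TEXT)");
$con->exec("CREATE TABLE hep (hep_id TEXT PRIMARY KEY, hep_pass TEXT)");
$ins = $con->prepare("INSERT INTO member VALUES (?, ?, ?, ?)");
$ins->execute(['M001', password_hash('s3cret', PASSWORD_DEFAULT), '1', 'Active']);
$ins->execute(['M002', password_hash('hunter2', PASSWORD_DEFAULT), '2', 'Inactive']);

// Identifiers cannot be bound as parameters, so they come from this fixed map
// and never from user input. advisor and mpp would be added the same way.
const ROLES = [
    'member' => ['table' => 'member', 'id' => 'member_id', 'pass' => 'member_pass',
                 'extra' => 'member_level AS level, member_status AS status'],
    'hep'    => ['table' => 'hep', 'id' => 'hep_id', 'pass' => 'hep_pass',
                 'extra' => "NULL AS level, 'Active' AS status"], // hep has no status column
];

function findUser(PDO $con, string $idno, string $password): ?array
{
    foreach (ROLES as $role => $r) {
        $stmt = $con->prepare(
            "SELECT {$r['id']} AS id, {$r['pass']} AS hash, {$r['extra']}
               FROM {$r['table']} WHERE {$r['id']} = :idno"
        );
        $stmt->execute([':idno' => $idno]); // the value travels apart from the SQL text
        $row = $stmt->fetch();
        if ($row && password_verify($password, $row['hash'])) {
            unset($row['hash']);            // never hand the hash to the caller
            return ['role' => $role] + $row;
        }
    }
    return null; // unknown id and wrong password are not distinguished
}

var_dump(findUser($con, 'M001', 's3cret'));        // valid member credentials
var_dump(findUser($con, "M001' OR '1'='1", 'x'));  // quote characters stay plain data
var_dump(findUser($con, 'M002', 'hunter2'));       // caller still has to check 'status'
```

With PDO::ERRMODE_EXCEPTION a failed query throws a PDOException, so the caller can log it server-side instead of printing the driver error to the browser.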

Answer 1: (score: 0)

Use this $result1 = $conn->exec($sql1); in place of $result1 = mysqli_query($con,$sql1);

and use $row1 = $result1->fetch(PDO::FETCH_ASSOC) where you have $row1 = mysqli_fetch_array($result1, MYSQLI_ASSOC);

See the example here: http://php.net/manual/en/pdostatement.fetch.php