Question

我有这个网址，

http://webworks.net/ww.incs/forgotten-password-verification.php?verification_code=974bf747124c69f12ae3b36afcaccc68&email=myemail@gmail.com&redirect=/ww.admin/index.php

这会产生以下错误。

Fatal error: Call to a member function fetch() on a non-object in
/var/www/webworks/ww.incs/basics.php on line 23 
Call Stack: 0.0005 338372 1. {main}() 
/var/www/webworks/ww.incs/forgotten-password-verification.php:
0 0.0020 363796 2. dbRow() 
/var/www/webworks/ww.incs/forgotten-password-verification.php:18

遗忘密码验证.php

require 'login-libs.php';

login_check_is_email_provided();

// check that a verification code was provided
if(
 !isset($_REQUEST['verification_code']) || $_REQUEST['verification_code']==''
){
 login_redirect($url,'novalidation');
}

// check that the email/verification code combination matches a row in the user table
// $password=md5($_REQUEST['email'].'|'.$_REQUEST['password']);
$r=dbRow('select * from user_accounts where
 email="'.addslashes($_REQUEST['email']).'" and
 verification_code="'.$_REQUEST['verification_code'].'" and active'
);
if($r==false){
 login_redirect($url,'validationfailed');
}

// success! set the session variable, then redirect
$_SESSION['userdata']=$r;
$groups=json_decode($r['groups']);
$_SESSION['userdata']['groups']=array();
foreach($groups as $g)$_SESSION['userdata']['groups'][$g]=true;
if($r['extras']=='')$r['extras']='[]';
$_SESSION['userdata']['extras']=json_decode($r['extras']);

login_redirect($url);

并登录libs，

require 'basics.php';

$url='/';
$err=0;

function login_redirect($url,$msg='success'){
 if($msg)$url.='?login_msg='.$msg;
 header('Location: '.$url);
 echo '<a href="'.htmlspecialchars($url).'">redirect</a>';
 exit;
}

// set up the redirect
if(isset($_REQUEST['redirect'])){
 $url=preg_replace('/[\?\&].*/','',$_REQUEST['redirect']);
 if($url=='')$url='/';
}

// check that the email address is provided and valid
function login_check_is_email_provided(){
 if(
  !isset($_REQUEST['email']) || $_REQUEST['email']==''
  || !filter_var($_REQUEST['email'], FILTER_VALIDATE_EMAIL)
 ){
  login_redirect($GLOBALS['url'],'noemail');
 }
}

// check that the captcha is provided
function login_check_is_captcha_provided(){
 if(
   !isset($_REQUEST["recaptcha_challenge_field"]) || $_REQUEST["recaptcha_challenge_field"]==''
  || !isset($_REQUEST["recaptcha_response_field"]) || $_REQUEST["recaptcha_response_field"]==''
 ){
  login_redirect($GLOBALS['url'],'nocaptcha');
 }
}

// check that the captcha is valid
function login_check_is_captcha_valid(){
 require 'recaptcha.php';
 $resp=recaptcha_check_answer(
  RECAPTCHA_PRIVATE,
  $_SERVER["REMOTE_ADDR"],
  $_REQUEST["recaptcha_challenge_field"],
  $_REQUEST["recaptcha_response_field"]
 );
 if(!$resp->is_valid){
  login_redirect($GLOBALS['url'],'invalidcaptcha');
 }
}

basics.php是，

session_start();
function __autoload($name) {
 require $name . '.php';
}
function dbInit(){
 if(isset($GLOBALS['db']))return $GLOBALS['db'];
 global $DBVARS;
 $db=new PDO('mysql:host='.$DBVARS['hostname'].';dbname='.$DBVARS['db_name'],$DBVARS['username'],$DBVARS['password']);
 $db->query('SET NAMES utf8');
 $db->num_queries=0;
 $GLOBALS['db']=$db;
 return $db;
}
function dbQuery($query){
 $db=dbInit();
 $q=$db->query($query);
 $db->num_queries++;
 return $q;
}
function dbRow($query) {
 $q = dbQuery($query);
 return $q->fetch(PDO::FETCH_ASSOC);
}
define('SCRIPTBASE', $_SERVER['DOCUMENT_ROOT'] . '/');
require SCRIPTBASE . '.private/config.php';
if(!defined('CONFIG_FILE'))define('CONFIG_FILE',SCRIPTBASE.'.private/config.php');
set_include_path(SCRIPTBASE.'ww.php_classes'.PATH_SEPARATOR.get_include_path());

我不确定如何解决问题。

我的数据库：

CREATE TABLE IF NOT EXISTS `user_accounts` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `email` text,
  `password` char(32) DEFAULT NULL,
  `active` tinyint(4) DEFAULT '0',
  `groups` text,
  `activation_key` varchar(32) DEFAULT NULL,
  `extras` text,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=10 ;

INSERT INTO `user_accounts` (`id`, `email`, `password`, `active`, `groups`, `activation_key`, `extras`) VALUES
(2, 'bla@blabla.com', '6d24dde9d56b9eab99a303a713df2891', 1, '["_superadministrators"]', '5d50e39420127d0bab44a56612f2d89b', NULL),
(3, 'user@blabla.com', 'e83052ab33df32b94da18f6ff2353e94', 1, '[]', NULL, NULL),
(9, 'myemail@gmail.com', '9ca3eee3c43384a575eb746eeae0f279', 1, '["_superadministrators"]', '974bf747124c69f12ae3b36afcaccc68', NULL);

Answer 1

我相信答案是：

表user_accounts：

    `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
    `email` text,
    `password` char(32) DEFAULT NULL,
    `active` tinyint(4) DEFAULT '0',
    `groups` text,
    `activation_key` varchar(32) DEFAULT NULL,
    `extras` text,
    PRIMARY KEY (`id`)

和

'forgotten-password-verification.php'：

    // check that the email/verification code combination matches a row in the user table
    // $password=md5($_REQUEST['email'].'|'.$_REQUEST['password']);
    $r=dbRow('select * from user_accounts where
    email="'.addslashes($_REQUEST['email']).'" and
    verification_code="'.$_REQUEST['verification_code'].'" and active'
    );

其中verification_code不是user_accounts的有效部分。改变它，它应该工作;）

Answer 2

basics.php的第23行可能是：

return $q->fetch(PDO::FETCH_ASSOC);

这意味着$q不是您期望的对象（看起来像PDOStatement）。显然，它是从dbQuery函数返回的，它返回PDO::query的结果。 PDO::query将在成功时返回PDOStatement，或在错误时返回FALSE。

这意味着您的查询是错误的。最有可能是这个：

$r=dbRow('select * from user_accounts where
 email="'.addslashes($_REQUEST['email']).'" and
 verification_code="'.$_REQUEST['verification_code'].'" and active'
);

问题可能是查询结束，看起来不像有效的SQL：

and active

此外，由于您使用的是PDO，因此您应该利用预准备语句，因为您的代码实际上是对SQL注入开放的。 addslashes不是用于转义数据库参数的正确机制，除非您知道自己在做什么，否则不应使用$_REQUEST。您应该直接使用$_GET，$_POST或$_COOKIE。

为确保您的查询安全，请使用预准备语句，并检查返回值：

function dbQuery($query, array $params = array()){
 $db=dbInit();
 $q=$db->prepare($query); // use prepare() instead of query()
 $q->execute($params);    // automatically bind the parameters with execute()
 $db->num_queries++;
 return $q;
}
function dbRow($query, array $params = array()) {
 $q = dbQuery($query, $params);
 if (!$q) {
    // check for errors
    throw new Exception('A database error has occured!');
 }
 return $q->fetch(PDO::FETCH_ASSOC);
}

然后就这样做：

$r=dbRow('select * from user_accounts where email=? and verification_code=?',
   array($_GET['email'], $_GET['verification_code'])
);

Answer 3

password_reminder.php中存在问题。

而不是verificatio_code，它正在使用activation_code。

函数fetch（）在PHP中的非对象上

3 个答案: