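I used PHP a lot a few years ago and recently decided to refresh my skills. I'm trying to build a forum site, and I've specifically run into problems using the new PDO methods to insert user-collected data back into a table. My code using the old mysql methods (which, as I understand it, were removed as of PHP 5.5) was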
$sql = "INSERT INTO
users(user_name, user_pass, user_email ,user_date, user_level)
VALUES('" . mysql_real_escape_string($_POST['user_name']) . "',
'" . sha1($_POST['user_pass']) . "',
'" . mysql_real_escape_string($_POST['user_email']) . "',
NOW(),
0)";
$result = mysql_query($sql);
if(!$result)
{
//something went wrong, display the error
echo 'Something went wrong while registering. Please try again later.';
//echo mysql_error(); //debugging purposes, uncomment when needed
}
else
{
echo 'Successfully registered. You can now <a href="signin.php">sign in</a> and start posting! :-)';
}
}
}
Looking for the equivalent PDO method, I found this code
<?php
$stmt = $db->prepare("INSERT INTO table(field1,field2,field3,field4,field5) VALUES(:field1,:field2,:field3,:field4,:field5)");
$stmt->execute(array(':field1' => $field1, ':field2' => $field2, ':field3' => $field3, ':field4' => $field4, ':field5' => $field5));
$affected_rows = $stmt->rowCount();
So putting the two together I got this (or at least I think I did)
$stmt = $db->prepare("INSERT INTO users(user_name, user_pass, user_email, user_date, user_level)
VALUES('" . ($_POST['user_name']) . "','" . sha1($_POST['user_pass']) . "','" . ($_POST['user_email']) . "',NOW(),0)");
$stmt->execute(array(':user_name' => $user_name, ':user_pass' => $user_pass, ':user_email' => $user_email, ':user_date' => $user_date, ':user_level' => $user_level));
//$affected_rows = $stmt->rowCount();
if (!$result) {
//something went wrong, display the error
echo 'Something went wrong while registering. Please try again later.';
//echo mysql_error(); //debugging purposes, uncomment when needed
} else {
echo 'Successfully registered. You can now <a href="signin.php">sign in</a> and start posting! :-)';
}
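However, when I run it, I get a series of "undefined variable" errors for every field I'm trying to update.
My hosting provider does allow me to run the old code with a now-unsupported PHP version, but I believe that's insecure and vulnerable to SQL injection, so as part of the (re)learning experience I thought I'd try to get to grips with the new way of doing things.
Any help is greatly appreciated.
Answer 0 (score: 2)
You are trying to apply prepared statements but doing it wrong; this is what you need: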
$user_name = $_POST['user_name'];
$user_pass = password_hash($_POST['user_pass'], PASSWORD_BCRYPT);
$user_email = $_POST['user_email'];
$user_date = time();
$user_level = 0;
$stmt = $db->prepare("INSERT INTO
users(user_name, user_pass, user_email ,user_date, user_level)
VALUES(:user_name, :user_pass, :user_email, :user_date, :user_level)");
// execute() returns false on failure (or throws if PDO is in exception mode)
$result = $stmt->execute(array(':user_name' => $user_name, ':user_pass' => $user_pass, ':user_email' => $user_email, ':user_date' => $user_date, ':user_level' => $user_level));
//$affected_rows = $stmt->rowCount();
if(!$result)
{
//something went wrong, display the error
echo 'Something went wrong while registering. Please try again later.';
//print_r($stmt->errorInfo()); //debugging purposes, uncomment when needed
}
else
{
echo 'Successfully registered. You can now <a href="signin.php">sign in</a> and start posting! :-)';
}
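The execute statement binds each key in the array to the corresponding placeholder in the query. You may also want to do some research on password hashing functions.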
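
The registration insert and the matching sign-in check, as an added example that is not part of the original question or answer. Assumptions: an in-memory SQLite database (pdo_sqlite) stands in for the forum's MySQL server, and `register()` and `checkLogin()` are hypothetical helper names.

```php
<?php
// Added example. Assumptions: in-memory SQLite instead of the forum's MySQL
// server; register() and checkLogin() are hypothetical helpers.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw
$db->exec('CREATE TABLE users (
    user_name  TEXT PRIMARY KEY,
    user_pass  TEXT NOT NULL,
    user_email TEXT NOT NULL,
    user_date  INTEGER NOT NULL,
    user_level INTEGER NOT NULL)');

function register(PDO $db, string $name, string $pass, string $email): bool
{
    // Placeholders only: no request data is concatenated into the SQL text.
    $stmt = $db->prepare('INSERT INTO users
        (user_name, user_pass, user_email, user_date, user_level)
        VALUES (:user_name, :user_pass, :user_email, :user_date, :user_level)');
    try {
        return $stmt->execute([
            ':user_name'  => $name,
            ':user_pass'  => password_hash($pass, PASSWORD_BCRYPT),
            ':user_email' => $email,
            ':user_date'  => time(),
            ':user_level' => 0,
        ]);
    } catch (PDOException $e) {
        error_log($e->getMessage()); // keep the detail in the log, not on the page
        return false;                // for example, user_name already taken
    }
}

function checkLogin(PDO $db, string $name, string $pass): bool
{
    $stmt = $db->prepare('SELECT user_pass FROM users WHERE user_name = :user_name');
    $stmt->execute([':user_name' => $name]);
    $hash = $stmt->fetchColumn();    // false when no such user exists
    return $hash !== false && password_verify($pass, $hash);
}

// Constructed sample input: the apostrophe is stored as plain data.
$name = "O'Brien";
var_dump(register($db, $name, 'correct horse', 'ob@example.test')); // first insert
var_dump(register($db, $name, 'other', 'dup@example.test'));        // duplicate name
var_dump(checkLogin($db, $name, 'correct horse'));                  // right password
var_dump(checkLogin($db, $name, 'wrong'));                          // wrong password
```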