通过参数化查询登录无效

时间:2018-06-07 07:18:07

标签: php mysqli

我正在尝试通过参数化查询实现mysql登录,但下面不能正常工作的代码片段。

<?php
echo "hello";
$email=$_POST["username"];
$pass=$_POST["password"];
$servername = "127.0.0.1";
$username = "root";
$password = "toor";
$db="SQLINJECTION";
$conn = mysqli_connect($servername, $username, $password, $db);

if (!$conn){
    die("connection failure".mysqli_connect_error());
}
echo "success";

$stmt = mysqli_prepare($conn,"SELECT * FROM users WHERE username = ? AND password = ?");
mysqli_stmt_bind_param($stmt, "s", $email);
mysqli_stmt_bind_param($stmt, "s", $pass);
mysqli_stmt_execute($stmt);
$row=mysqli_stmt_fetch($stmt);
if($row){
    echo "found";
}
else{
echo "not found";
}
mysqli_close($conn);

?>

2 个答案:

答案 0 :(得分:-1)

您应该只有1个绑定语句,它将所有要绑定的值组合在一起...... 

mysqli_stmt_bind_param($stmt, "s", $email);
mysqli_stmt_bind_param($stmt, "s", $pass);

应该是

mysqli_stmt_bind_param($stmt, "ss", $email, $pass);

答案 1 :(得分:-1)

试试这个

$stmt = mysqli_prepare($conn,"SELECT * FROM users WHERE username = ? AND password = ?");
mysqli_stmt_bind_param($stmt, "ss", $email,$pass);
mysqli_stmt_execute($stmt);
$row=mysqli_stmt_fetch($stmt);
相关问题
最新问题