我正在尝试通过参数化查询实现mysql登录,但下面不能正常工作的代码片段。
<?php
echo "hello";
$email=$_POST["username"];
$pass=$_POST["password"];
$servername = "127.0.0.1";
$username = "root";
$password = "toor";
$db="SQLINJECTION";
$conn = mysqli_connect($servername, $username, $password, $db);
if (!$conn){
die("connection failure".mysqli_connect_error());
}
echo "success";
$stmt = mysqli_prepare($conn,"SELECT * FROM users WHERE username = ? AND password = ?");
mysqli_stmt_bind_param($stmt, "s", $email);
mysqli_stmt_bind_param($stmt, "s", $pass);
mysqli_stmt_execute($stmt);
$row=mysqli_stmt_fetch($stmt);
if($row){
echo "found";
}
else{
echo "not found";
}
mysqli_close($conn);
?>
答案 0 :(得分:-1)
您应该只有1个绑定语句,它将所有要绑定的值组合在一起......
mysqli_stmt_bind_param($stmt, "s", $email);
mysqli_stmt_bind_param($stmt, "s", $pass);
应该是
mysqli_stmt_bind_param($stmt, "ss", $email, $pass);
答案 1 :(得分:-1)
试试这个
$stmt = mysqli_prepare($conn,"SELECT * FROM users WHERE username = ? AND password = ?");
mysqli_stmt_bind_param($stmt, "ss", $email,$pass);
mysqli_stmt_execute($stmt);
$row=mysqli_stmt_fetch($stmt);