0

它有点难以解释。我已经构建了运行良好的 mysql 函数,并且随着 mysql 的贬值,我需要更改此函数以使用 mysqli 而不是 mysql 方法。我目前有:

$con = mysql_connect("host", "username", "pass");
mysql_select_db("db", $con);
$Username = mysql_real_escape_string($_POST['user']);
$Password = hash_hmac('sha512', $_POST['pass'], '&R4nD0m^');
$Query = mysql_query("SELECT COUNT(*) FROM users WHERE username = '{$Username}' AND password = '{$Password}'") or die(mysql_error());
    $Query_Res = mysql_fetch_array($Query, MYSQL_NUM);
    if($Query_Res[0] === '1')
    {
        //add session
        header('Location: newpage.php');
    }
            else {
                echo 'failed login';
            }

现在我已经将 mysqli 应用于此,它没有返回任何数据或错误,但该函数仍然符合要求。

$log = new mysqli("host", "user", "pass");
$log->select_db("db");
$Username = $log->real_escape_string($_POST['user']);
$Password = hash_hmac('sha512', $_POST['pass'], '&R4nD0m^');
$qu = $log->query("SELECT COUNT(*) FROM users WHERE username = '{$Username}' AND password = '{$Password}'");
    $res = $qu->fetch_array();
    if($res[0] === '1'){
        //add session
        header('Location: newpage.php');
    }
    else {
        $Error = 'Failed login';
        sleep(0.5);
    }
    echo $res['username'].'              hello';
}

但我不确定为什么这是错误的。我知道这可能是一个简单的答案

4

2 回答 2

2

只是将其作为答案:

http://php.net/manual/en/pdo.prepared-statements.php http://php.net/manual/en/pdo.prepare.php

例如

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
于 2012-11-24T19:50:32.040 回答
0

您可以在使用前检查连接是否正在建立real_escape_string()

if ($log->connect_errno) {
echo "Failed to connect to MySQL: (".$log->connect_errno.")".$log->connect_error;
}

afaik,没有问题$log->real_escape_string($_POST['user']);

于 2012-11-24T19:31:03.860 回答