I have some PDO:
    if (empty($this->user->username) || empty($this->user->password))
        throw new Exception("Error Processing Request", 1);

    include('dbconnect.php'); // Normally I'd store the db connect script outside of webroot
    $pdo = new PDO("mysql:host=$db_host;dbname=$db_name;", $db_user, $db_password);

    $stmt = $pdo->prepare('SELECT userFName FROM Users WHERE username = ? AND password = ? AND roleID = 1');
    $stmt->bindParam(1, $this->user->username);
    $stmt->bindParam(2, $this->user->password);
    $stmt->bindColumn(1, $userFName, PDO::PARAM_STR);

    try {
        $stmt->execute();
    }
    catch (PDOException $e) {
        echo 'Invalid username or password: ' . $e->getMessage();
    }

    $stmt->fetch(PDO::FETCH_BOUND);
    $this->user->firstName = $userFName;
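If the posted username and/or password is wrong, the login still happens. I think something is wrong with the PDO; am I missing some key piece of information when trying to check $this->user->password against the record in the database?
(By the way, I am using encryption)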
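
An added example, not part of the original post: the posted code never checks what `fetch()` returns, and a query that matches no row does not throw, so the `catch` block is not reached on bad credentials. The sketch below checks the `fetch()` result and verifies the password with `password_verify()`; the in-memory SQLite table, the `findAdminFirstName()` helper and the assumption that the `password` column stores `password_hash()` output are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns the user's first name on success, or null
// when the credentials do not match an account with roleID = 1.
function findAdminFirstName(PDO $pdo, string $username, string $password): ?string
{
    // Look the row up by username only; the password is verified in PHP.
    $stmt = $pdo->prepare(
        'SELECT userFName, password FROM Users WHERE username = ? AND roleID = 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // A query that matches no row is not an error: execute() succeeds and
    // fetch() returns false. That result has to be checked explicitly.
    if ($row === false) {
        return null;
    }

    // Assumption: the password column holds password_hash() output.
    if (!password_verify($password, $row['password'])) {
        return null;
    }

    return $row['userFName'];
}

// Constructed sample data in an in-memory SQLite database (requires pdo_sqlite),
// standing in for the MySQL Users table from the post.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Users (username TEXT, password TEXT, userFName TEXT, roleID INTEGER)');

$ins = $pdo->prepare('INSERT INTO Users VALUES (?, ?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'Alice', 1]);
$ins->execute(['bob', password_hash('hunter2', PASSWORD_DEFAULT), 'Bob', 2]);

var_dump(findAdminFirstName($pdo, 'alice', 'correct horse')); // valid roleID 1 account
var_dump(findAdminFirstName($pdo, 'alice', 'wrong'));         // wrong password
var_dump(findAdminFirstName($pdo, 'nobody', 'x'));            // unknown username
var_dump(findAdminFirstName($pdo, 'bob', 'hunter2'));         // right password, roleID 2
```

The caller should treat a `null` return as a failed login and only populate the user object when a string comes back.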