-2

我是 MySQL 和 PHP 的新手。我一直在做一个类似于某种博客的项目。但我听说旧的 MySQL 容易受到攻击或容易被黑客入侵。所以有人建议我使用 PDO。但我很困惑如何将此代码转换为 PDO。请帮我。

<?php

//Start session
session_start();

//Include database connection details
require_once('scripts/dblog.php');

//Array to store validation errors
$errmsg_arr = array();

//Validation error flag
$errflag = false;

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
   $str = @trim($str);
   if(get_magic_quotes_gpc()) {
      $str = stripslashes($str);
   }
   return mysql_real_escape_string($str);
}

//Sanitize the POST values
$username = clean($_POST['username']);
$password = clean($_POST['password']);

//Input Validations
if($username == '') {
   $errmsg_arr[] = 'Username missing';
   $errflag = true;
}

if($password == '') {
   $errmsg_arr[] = 'Password missing';
   $errflag = true;
}

//If there are input validations, redirect back to the login form
if($errflag) {
   $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
   session_write_close();
   header("location: login.php");
   exit();
}

//Create query
$qry="SELECT * FROM member WHERE BINARY username='$username' AND BINARY password='$password'";
$result=mysql_query($qry);

//Check whether the query was successful or not
if($result) {
   if(mysql_num_rows($result) > 0) {
      //Login Successful
      session_regenerate_id();
      $member = mysql_fetch_assoc($result);
      $_SESSION['SESS_MEMBER_ID'] = $member['mem_id'];
      $_SESSION['SESS_FIRST_NAME'] = $member['username'];
      $_SESSION['SESS_LAST_NAME'] = $member['password'];

      session_write_close();
      header("location: post.php");
      exit();
   } else {
      //Login failed
      $errmsg_arr[] = '<div class="alert alert-error">user name and password not found</div>';
      $errflag = true;
      if($errflag) {
         $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
         session_write_close();
         header("location: login.php");
         exit();
      }
   }
} else {
   die("Query failed");
}
?>
4

4 回答 4

1

没有人可能会简单地为您编写所有代码,但是我会给您一个非常好的工具来帮助您自己完成:http ://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers ,这样您甚至可以学习PDO背后的理论和准备好的陈述:)

于 2013-04-30T14:09:07.387 回答
1

虽然这个问题过于本地化并且已经被问过很多次- 只是为了向您展示更好的实践

所以,给你

session_start();
require_once('scripts/dblog.php');

$sql = "SELECT * FROM member WHERE username=? AND password=?";
$stm = $pdo->prepare($sql);
$stm->execute($_POST);
$row = $stm->fetch();

if($row) {
    session_regenerate_id();
    $_SESSION['user'] = $row;
    $loc ='post.php';
} else {
    $_SESSION['ERRMSG_ARR'] = 'user name and password not found';
    $loc ='login.php';
}
session_write_close();
header("location: $loc");
于 2013-04-30T14:27:05.757 回答
0

希望对你有帮助

<?php
try {
    $dbh=new PDO('mysql:host=localhost;dbname=mysql','user','pass');

    $qry="SELECT * FROM member WHERE BINARY username='$username' AND BINARY password='$password'";
    //$result=mysql_query($qry);
    $result=$dbh->query($qry);
}catch (PDOException $e){
    print "PDO ERROR :".$e->getMessage()."<br/>";
    die();
}






//Check whether the query was successful or not
if($result) {
    if($result->rowCount() > 0) {
        //Login Successful
        session_regenerate_id();
        $member = $result->fetchAll(PDO::FETCH_ASSOC);
        $_SESSION['SESS_MEMBER_ID'] = $member['mem_id'];
        $_SESSION['SESS_FIRST_NAME'] = $member['username'];
        $_SESSION['SESS_LAST_NAME'] = $member['password'];
        session_write_close();
        header("location: post.php");
        exit();
    }else {
        //Login failed
        $errmsg_arr[] = '<div class="alert alert-error">user name and password not found</div>';
        $errflag = true;
        if($errflag) {
            $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
            session_write_close();
            header("location: login.php");
            exit();
        }
    }
}else {
    die("Query failed");
}
$dbh=null; //close pdo
?>
于 2013-04-30T14:19:30.703 回答
0

您需要创建一个包含数据源名称的 PDO 对象,该名称是这样的字符串:

$dsn = "mysql:dbname=DATABASENAME;host=localhost;";

你像这样创建 PDO 对象,这基本上是 mysql_connect() 的等价物:

$database = new PDO($dsn, "Username", "Password");

要执行查询,请使用:(相当于 mysql_query())

$query = $database->query("SELECT * FROM table where name = ?", ['Test']);

获取结果使用(等效于 mysql_fetch_array())$query->fetchAll(PDO::FETCH_OBJ);

于 2013-04-30T14:14:13.010 回答