-2

我正在从 MySQL 切换到 PDO,我不确定这个查询是否正确.. 我仍然需要编写 if 命令。

public function User_Login($_iUsername,$_iPassword) {
    $username=mysql_real_escape_string($_iUsername);
    $password=mysql_real_escape_string($password);
    $md5_password=md5($_iPassword);
    $query=mysql_query("SELECT _iD FROM users WHERE _iUsername='$_iUsername' and _iPassword='$md5_password' AND _iStatus='1'");
    if( mysql_num_rows( $query ) == 1 ) {
        $row = mysql_fetch_array( $query );
        return $row['_iD'];
    } else {
        return false;
    }
}


public function User_Login($_iUsername,$_iPassword) {
    $md5_password = md5($_iPassword);
    $sth = $db->prepare("SELECT _iD FROM users WHERE _iUsername='$_iUsername' and _iPassword='$md5_password' AND _iStatus='1'");
    $sth->execute();

    $result = $sth->fetchAll();
}
4

1 回答 1

3

首先,您没有正确参数化查询。使用 PDO 很棒,但更改的主要目的之一是能够参数化查询。其次,md5是一个非常弱的哈希。我建议改用 bcrypt。最后,PDOStatement::rowCount是您正在寻找的方法。

$sth = $db->prepare("SELECT _ID FROM users WHERE _iUsername = ?
    AND _iPassword = ? AND _iStatus = 1");
$sth->execute(array($_iUsername, $md5_password));
if ($sth->rowCount() == 1) {
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    return $row['_iD'];
}
else {
    return false;
}
于 2013-05-22T18:54:17.503 回答