-1

只是从 mysql_ 转换为 PDO。当然会出现一些错误。

<?php
ob_start();
session_start();
include("php/connect.php");

if ($_POST['submit']){

    $username = $db -> prepare($_POST['username']);
    $password = $db -> prepare($_POST['password']);

    if($username){

        if($password){

            $password = md5(md5("KmsdufIFNKSnefndbdo19228330293".$password."JSDSHBFJS8S8ds8sd8s8d"));
            $query = $db -> query("SELECT * FROM user WHERE username='$username'");             
            $num_rows = $db -> rowCount($query);

            if ($num_rows == 1){

                $row = $query -> fetch(PDO::FETCH_ASSOC);
                $db_username = $row['username'];
                $db_password = $row['password'];

                if ($password == $db_password){

                    $_SESSION['username'] = $username;

                }else
                    $div = "<div id='error'>Passwordi eshte gabim</div>";

            }else
                $div = "<div id='error'>Emri nuk u gjend</div>";

        }else
            $div = "<div id='error'>Futeni Passwordin</div>";

    }else
        $div= "<div id='error'>Futeni emrin e llogarise</div>";
}
?>
4

3 回答 3

1

pdo::prepare不能替代mysql_real_escape_string。它解析一个 sql 语句(或让底层数据库系统完成这项工作,请参阅PDO::ATTR_EMULATE_PREPARES),寻找在执行语句时被实际参数替换的占位符。 

$stmt = $db->prepare('SELECT * FROM user WHERE username=?');
// $stmt now "is" the identifier for the previously prepared statement
// it can be executed but needs one parameter to fill out the placeholder
$stmt->execute( array($_POST['username']) );
// it could be executed again with another parameter
// $stmt->execute( array('Foo') );
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ( !$row ) {
    // no such user
}
else {
    ....

也可以看看:

于 2013-06-21T07:03:55.090 回答
0

您需要用于 PDO 的格式(基于您要执行的操作)是:

$sql = 'SELECT query here .......';
$stmt = $db->prepare($sql);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);

if ($result) {
.
.
.
}
于 2013-06-21T07:03:20.360 回答
0

看看prepare方法(http://de3.php.net/manual/en/pdo.prepare.php)。你错了。您必须在其中插入您的声明。并且:请使用准备好的语句,而不是直接(未经处理的)变量输入。

我认为,PHP 手册是一个很好的起点。

于 2013-06-21T06:54:33.690 回答