1

当我在 phpMyAdmin 中执行此操作时,我有一个结果:

SELECT password, block FROM jml_users WHERE username = "user01"

但是在我的 PHP 代码中,脚本找不到我的用户。我做错了$stmt->bind_param("s", $unsafe_user);什么吗?

我也试过$stmt->bind_param("s", "user01");没有运气。

<?
include("dbinfo.php");
$unsafe_user = "user01";
$mysqli = new mysqli($loginURL, $dbusername, $dbpassword, $database);

LoginCheck();

// Kill connection 
$thread_id = $mysqli->thread_id;    // determine our thread id 
$mysqli->kill($thread_id);
$mysqli->close();

function LoginCheck()
{
    global $mysqli, $unsafe_user;   

    //Perpare Statement.    
    //if($stmt = $mysqli->prepare("SELECT password, block FROM jml_users WHERE (username) VALUES (?)")) // this returns false for some reason
    if($stmt = $mysqli->prepare("SELECT password, block FROM jml_users WHERE username = ?")) //works, still safe form sql injection?
    {
        $stmt->bind_param("s", $unsafe_user);
        $stmt->execute();

        $stmt->bind_result($dbpw, $bdblock);

        if($stmt->num_rows == 0)
        {
            echo "could not find user";
        }
        // Found user
        else
        {
            echo "found user";
        }

        $stmt->close();
    }
    else
    {
        echo "Statement creation did not succeed";
    }
}
?>
4

1 回答 1

1

您注释掉的第一个查询是无效的 MYSQL 语法。这种类型的语法用于插入。

$stmt->store_result();除非您使用after ,否则 num_rows 也不会与准备好的语句一起使用$stmt->execute();

在文档中检查这个答案。

于 2013-11-25T13:32:11.193 回答