在 sql 查询中使用 SESSION 变量时尝试获取非对象的 属性
Trying to get property of non-object when using a SESSION variable in sql query
所以我目前正在编写一个系统,当他们登录时,他们会得到一个专门的排名面板。
默认情况下,他们称为用户,而管理员则称为管理员。
当我尝试验证他们是管理员时。
error_reporting(E_ALL); // i've been trying to find the bugs with this
require_once('db.php'); //using the good ol $conn = new mysqli
session_start();
if(!isset($_SESSION['username']) || empty($_SESSION['username'])){
header("location: login.php");
exit;
//to detect if they are logged in or not
}
//here is a failed attempt where I tried to "escape" the $_SESSION variable
// which still doesn't work
$username = $conn->real_escape_string($_SESSION['username']);
// I've tried this query with the $_SESSION variable escaped, with it's alias
// etc.
$query1 = "SELECT * FROM `users` WHERE `rank` = Admin AND
`username`='".$username."'";
// preparing to execute
$result = $conn->query($query1);
// this is where I detect if there is a row, set it to use Admin things
// which I will code later, for now just var holders.
if ($result->num_rows > 0) {
$rank = 'Admin';
} else {
$rank = 'User';
}
我到处都看过 属性 的非对象,但我只找到了 2008 年的旧帖子,我曾尝试实现这些帖子,但最终无法正常工作。
使用 XAMPP (apache) 与 PHP 7
您需要更正您的SQL
"SELECT * FROM `users` WHERE `rank` = Admin AND `username`='".$username."'"
到
"SELECT * FROM `users` WHERE `rank` = 'Admin' AND `username`='".$username."'"
注意: Admin
之间的单引号
我建议,使用下面的 SQL 代替,并将排名值直接存储到 SESSION。
"SELECT rank FROM `users` WHERE `username`='".$username."'"
由于您正在使用 mysqli,请考虑使用 准备好的语句。通过将变量值连接到查询字符串中,您很容易 SQL 注入!.
更多关于预处理语句的信息:php.net/prepared-statements.
您在查询中还遗漏了一些 ' ',虽然在使用准备好的语句时您不需要在输入变量上添加任何撇号,但必须包括常量字符串周围的撇号(它们丢失了在你的例子中 rank='Admin').
这是更正后的代码:
注意: 我将 session_start() 移到了文档的顶部以确保其正常工作,因为如果在调用该函数之前发生任何输出,它将无法工作.
session_start();
error_reporting(E_ALL);
require_once('db.php'); //using the good ol $conn = new mysqli
if(empty($_SESSION['username']))
{
header("location: login.php");
exit();
}
$query1 = $conn->prepare("SELECT * FROM users WHERE rank='Admin' AND username=?");
$query1->bind_param("s", $_SESSION['username']);
$query1->execute();
$query1->store_result();
$result = $query1->num_rows;
if ($result > 0)
{
$rank = 'Admin';
}
else
{
$rank = 'User';
}
所以我目前正在编写一个系统,当他们登录时,他们会得到一个专门的排名面板。
默认情况下,他们称为用户,而管理员则称为管理员。
当我尝试验证他们是管理员时。
error_reporting(E_ALL); // i've been trying to find the bugs with this
require_once('db.php'); //using the good ol $conn = new mysqli
session_start();
if(!isset($_SESSION['username']) || empty($_SESSION['username'])){
header("location: login.php");
exit;
//to detect if they are logged in or not
}
//here is a failed attempt where I tried to "escape" the $_SESSION variable
// which still doesn't work
$username = $conn->real_escape_string($_SESSION['username']);
// I've tried this query with the $_SESSION variable escaped, with it's alias
// etc.
$query1 = "SELECT * FROM `users` WHERE `rank` = Admin AND
`username`='".$username."'";
// preparing to execute
$result = $conn->query($query1);
// this is where I detect if there is a row, set it to use Admin things
// which I will code later, for now just var holders.
if ($result->num_rows > 0) {
$rank = 'Admin';
} else {
$rank = 'User';
}
我到处都看过 属性 的非对象,但我只找到了 2008 年的旧帖子,我曾尝试实现这些帖子,但最终无法正常工作。
使用 XAMPP (apache) 与 PHP 7
您需要更正您的SQL
"SELECT * FROM `users` WHERE `rank` = Admin AND `username`='".$username."'"
到
"SELECT * FROM `users` WHERE `rank` = 'Admin' AND `username`='".$username."'"
注意: Admin
我建议,使用下面的 SQL 代替,并将排名值直接存储到 SESSION。
"SELECT rank FROM `users` WHERE `username`='".$username."'"
由于您正在使用 mysqli,请考虑使用 准备好的语句。通过将变量值连接到查询字符串中,您很容易 SQL 注入!.
更多关于预处理语句的信息:php.net/prepared-statements.
您在查询中还遗漏了一些 ' ',虽然在使用准备好的语句时您不需要在输入变量上添加任何撇号,但必须包括常量字符串周围的撇号(它们丢失了在你的例子中 rank='Admin').
这是更正后的代码:
注意: 我将 session_start() 移到了文档的顶部以确保其正常工作,因为如果在调用该函数之前发生任何输出,它将无法工作.
session_start();
error_reporting(E_ALL);
require_once('db.php'); //using the good ol $conn = new mysqli
if(empty($_SESSION['username']))
{
header("location: login.php");
exit();
}
$query1 = $conn->prepare("SELECT * FROM users WHERE rank='Admin' AND username=?");
$query1->bind_param("s", $_SESSION['username']);
$query1->execute();
$query1->store_result();
$result = $query1->num_rows;
if ($result > 0)
{
$rank = 'Admin';
}
else
{
$rank = 'User';
}