运行 创建用于登录的 Prepared 语句时出错 PHP
Ran into an error when creating a Prepared statement to login PHP
我将 运行 保留在 PHP 根据我设置的条件之一显示 "We're sorry we can't log you in." 的错误中,即使登录是正确的,因此我的准备系统避免 SQL 注入失败。
所以我的代码是这样的:
global $connected;
$post = filter_var_array($_POST, FILTER_SANITIZE_STRING);
$pwwd = $post['password'];
$usrn = $post['username'];
$usrn = mysqli_real_escape_string($connected, $usrn);
$pwwd = mysqli_real_escape_string($connected, $pwwd);
if (strlen($usrn) != 0 && strlen($pwwd) != 0 && !empty($post)) {
$usrn = stripslashes($usrn);
$pwwd = stripslashes($pwwd);
$hashFormat = 'ysomenumber$';
$salt = 'somehashobviously';
$hashF_and_salt = $hashFormat.$salt;
$pwwd = crypt($pwwd, $hashF_and_salt);
if (!mysqli_connect_errno()) {
mysqli_select_db($connected, 'someDbname') or die('Database select error');
} else {
die('Failed to connect to PHPMyAdmin').mysqli_connect_error();
}
$query = "SELECT Username, Password FROM users WHERE Username=? AND Password=?";
$stmt = mysqli_stmt_init($connected);
if (mysqli_stmt_prepare($stmt, $query)) {
//Some error in here somewhere
mysqli_stmt_bind_param($stmt, "ss", $usrn, $pwwd);
mysqli_stmt_execute($stmt);
mysqli_stmt_fetch($stmt);
mysqli_stmt_bind_result($stmt, $check_usrn, $check_pwd);
if (strcasecmp($usrn, $check_usrn) == 0) {
if ($pwwd == $check_pwd) {
echo '<h1 class="text-center">Matches</h1>';
print_r($row);
}
} else {
echo "<h1 class=text-center>We're sorry we can't log you in.</h1>";
}
}
} else { //This is for strlen boolean cond
echo "<h1 class='text-center'>Both fields must not be empty. </h1>";
}
我曾经使用没有准备好的语句的登录页面,但我意识到我需要这样做以获得更好的安全性。我的数据库工作正常,所以问题出在我添加评论“//这里某处有错误”的地方。
我是一个相对较新的 PHP 程序员,还是一年级的学生,在假期尝试大胆的新事物!将光明正大的看完所有的帮助我得到,谢谢!
首先我没有看到你连接数据库的连接代码是这样的。
$connected = msqli_connect(host,user,password,db_name) ;
而不是您不需要调用 mysqli_select_db()
函数。
其次,您正在检查来自 mysqli_connect_errno()
函数的连接,如果最后一个 mysqli_connect()
函数没有错误代码值,则 return 0 作为整数(不是布尔值)。
三是不需要Initializes prepare statement。
第四个是mysqli_stmt_bind_reslut()
在mysqli_stmt_fetch()
之前。请参阅 manual
中的注释点
使用hash_equals()
函数来匹配密码而不是===
。请参阅 crypt
中的警告部分
$connected = msqli_connect(host,user,password,db_name) ;
if(!$connected)
{
die('Connect Error (' . mysqli_connect_errno() . ') '. mysqli_connect_error());
}
echo "Your connection is successful . "
if($stmt = mysqli_prepare($connected,$query))
{
mysqli_stmt_bind_param($stmt, "ss", $usrn, $pwwd);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $check_usrn, $check_pwd);
mysqli_stmt_fetch($stmt);
/* Now do Your Work */
} else
{
/* still prepare statement doesn't work */
} `
我将 运行 保留在 PHP 根据我设置的条件之一显示 "We're sorry we can't log you in." 的错误中,即使登录是正确的,因此我的准备系统避免 SQL 注入失败。
所以我的代码是这样的:
global $connected;
$post = filter_var_array($_POST, FILTER_SANITIZE_STRING);
$pwwd = $post['password'];
$usrn = $post['username'];
$usrn = mysqli_real_escape_string($connected, $usrn);
$pwwd = mysqli_real_escape_string($connected, $pwwd);
if (strlen($usrn) != 0 && strlen($pwwd) != 0 && !empty($post)) {
$usrn = stripslashes($usrn);
$pwwd = stripslashes($pwwd);
$hashFormat = 'ysomenumber$';
$salt = 'somehashobviously';
$hashF_and_salt = $hashFormat.$salt;
$pwwd = crypt($pwwd, $hashF_and_salt);
if (!mysqli_connect_errno()) {
mysqli_select_db($connected, 'someDbname') or die('Database select error');
} else {
die('Failed to connect to PHPMyAdmin').mysqli_connect_error();
}
$query = "SELECT Username, Password FROM users WHERE Username=? AND Password=?";
$stmt = mysqli_stmt_init($connected);
if (mysqli_stmt_prepare($stmt, $query)) {
//Some error in here somewhere
mysqli_stmt_bind_param($stmt, "ss", $usrn, $pwwd);
mysqli_stmt_execute($stmt);
mysqli_stmt_fetch($stmt);
mysqli_stmt_bind_result($stmt, $check_usrn, $check_pwd);
if (strcasecmp($usrn, $check_usrn) == 0) {
if ($pwwd == $check_pwd) {
echo '<h1 class="text-center">Matches</h1>';
print_r($row);
}
} else {
echo "<h1 class=text-center>We're sorry we can't log you in.</h1>";
}
}
} else { //This is for strlen boolean cond
echo "<h1 class='text-center'>Both fields must not be empty. </h1>";
}
我曾经使用没有准备好的语句的登录页面,但我意识到我需要这样做以获得更好的安全性。我的数据库工作正常,所以问题出在我添加评论“//这里某处有错误”的地方。
我是一个相对较新的 PHP 程序员,还是一年级的学生,在假期尝试大胆的新事物!将光明正大的看完所有的帮助我得到,谢谢!
首先我没有看到你连接数据库的连接代码是这样的。
$connected = msqli_connect(host,user,password,db_name) ;
而不是您不需要调用 mysqli_select_db()
函数。
其次,您正在检查来自 mysqli_connect_errno()
函数的连接,如果最后一个 mysqli_connect()
函数没有错误代码值,则 return 0 作为整数(不是布尔值)。
三是不需要Initializes prepare statement。
第四个是mysqli_stmt_bind_reslut()
在mysqli_stmt_fetch()
之前。请参阅 manual
使用hash_equals()
函数来匹配密码而不是===
。请参阅 crypt
$connected = msqli_connect(host,user,password,db_name) ;
if(!$connected)
{
die('Connect Error (' . mysqli_connect_errno() . ') '. mysqli_connect_error());
}
echo "Your connection is successful . "
if($stmt = mysqli_prepare($connected,$query))
{
mysqli_stmt_bind_param($stmt, "ss", $usrn, $pwwd);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $check_usrn, $check_pwd);
mysqli_stmt_fetch($stmt);
/* Now do Your Work */
} else
{
/* still prepare statement doesn't work */
} `