准备好的陈述 + PDO
Prepared Statements + PDO
首先,请注意我不是将其用作真实世界的登录,它纯粹是为了练习。我正在使用 PHP/MySQLi 并尝试执行准备好的语句,但我没有正确执行。这是我的工作代码,只有 mysqli_escape_string:
$host="localhost";
$username="login";
$password="password";
$db_name="database";
$link=mysqli_connect("$host", "$username", "$password", "$db_name")or die("cannot connect to server");
$tbl_name=temp_members;
// Random confirmation code to be sent in email
$confirm_code=md5(uniqid(rand()));
//from signup.php
$name=$_POST['name'];
$email=$_POST['email'];
$pwd=$_POST['password'];
$name = mysqli_real_escape_string($link, $name);
$email = mysqli_real_escape_string($link, $email);
$pwd = mysqli_real_escape_string($link, $pwd);
$pwd = password_hash($pwd, PASSWORD_DEFAULT);
// Insert data into temp_members
$sql="INSERT INTO $tbl_name(confirm_code, name, email, password)VALUES('$confirm_code', '$name', '$email', '$pwd')";
$result=mysqli_query($link, $sql);
if($result){
//email
$to=$email;
$subject="(no reply)";
$header="from: Ben Pappas <mrbenpappas@gmail.com>";
// message
$message="Hello ".$name.", Thanks for signing up! \r\n";
$message.="Click on this link to activate your account: \r\n";
$message.="http://www.monger.us/verify/confirmation.php? passkey=$confirm_code";
// send email
$sentmail = mail($to,$subject,$message,$header);
}
这是我对 PDO/准备好的语句的(糟糕的)尝试:
$host="localhost";
$username="login";
$password="password";
$db_name="database";
$link = new PDO("mysql:host=$host;dbname=$db_name",$username,$password) or die("cannot connect to server");
$tbl_name=temp_members;
// Random confirmation code to be sent in email
$confirm_code=md5(uniqid(rand()));
//from signup.php
$name=$_POST['name'];
$email=$_POST['email'];
$pwd=$_POST['password'];
$name = mysqli_real_escape_string($link, $name);
$email = mysqli_real_escape_string($link, $email);
$pwd = mysqli_real_escape_string($link, $pwd);
$pwd = password_hash($pwd, PASSWORD_DEFAULT);
// Insert data into temp_members
$statement = $link->prepare("INSERT INTO $tbl_name(confirm_code, name, email, password)VALUES('$confirm_code', '$name', '$email', '$pwd')";
$statement->execute(array(
$confirm_code => 'confirm_code',
$email => 'email',
$name => 'name'
));
$result = ($link, $statement);
if($result){
//email
$to=$email;
$subject="(no reply)";
$header="from: Ben Pappas <mrbenpappas@gmail.com>";
// message
$message="Hello ".$name.", Thanks for signing up! \r\n";
$message.="Click on this link to activate your account: \r\n";
$message.="http://www.monger.us/verify/confirmation.php? passkey=$confirm_code";
// send email
$sentmail = mail($to,$subject,$message,$header);
}
我在正在调用语句变量的行上收到一条错误消息,消息说意外的“;”
请原谅任何明显的错误我是学徒
$value = $_POST['value'];
$stmt = $mysqli->prepare("INSERT INTO XYZ (field) VALUES (?)");
$stmt->bind_param('s', $value);
$stmt->execute();
语句应如下所示。
"s" 代表字符串,"i" 代表 int
您是 missing
$语句行上的 close
方括号:
try this
$statement = $link->prepare("INSERT INTO $tbl_name(confirm_code, name, email, password)VALUES(:confirm_code, :name, :email, :pwd)");
$statement->execute(array(
':confirm_code' => $confirm_code,
':email' => $email,
':name' => $name,
':pwd' => $pwd
));
$statement = $link->prepare("INSERT INTO $tbl_name(confirm_code, name,
email, password)VALUES('$confirm_code', '$name', '$email', '$pwd')";
应改为:
$statement = $link->prepare("INSERT INTO $tbl_name(confirm_code, name,
email, password)VALUES(:confirm_code, :name, :email, :pwd)");
$statement->execute(array(
':confirm_code' => $confirm_code,
':email' => $email,
':name' => $name,
':pwd' => $pwd
));
也不需要 mysqli_real_escape_string
代码:绑定负责为您转义数据。
首先,请注意我不是将其用作真实世界的登录,它纯粹是为了练习。我正在使用 PHP/MySQLi 并尝试执行准备好的语句,但我没有正确执行。这是我的工作代码,只有 mysqli_escape_string:
$host="localhost";
$username="login";
$password="password";
$db_name="database";
$link=mysqli_connect("$host", "$username", "$password", "$db_name")or die("cannot connect to server");
$tbl_name=temp_members;
// Random confirmation code to be sent in email
$confirm_code=md5(uniqid(rand()));
//from signup.php
$name=$_POST['name'];
$email=$_POST['email'];
$pwd=$_POST['password'];
$name = mysqli_real_escape_string($link, $name);
$email = mysqli_real_escape_string($link, $email);
$pwd = mysqli_real_escape_string($link, $pwd);
$pwd = password_hash($pwd, PASSWORD_DEFAULT);
// Insert data into temp_members
$sql="INSERT INTO $tbl_name(confirm_code, name, email, password)VALUES('$confirm_code', '$name', '$email', '$pwd')";
$result=mysqli_query($link, $sql);
if($result){
//email
$to=$email;
$subject="(no reply)";
$header="from: Ben Pappas <mrbenpappas@gmail.com>";
// message
$message="Hello ".$name.", Thanks for signing up! \r\n";
$message.="Click on this link to activate your account: \r\n";
$message.="http://www.monger.us/verify/confirmation.php? passkey=$confirm_code";
// send email
$sentmail = mail($to,$subject,$message,$header);
}
这是我对 PDO/准备好的语句的(糟糕的)尝试:
$host="localhost";
$username="login";
$password="password";
$db_name="database";
$link = new PDO("mysql:host=$host;dbname=$db_name",$username,$password) or die("cannot connect to server");
$tbl_name=temp_members;
// Random confirmation code to be sent in email
$confirm_code=md5(uniqid(rand()));
//from signup.php
$name=$_POST['name'];
$email=$_POST['email'];
$pwd=$_POST['password'];
$name = mysqli_real_escape_string($link, $name);
$email = mysqli_real_escape_string($link, $email);
$pwd = mysqli_real_escape_string($link, $pwd);
$pwd = password_hash($pwd, PASSWORD_DEFAULT);
// Insert data into temp_members
$statement = $link->prepare("INSERT INTO $tbl_name(confirm_code, name, email, password)VALUES('$confirm_code', '$name', '$email', '$pwd')";
$statement->execute(array(
$confirm_code => 'confirm_code',
$email => 'email',
$name => 'name'
));
$result = ($link, $statement);
if($result){
//email
$to=$email;
$subject="(no reply)";
$header="from: Ben Pappas <mrbenpappas@gmail.com>";
// message
$message="Hello ".$name.", Thanks for signing up! \r\n";
$message.="Click on this link to activate your account: \r\n";
$message.="http://www.monger.us/verify/confirmation.php? passkey=$confirm_code";
// send email
$sentmail = mail($to,$subject,$message,$header);
}
我在正在调用语句变量的行上收到一条错误消息,消息说意外的“;”
请原谅任何明显的错误我是学徒
$value = $_POST['value'];
$stmt = $mysqli->prepare("INSERT INTO XYZ (field) VALUES (?)");
$stmt->bind_param('s', $value);
$stmt->execute();
语句应如下所示。
"s" 代表字符串,"i" 代表 int
您是 missing
$语句行上的 close
方括号:
try this
$statement = $link->prepare("INSERT INTO $tbl_name(confirm_code, name, email, password)VALUES(:confirm_code, :name, :email, :pwd)");
$statement->execute(array(
':confirm_code' => $confirm_code,
':email' => $email,
':name' => $name,
':pwd' => $pwd
));
$statement = $link->prepare("INSERT INTO $tbl_name(confirm_code, name,
email, password)VALUES('$confirm_code', '$name', '$email', '$pwd')";
应改为:
$statement = $link->prepare("INSERT INTO $tbl_name(confirm_code, name,
email, password)VALUES(:confirm_code, :name, :email, :pwd)");
$statement->execute(array(
':confirm_code' => $confirm_code,
':email' => $email,
':name' => $name,
':pwd' => $pwd
));
也不需要 mysqli_real_escape_string
代码:绑定负责为您转义数据。