如何将这部分代码更改为PHP预处理语句?

问题描述 投票:0回答:2

声明

login_check.php,它工作,但我想将其改为准备好的声明。

的login.php

<body>
      <div class="container">
          <h1>Please Log In to the System</h1>
            <form method="post" action="login_check.php">
                  <input type="text" name="username" placeholder="Username" required>
                  <input type="password" name="password" placeholder="Password" autocomplete="off" required> 
                  <button type="submit" name="login" value="Log In">Log In</button>
            </form>
    </div>
</body>

login_check.php

<body>
<?php
    //Establish connection
    include 'connection.php';
//-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    $sql = "SELECT * FROM admins WHERE admin_username = '".mysqli_real_escape_string($conn, $_POST['username'])."' and admin_password = '".mysqli_real_escape_string($conn, $_POST['password'])."'";
    $query = mysqli_query($conn, $sql);
    $result = mysqli_fetch_array($query);
//-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    if(!$result) //Username or Password is invalid!
    {
        ?>
        <div class="container">
            <h1>Username or Password is invalid!</h1>
           <form method="post" action="login.php">
            <button type="submit">Back</button>
           </form>
        </div>
        <?php
    }
    else //Username and Password are valid!
    {
        $_SESSION["admin_id"] = $result["admin_id"];
        $_SESSION["admin_username"] = $result["admin_username"];
        session_write_close();
        header("location:front.php");
    }
    $conn->close();
?>
</body>
php mysql
2个回答
3
投票

要更改为准备好的语句,您只需要

  1. 使用?替换查询中的变量
  2. 准备查询
  3. 将变量绑定到参数
  4. 执行声明

对于您的代码,如下所示:

$sql = "SELECT * FROM admins WHERE admin_username = ? and admin_password = ?";
$stmt = $conn->prepare($sql) or die($conn->error);
$stmt->bind_value("ss", $_POST['username'], $_POST['password']);
$stmt->execute() or die($stmt->error);
$result = $stmt->get_result();

请注意,您不应该在数据库中以纯文本格式存储密码。请查看PHPs password_hashpassword_verify函数以正确处理您的密码。将密码存储在数据库中时,您将使用password_hash,然后验证用户的代码如下所示:

$sql = "SELECT * FROM admins WHERE admin_username = ?";
$stmt = $conn->prepare($sql) or die($conn->error);
$stmt->bind_value("s", $_POST['username']);
$stmt->execute() or die($stmt->error);
$result = $stmt->get_result() or die($stmt->error);
$row = $result->fetch_array();
if (!$row|| !password_verify($_POST['password'], $row['admin_password']) {
    // invalid username or password

0
投票

login_check.php

<?php

    //Establish connection
    include 'connection.php';

    $sql = "SELECT * FROM admins WHERE admin_username = ?";
    $stmt = $conn->prepare($sql);
    $stmt->bind_param("s",$_POST['username']);
    $stmt->execute();
    $result = $stmt->get_result();

    while ($row = $result->fetch_array())
    {
        $hash = password_hash($_POST['password'],PASSWORD_DEFAULT);
        mysqli_query($conn,"UPDATE admins SET admin_password = '$hash' WHERE admin_id='{$row['admin_id']}");
    }

    if(!$row || !password_verify($_POST['password'],$row['admin_password']))
    {
        ?>
        <div class="container">
            <h1>Username or Password is invalid!</h1>
           <form method="post" action="login.php">
                <button style="font-size: 30px" type="submit" class="btn btn-dark"><b>Back</b> <i class="fas fa-arrow-alt-circle-left"></i></button>
           </form>
        </div>
        <?php
    }
    else
    {
        $_SESSION["admin_id"] = $result["admin_id"];
        $_SESSION["admin_username"] = $result["admin_username"];
        session_write_close();
        header("location:front.php");
    }
    $stmt->close();
    $conn->close();
?>
</body>

没有出现语法错误,但我认为有一些错误

=> Qazxswpoi

=> Qazxswpoi

形成这段代码,结果是它总是返回mysqli_query($conn,"UPDATE admins SET admin_password = '$hash' WHERE admin_id ='{$row['admin_id']}");,即使我把有效的ID和密码。

© www.soinside.com 2019 - 2024. All rights reserved.