我是参与查询的新手。请在usercheck中帮助这个。我正在给我的程序。我想使用参数化查询使用我的数据库登录页面。请帮助我。谢谢你提前
<html>
<form name="usercheck" method="post" action="newuser.php">
username: <input type="text" name="uname"> <br><br>
password:<input type="password" name="pswd"><br><br>
<input type="submit" value="Login">
</form>
<?php
session_start();
if (isset($_post['uname'])) {
$uname = $_post['uname'];
$pswd = $_post["pswd"];
$con = mysqli_connect("localhost", "root", "happy123$", "cbanktb");
$query = "select * FROM banktable where username=? and password=?";
$stmt = mysqli_prepare($con, $query);
If ($stmt) {
mysqli_stmt_bind_param($stmt, "s", $uname, $pswd);
mysqli_stmt_bind_result($stmt, $dbusername, $dbpassword);
mysqli_stmt_execute($stmt);
mysqli_stmt_fetch($stmt);
#$result=mysqli_query($con,"select * from banktable where acno='$aid'");
#$row = mysqli_fetch_row($result);
#echo $row[0]." ".$row[1]." ".$row[2]." ".$row[3]." ".$row[4];
#$balance=$row[3];
echo "You are logged in";
} else {
echo "You are not $dbusername";
}
}
?>
</html>
答案 0 :(得分:1)
使用参数化mysqli_* prepare statement Or PDO
<html>
<form name="usercheck" method="post" action="newuser.php">
username: <input type="text" name="uname"> <br><br>
password:<input type="password" name="pswd"><br><br>
<input type="submit" value="Login" name="form_submit" >
</form>
<?php
session_start();
if (isset($_post['form_submit'])) {
$uname = $_post['uname'];
$pswd = $_post["pswd"];
$con = mysqli_connect("localhost", "root", "happy123$", "cbanktb") or die("Connection failed: " . mysqli_connect_error());
$query = "select * FROM banktable where username=? and password=?";
$stmt = $con->prepare($query);
$stmt->bind_param('ss',$uname,$pswd);
The argument may be one of four types:
i - integer
d - double
s - string
b - BLOB
//change it by respectively
$stmt->execute();
$row_count= $stmt->affected_rows;
$stmt->close();
$con->close();
if($row_count>0)
{
echo "successfully logged in";
//setting session here
}
else
{
echo "Login failed";
}
}
?>
</html>