这里的另一个新手..我正在尝试修复以下代码,以防止sql注入,并学习编写php和sql的新方法。
您的建议将不胜感激。
我修改了这个
<?php class DB_Functions { private $db; function __construct() { require_once 'db_connect.php'; $this->db = new DB_Connect(); $this->db->connect(); } public function getUser($uid, $password) { $result = mysql_query("SELECT * FROM users WHERE id = '$uid' AND pswd = '$password'") or die(mysql_error()); $no_of_rows = mysql_num_rows($result); if ($no_of_rows > 0) { $result = mysql_fetch_array($result); return $result; } else { return false; } } } ?>
为此,我没有得到相同的结果。
<?php class DB_Functions { private $db; function __construct() { require_once 'db_connect.php'; $this->db = new DB_Connect(); $this->db->connect(); } public function getUser($uid, $password) { $sql = $db->prepare("SELECT * FROM users WHERE id=:id AND pswd=:password"); $result = $db->query($sql); $no_of_rows = mysql_num_rows($result); if ($no_of_rows > 0) { $result = mysql_fetch_array($result); return $result; } else { return false; } } } ?>
您不能将mysql与mysqli或PDO混合使用。您需要查看错误日志,因为这不可能实现-您应该看到大量致命错误。
public function getUser($uid, $password) { $stmt = $db->prepare("SELECT * FROM users WHERE id=? AND pswd=?"); $stmt->execute(array($uid, $password)); return $stmt->fetch(); }
