迁移到mysqli [英] Moving to mysqli

问题描述

当人们发现我的mysql代码时，我一直被激怒了，因此我决定迁移到mysqli:-)

I have decided to move over to mysqli as I keep getting flamed when people spot my mysql code :-)

有人可以验证以下内容是否正确，但一切正常，但是我只想确保在进入本网站的其余部分之前，我没有做任何愚蠢的事情或存在安全隐患. 这是用于登录时用户名/密码检查的php.

Could someone verify the below is correct, it all works but I just want to make sure I am not doing something stupid or presenting a security risk before I move onto the rest of the site. This is the php for username/password check on login.

<?php
//Start session
session_start();

//Include database connection details
require_once('db_connect.php');

//Array to store validation errors
$errmsg_arr = array();

//Validation error flag
$errflag = false;


// cleanup POST variables
$username = mysqli_real_escape_string($mysqli, stripslashes(trim($_POST['username'])));
$password = mysqli_real_escape_string($mysqli, stripslashes(trim($_POST['password'])));

//Input Validations
if($username == '') {
    $errmsg_arr[] = 'Username required';
    $errflag = true;
}
if($password == '') {
    $errmsg_arr[] = 'Password required';
    $errflag = true;
}

//If there are input validations, redirect back to the login form
if($errflag) {
    $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
    session_write_close();
    header("location: logon.php");
    exit();
}

//Load and run query
$result = mysqli_query($mysqli, "SELECT * FROM auth WHERE username='$username' AND password='$password'");

if ($result->num_rows) {
//Login Successful
        session_regenerate_id();
        //Set session variables
        $member = $result->fetch_assoc();
        $_SESSION['SESS_MEMBER_ID'] = $member['ID'];
        $_SESSION['SESS_USERNAME'] = $member['username'];
        $_SESSION['SESS_FIRST_NAME'] = $member['fname'];
        $_SESSION['SESS_PASSWORD'] = $member['password'];
        $_SESSION['SESS_AUTH_LEVEL'] = $member['auth_level'];
        session_write_close();
        header("location: index");
        exit();
    }else {
        //Login failed
        $errmsg_arr[] = 'user name or password not found';
        $errflag = true;
        if($errflag) {
            $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
            session_write_close();
            header("location: logon.php");
            exit();
        }
    }
mysqli_close($mysqli); 
?>

非常感谢！

推荐答案

好吧，由于您没有执行 static ，因此您想在此处使用准备好的语句 SQL查询-这就是mysqli_query()的用途.

Well, you would want to use prepared statements here, because you're not executing a static SQL query - that's what mysqli_query() is to be used for.

因此，这是您需要做的:

So, here's what you would need to do:

1. 不要理会// cleanup POST variables部分.
2. 更改//Load and run query部分以使用准备好的语句.

3. 首先，我们要准备它: http://php.net /manual/en/mysqli.prepare.php

1. Don't bother with the // cleanup POST variables section.
2. Change the //Load and run query section to use a prepared statement.

3. First, we want to prepare it: http://php.net/manual/en/mysqli.prepare.php

$query = mysqli_prepare($mysqli, "SELECT * FROM auth WHERE username=? AND password=?");

然后我们要给Mysqli什么?标记为: http://www.php.net/manual/zh/mysqli-stmt.bind-param.php

Then we want to give Mysqli what the ? marks are: http://www.php.net/manual/en/mysqli-stmt.bind-param.php

$query->bind_param('ss', $username, $password);

然后，使用bind_result和fetch(请参见中的索引http://www.php.net/manual/zh/class.mysqli-stmt.php )以获取结果并将其存储到会话变量中.

Then, use bind_result and fetch (see index at http://www.php.net/manual/en/class.mysqli-stmt.php) to get the result and store into the session variables.

这篇关于迁移到mysqli的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！