What's the meaning of these two lines of PHP code?


Question

I'm currently programming a script to login the user if the user types the right information in the Password- and Login-field on a login page. The script is working just fine, but I don't actually know what these two lines of code means and does for the overall user experience.

I'm soon going to an exam where I have to explain the meaning of the code, and it would be absolutely amazing if you guys helped me out by explaining what the two lines of code does below. This is the full script:

<?php  

require('db_connect.php');

if (isset($_POST['user_id']) and isset($_POST['user_pass'])) {

    $username = $_POST['user_id'];
    $password = $_POST['user_pass'];

    $query = "SELECT * FROM dataforlogin WHERE username='$username' and password='$password'";

    $result = mysqli_query($connection, $query) or die(mysqli_error($connection));
    $count = mysqli_num_rows($result);

    if ($count == 1) {

        header("location: ../staudal/dashboard/index.php");

    } else {

        echo "Fail";

    }
}

?>

The two lines of code that I'm having trouble understanding is:

$result = mysqli_query($connection, $query) or die(mysqli_error($connection));
$count = mysqli_num_rows($result);

What do they do, and why?

Accepted answer

That's a good question because these lines are mostly wrong or useless according to the modern standards of security and application design. It never occurred to me before there could be so much wrong in just two lines of code.

  • mysqli_query() sends your query to the MySQL server. However, it is not the way you run a mysql query with variables. A prepared statement must be used instead.
  • die(mysqli_error($connection)) is intended to stop the code execution if the query execution fails and reveal the mysql error (particularly, or die() does many interesting things; I have an article that explains this). However, it is not the way you report mysql errors in PHP. A single configuration option must be used instead, which will be better in so many ways, from the amount of code written to the better user experience.
  • mysqli_num_rows($result) tells you how many rows your query returned. An essentially useless function; you can always use the returned data instead.
  • WHERE username='$username' and password='$password' is not the way you are checking the password in the database. A hashed password must be retrieved from the database and then checked using the password_verify() function.

It should be like this:

// $mysqli is the connection opened in db_connect.php; $username and
// $password are the values submitted from the login form
$username = $_POST['user_id'];
$password = $_POST['user_pass'];

$stmt = $mysqli->prepare("SELECT * FROM dataforlogin WHERE username = ?");
$stmt->bind_param("s", $username);
$stmt->execute();
$result = $stmt->get_result();
$user = $result->fetch_assoc();

if ($user && password_verify($password, $user['password']))
{
    // write some info into the session
    header("location: ../staudal/dashboard/index.php");
    exit;
} else {
    echo "invalid";
}

  • in the first line we are preparing the sql query with question marks placed where variables should go (so it is called a placeholder).
  • in the second line we are binding the actual variable to the placeholder, so it will be sent to mysql server separated from the query and there will be no way for them to interfere.
  • then the query gets actually executed.
  • then we are getting the mysqli_result variable, familiar to all users of either old mysql or new mysqli query - the actual source of data returned by the query.
  • then we are trying to fetch the selected row.
  • then we are checking two things at once,
    • whether our query returned any row
    • and if so, whether the password sent from the form is the same as one stored in the database using password_verify() function
  • before redirecting a user you are supposed to write some information about them into the session, in order to recognize them on other pages
  • it is a good practice to add exit after sending the Location header.

Hope these explanations will be enough for your teachers

Seriously, this question should raise awareness about the state of PHP education. Most sources, online and offline, are teaching as though it is still PHP3 around, with only minor face-lifting in regard of deprecated functions. But the approach, which is wrong in so many ways, remains the same.
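As an added example (not code from the question or the answer above), here is the answer's approach carried through into one complete login handler: the error-reporting option the answer alludes to instead of or die(), password_hash() on the way into the database and password_verify() on the way out, session bookkeeping before the redirect, and exit after the Location header. It assumes that db_connect.php defines a mysqli object in $mysqli, that the dataforlogin.password column is wide enough (e.g. VARCHAR(255)) to hold password_hash() output, and that the helper names register_user() and authenticate() are mine, not the page's.

```php
<?php
// Added example, not the original question's or answer's code.
// Assumptions: db_connect.php defines $mysqli (a mysqli object); the
// dataforlogin table has columns username and password, where password
// stores password_hash() output (column must be at least VARCHAR(255)).

// Let mysqli throw exceptions on any error, so no call needs its own
// "or die(mysqli_error(...))". This is the single configuration option the
// answer refers to; errors end up in the server log, not on the user's screen.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

require 'db_connect.php';
session_start();

// Helper (hypothetical name) used when creating an account: only the hash
// is stored, never the password itself.
function register_user(mysqli $mysqli, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $mysqli->prepare("INSERT INTO dataforlogin (username, password) VALUES (?, ?)");
    $stmt->bind_param("ss", $username, $hash);
    $stmt->execute();
}

// Helper (hypothetical name): returns the user row on success, null otherwise.
// The username travels to the server separately from the SQL text, so its
// content cannot alter the query.
function authenticate(mysqli $mysqli, string $username, string $password): ?array
{
    $stmt = $mysqli->prepare("SELECT * FROM dataforlogin WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();

    // password_verify() handles the salt and algorithm encoded in the hash.
    if ($user && password_verify($password, $user['password'])) {
        // If the stored hash was made with older cost settings, re-hash now
        // while the plaintext is available.
        if (password_needs_rehash($user['password'], PASSWORD_DEFAULT)) {
            $newHash = password_hash($password, PASSWORD_DEFAULT);
            $upd = $mysqli->prepare("UPDATE dataforlogin SET password = ? WHERE username = ?");
            $upd->bind_param("ss", $newHash, $username);
            $upd->execute();
        }
        return $user;
    }
    return null;
}

if (isset($_POST['user_id'], $_POST['user_pass'])) {
    $user = authenticate($mysqli, $_POST['user_id'], $_POST['user_pass']);

    if ($user !== null) {
        // Fresh session id on login so a pre-login session id cannot be reused.
        session_regenerate_id(true);
        // The "some info into the session" the answer mentions: this is what
        // other pages check to recognise the logged-in user.
        $_SESSION['username'] = $user['username'];
        header("Location: ../staudal/dashboard/index.php");
        exit; // nothing after the redirect should keep running
    }

    // Same message whether the username is unknown or the password is wrong,
    // so the response does not reveal which usernames exist.
    echo "invalid";
}
```

The response for an unknown username and for a wrong password is deliberately identical, and the query never mentions the password at all: the database only ever sees the username, and the comparison happens in PHP against the stored hash.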

