php - 登录验证器检查器 PHP MYSQL

Question

下面是我的“登录检查器”如果我使用旧的传统 mysql 连接，它工作得很好。但是使用 PDO，它似乎不起作用。介意是否有人给我一些提示或对此代码的修改，以便它能够工作？

它给了我这个错误:

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\clubresults\checklogin.php on line 23

其中第 23 行是 $count=mysql_num_rows($result);谢谢!!

<?php
ob_start();
$tbl_name="admin_passwords"; // Table name 

        $pdo = new PDO('mysql:host=localhost;dbname=clubresults', 'root', '12345678');
    #Set Error Mode to ERRMODE_EXCEPTION.
    $pdo->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);  

// username and password sent from form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION["myusername"] = "$myusername";
$_SESSION["mypassword"] = "$mypassword";
header("location:login_success.php");
}
else {

echo "ACCESS DENIED.<br> Incorrect username and/or Password
<br>Please check your username and password. <br> wait five seconds for redirection. ";
}
ob_flush();
?>

Answer 1

您似乎没有充分利用 PDO 并使用参数化语句。

如果是我，我会编写如下代码:

$tbl_name="admin_passwords"; // Table name 

$pdo = new PDO('mysql:host=localhost;dbname=clubresults', 'root', '12345678');
#Set Error Mode to ERRMODE_EXCEPTION.
$pdo->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$stmt = $pdo->prepare("SELECT * FROM $tbl_name WHERE username = :username AND password = :password");
$stmt->execute(array('username' => $_POST['myusername'], 'password' => $_POST['mypassword']));
if ($stmt->fetch() === false) {
    //access deined
    //....
}
else {
   //access granted
   //...
}

此外，出于安全目的，您应该在数据库中至少使用 sha1(我使用 sha512)对密码进行哈希处理，这样即使您的数据被盗，密码也无法在不付出很大努力的情况下进行逆向工程。

编辑:再看一遍，使用 root 以外的用户访问数据库可能也不错，但这更多是个人喜好。