gpt4 book ai didi

php - PDO - fatal error : Call to a member function fetch() on a non-object

转载 作者:行者123 更新时间:2023-12-03 00:56:14 24 4
gpt4 key购买 nike

如果我尝试运行以下 PHP 代码,我会得到一个

Call to a member function fetch() on a non-object.

你知道为什么吗?我在另一个网站上使用相同的代码,它运行得很好。

<?php
$username = ($_GET ['user']);
try {
$dbh = new PDO("mysql:host=localhost;dbname=***", '***', '***');
} catch (PDOException $e) {
echo $e->getMessage();
}
$sth = $dbh->query( "SELECT user, captcha
FROM xf_captcha WHERE user='$username'" );
print_r($sth->fetch());
?>
<小时/>

编辑:

$sth = $dbh->query( "SELECT username, user_state, last_activity, alerts_unread, conversations_unread, message_count 
FROM xf_user WHERE username='$user'" );
$row = $sth->fetch();
<小时/>

编辑2:

这看起来安全吗?我应该采取更多措施吗?

<?php
$username = ($_GET ['user']);
try {
$dbh = new PDO("mysql:host=localhost;dbname=***", '***', '***');
} catch (PDOException $e) {
echo $e->getMessage();
}
$sth = $dbh->prepare("SELECT username, captcha, timestamp
FROM xf_captcha
WHERE username = :username", array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$sth->execute(array(':username' => $username));
print_r($sth->fetch());
?>

最佳答案

您的代码在问题的顶部有变量 $username,但在底部有 $user

您可能想使用相同的变量吗?

$username = ($_GET ['user']);
$sth = $dbh->query( "SELECT username, user_state, last_activity, alerts_unread, conversations_unread, message_count
FROM xf_user WHERE username='$user'" );
// ^^ Should this ALSO be $username ?
$row = $sth->fetch();

编辑:好的,现在你只是在用你的 PDO::ATTR_EMULATE_PREPARES 来表现可爱。观察这一点:

数据库和表结构:

Database changed
mysql> show tables
-> ;
+----------------+
| Tables_in_prep |
+----------------+
| users |
+----------------+
1 row in set (0.00 sec)

mysql> select * from users;
+----+---------+--------+
| id | userid | pass |
+----+---------+--------+
| 1 | Fluffeh | mypass |
+----+---------+--------+
1 row in set (0.00 sec)

以及从您的代码复制的一些 PHP 代码,并添加了 PDO 属性:

<?php
//$username = ($_GET ['user']);
$username="Fluffeh";

$dbh = new PDO('mysql:host=localhost;dbname=prep', 'prepared', 'example');
$dbh->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_OBJ);

$sth = $dbh->query( "SELECT userid, pass FROM users WHERE userid='$username'" );
echo "Trying to use $username.\n";
print_r($sth->fetch());
echo "----------------------------------------\n\n";
?>

<?php
//$username = ($_GET ['user']);
$username="user2693017";

$dbh = new PDO('mysql:host=localhost;dbname=prep', 'prepared', 'example');
$dbh->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_OBJ);

$sth = $dbh->query( "SELECT userid, pass FROM users WHERE userid='$username'" );
echo "Trying to use $username.\n";
print_r($sth->fetch());
echo "----------------------------------------\n\n";
?>

<?php
//$username = ($_GET ['user']);
$username="Oh my' or 1=1 or 'm=m";

$dbh = new PDO('mysql:host=localhost;dbname=prep', 'prepared', 'example');
$dbh->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_OBJ);

$sth = $dbh->query( "SELECT userid, pass FROM users WHERE userid='$username'" );
echo "Trying to use $username.\n";
print_r($sth->fetch());
echo "----------------------------------------\n\n";
?>

<?php
//$username = ($_GET ['user']);
$username="(select id from users limit 1)";

$dbh = new PDO('mysql:host=localhost;dbname=prep', 'prepared', 'example');
$dbh->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_OBJ);

$sth = $dbh->query( "SELECT userid, pass FROM users WHERE id='$username'" );
echo "Trying to use $username.\n";
print_r($sth->fetch());
echo "----------------------------------------\n\n";
?>

<?php
//$username = ($_GET ['user']);
// Changed this one to be a non-string, you might be checking an ID instead.
$username="(select id from users limit 1)";

$dbh = new PDO('mysql:host=localhost;dbname=prep', 'prepared', 'example');
$dbh->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_OBJ);

$sth = $dbh->query( "SELECT userid, pass FROM users WHERE id=$username" );
echo "Trying to use $username.\n";
print_r($sth->fetch());
echo "----------------------------------------\n\n";
?>

<?php
//$username = ($_GET ['user']);
$username="bob'; drop table users; \
";
// This one is tricker to do in PHP code. I could easily enter this into a text field however.

$dbh = new PDO('mysql:host=localhost;dbname=prep', 'prepared', 'example');
$dbh->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_OBJ);

//$sth = $dbh->query( "SELECT userid, pass FROM users WHERE id='$username'" );
echo "Trying to use $username.\n";
print_r($sth->fetch());
echo "----------------------------------------\n\n";
?>

输出:

    Trying to use Fluffeh.
stdClass Object
(
[userid] => Fluffeh
[pass] => mypass
)
----------------------------------------


Trying to use user2693017.
----------------------------------------


Trying to use Oh my' or 1=1 or 'm=m.
stdClass Object
(
[userid] => Fluffeh
[pass] => mypass
)
----------------------------------------


Trying to use (select id from users limit 1).
----------------------------------------


Trying to use (select id from users limit 1).
stdClass Object
(
[userid] => Fluffeh
[pass] => mypass
)
----------------------------------------


Trying to use bob'; drop table users; \
.
----------------------------------------

哦,我把最后一个留到最后的原因是我的数据库中现在有这个输出:

mysql> show tables;
Empty set (0.00 sec)

是的,没错,我刚刚掉了一张 table 。让我再说一遍,我有一个 select 语句,通过一点技巧,我在文本字段中输入了任何人都可以在文本字段中执行的值,并删除了您的表。

现在,当然,如果您设置正确,您可能会为 select 语句设置不同的用户,并且只授予他们从数据库中选择的权限,以阻止这种情况事情正在发生 - 但说实话......你不是吗?

显然设置模拟是不够的。说真的,现在请走吧read that answer ,如果您希望代码安全,请使用准备好的语句并使用参数。

关于php - PDO - fatal error : Call to a member function fetch() on a non-object,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/19017682/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com