这个 MySQL 查询有什么问题？ （使用 PDO）

Question

这是我第一次尝试使用命名占位符，所以我确定我在某处有语法错误......我只是没有看到它。我按照我找到的here 的指示进行操作。如果密码与 $pass 匹配，我希望数组 $authResults 包含具有 $user 信息的行。

如果我的查询只是SELECT * FROM user 它可以工作。显然，这在生产环境中是行不通的。 :-)

这是我目前所拥有的：

$user= "Test";
$pass= "ba6c064dfdb1b7b4938bf82585a8332c89270303b6d75007f0b25feffe33b90bd34d3732acf4be708c85708c39ff6c28b87235663238b8fbfe2c4439258cc883";

$db = new PDO('mysql:host=localhost;dbname=test;charset=utf8', 'admin', 'pass');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

//query database to see if username/password match up
$authQuery = $db->prepare("SELECT * FROM user WHERE username=:usr AND password=:pwd");  // search for username and password
$authQuery->bindValue(':usr', $user, PDO::PARAM_STR);
$authQuery->bindValue(':pwd', $pass, PDO::PARAM_STR);
$authQuery->execute();
$authResults = $authQuery->fetchAll(PDO::FETCH_ASSOC);


echo "<br><br>authResults:<pre>";
print_r($authResults);
echo "</pre>";

想法？

这是在我的文件末尾回显的输出：

authResults:
Array
(
)

没有错误消息。 PHP 变量或 MySQL 查询是否有字符限制？

Answer 1

这只是意味着您的查询没有匹配任何内容。请注意您的用户/通行证如何存储在您的表中。

Answer 2

为了回答您提出的关于您将如何处理的问题：

// simple database structure
CREATE TABLE usrpwdkeys(
  usr TINYBLOB NOT NULL,
  pwd TINYBLOB NOT NULL
)ENGINE=INNODB;
INSERT usrpwdkeys VALUES ('C@x9H7^nb*','a_MF8B2&bx');
CREATE TABLE usrpwd(
  pk BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  usr BLOB NOT NULL,
  pwd BLOB NOT NULL
)ENGINE=INNODB;

// put your database connection on a secure page - restricted/connect.php
<?php
function db(){
  return new mysqli('host', 'username', 'password', 'database');
}

// putting the results into the database - newuser.php
<?php
$error = '';
if(isset($_POST['sub']) && !empty($_POST['user']) && !empty($_POST['pass'])){
  include_once 'restricted/connect.php'; $db = db();
  if($db->connect_error)die('connection failed');
  $upk = $db->query('SELECT * FROM usrpwdkeys'); $kys = $upk->fetch_row();
  $upk->free(); $usr = $db->real_escape_string(trim($_POST['user']));
  $pwd = sha1(md5($usr).$db->real_escape_string(trim($_POST['pass'])).'a5cJ');
  $uxs = $db->query("SELECT pk FROM usrpwd WHERE usr=AES_ENCRYPT('$usr','$upk[0]')");
  if($uxs->num_rows > 0){
    $error = 'Username in Use'; // error on password shows too much
  }
  elseif($db->query("INSERT usrpwd (usr,pwd) VALUES (AES_ENCRYPT('$usr','$upk[0]'), AES_ENCRYPT('$pwd','$upk[1]'))")){
    header('LOCATION:wherever.php'); // goes to other page
  }
  else{
    die('problem');
  }
  $uxs->free(); $db->close();
}
// Should be much more complex than just this - HTML structure should be below

// simple login - login.php
session_start(); $error = '';
if(isset($_POST['sub']) && !empty($_POST['user']) && !empty($_POST['pass'])){
  include_once 'restricted/connect.php'; $db = db();
  if($db->connect_error)die('connection failed');
  $upk = $db->query('SELECT * FROM usrpwdkeys'); $kys = $upk->fetch_row();
  $upk->free(); $usr = $db->real_escape_string(trim($_POST['user']));
  $pwd = sha1(md5($usr).$db->real_escape_string(trim($_POST['pass'])).'a5cJ');
  $log = $db->query("SELECT pk FROM usrpwd WHERE usr=AES_ENCRYPT('$usr','$upk[0]') && pwd=AES_ENCRYPT('$pwd','$upk[1]')");
  if($log->num_rows > 0){
    $_SESSION['log'] = 'Ao@8a!45'; $_SESSION['usr'] = $usr;
    header('LOCATION:wherever.php'); // goes to other page that should retest against database
  }
  else{
    $error = 'Invalid Password and/or Username';
  }
  $log->free(); $db->close();
}
// once again should be way more complex

当然，您可能希望对用户名和密码使用正则表达式。 PHPglue 库可以处理大部分（如果不是全部） Stick Form 正则表达式错误处理。