我准备好的声明有什么问题吗?它的两个值如何设置呢?最后mysqli_stmt_bind_param()可以处理多少个参数?
$username = mysqli_real_escape_string($connection, $_POST['username']);
$password = mysqli_real_escape_string($connection, $_POST['password']);
$sql = mysqli_prepare($connection, "SELECT username FROM admin WHERE username = ? AND password = ?");
mysqli_stmt_bind_param($sql, 's', $username);
mysqli_stmt_bind_param($sql, 's', $password);
mysqli_stmt_execute($sql);
$count = mysqli_num_rows($sql);
if($count == 1)
{
$_SESSION['login_user'] = $username;
header("Location: AdminHome.php");
exit;
}
else
{
$msg='Username and Password didnt match';
}
mysqli_stmt_close($sql);
mysqli_close($connection);
最佳答案
需要一次性绑定(bind)所有参数(它可以处理很多参数):
$sql = mysqli_prepare($connection, "SELECT username FROM admin WHERE username = ? AND password = ?");
mysqli_stmt_bind_param($sql, 'ss', $username, $password);
顺便说一句,您不应该将密码存储在数据库中,而应使用哈希值,然后使用password_verify检查密码:http://php.net/manual/en/function.password-verify.php
此外,您不需要先转义字符串:Is mysql_real_escape_string() necessary when using prepared statements?
最后,您需要重写几行:
mysqli_stmt_execute($sql);
$result = mysqli_stmt_get_result($sql);
$count = mysqli_num_rows($result);
关于php - 如何使用 SELECT 查询在准备好的语句中设置两个值?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/30696165/