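A few years ago I used PHP a lot, and I recently decided to refresh my skills. I am trying to build a forum site, and I ran into a problem using the new PDO approach to insert data collected from users back into the table. My code using the old mysql approach (deprecated since PHP 5.5, as far as I know) is: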
$sql = "INSERT INTO
users(user_name, user_pass, user_email ,user_date, user_level)
VALUES('" . mysql_real_escape_string($_POST['user_name']) . "',
'" . sha1($_POST['user_pass']) . "',
'" . mysql_real_escape_string($_POST['user_email']) . "',
NOW(),
0)";
$result = mysql_query($sql);
if(!$result)
{
//something went wrong, display the error
echo 'Something went wrong while registering. Please try again later.';
//echo mysql_error(); //debugging purposes, uncomment when needed
}
else
{
echo 'Successfully registered. You can now <a href="signin.php">sign in</a> and start posting! :-)';
}
Looking for the equivalent PDO approach, I found this code:
<?php
$stmt = $db->prepare("INSERT INTO table(field1,field2,field3,field4,field5) VALUES(:field1,:field2,:field3,:field4,:field5)");
$stmt->execute(array(':field1' => $field1, ':field2' => $field2, ':field3' => $field3, ':field4' => $field4, ':field5' => $field5));
$affected_rows = $stmt->rowCount();
So putting the two together I got this (or at least I think I did):
$stmt = $db->prepare("INSERT INTO users(user_name, user_pass, user_email, user_date, user_level)
VALUES('" . ($_POST['user_name']) . "','" . sha1($_POST['user_pass']) . "','" . ($_POST['user_email']) . "',NOW(),0)");
$stmt->execute(array(':user_name' => $user_name, ':user_pass' => $user_pass, ':user_email' => $user_email, ':user_date' => $user_date, ':user_level' => $user_level));
//$affected_rows = $stmt->rowCount();
if (!$result) {
//something went wrong, display the error
echo 'Something went wrong while registering. Please try again later.';
//echo mysql_error(); //debugging purposes, uncomment when needed
} else {
echo 'Successfully registered. You can now <a href="signin.php">sign in</a> and start posting! :-)';
}
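However, when I run it, I get a series of "undefined variable" errors for every field I am trying to update.
My hosting provider does allow me to run the old code on a now-unsupported PHP version, but I think that is insecure and vulnerable to SQL injection, so as part of my (re)learning experience I thought I would try to figure out the new way of doing things.
Any help is much appreciated.
Best answer
You are trying to use a prepared statement but doing it the wrong way; this is what you need: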
$user_name = $_POST['user_name'];
$user_pass = password_hash($_POST['user_pass'], PASSWORD_BCRYPT);
$user_email = $_POST['user_email'];
$user_date = time();
$user_level = 0;
$stmt = $db->prepare("INSERT INTO
users(user_name, user_pass, user_email ,user_date, user_level)
VALUES(:user_name, :user_pass, :user_email, :user_date, :user_level)");
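// execute() returns true on success and false on failure; keep it so the check below has a value to test
$result = $stmt->execute(array(':user_name' => $user_name, ':user_pass' => $user_pass, ':user_email' => $user_email, ':user_date' => $user_date, ':user_level' => $user_level));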
//$affected_rows = $stmt->rowCount();
if(!$result)
{
//something went wrong, display the error
echo 'Something went wrong while registering. Please try again later.';
//print_r($stmt->errorInfo()); //debugging purposes, uncomment when needed
}
else
{
echo 'Successfully registered. You can now <a href="signin.php">sign in</a> and start posting! :-)';
}
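The execute call binds each key in the array to the corresponding placeholder in the query. You may also want to do some research on password hashing functions.
About php - Updating the mysql method with PDO: a similar question was found on Stack Overflow: https://stackoverflow.com/questions/49083562/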
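An added example (not part of the question or the answer above) that runs the same registration flow end to end with PDO: exceptions enabled so failures are visible, a bound INSERT, and `password_verify` on login. It assumes the `pdo_sqlite` extension and uses an in-memory table as a constructed stand-in for `users`; the function names and sample values are hypothetical.

```php
<?php
// Added example; assumes pdo_sqlite. The in-memory table is a constructed stand-in for `users`.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // report failures as exceptions
$db->exec('CREATE TABLE users (user_name TEXT UNIQUE NOT NULL, user_pass TEXT NOT NULL,
    user_email TEXT NOT NULL, user_date INTEGER NOT NULL, user_level INTEGER NOT NULL)');

// Hypothetical helper: every user-supplied value travels as a bound parameter, never as SQL text.
function register_user(PDO $db, string $name, string $pass, string $email): bool
{
    $stmt = $db->prepare(
        'INSERT INTO users (user_name, user_pass, user_email, user_date, user_level)
         VALUES (:user_name, :user_pass, :user_email, :user_date, :user_level)'
    );
    try {
        return $stmt->execute([
            ':user_name'  => $name,
            ':user_pass'  => password_hash($pass, PASSWORD_BCRYPT), // salted hash, replaces sha1()
            ':user_email' => $email,
            ':user_date'  => time(),
            ':user_level' => 0,
        ]);
    } catch (PDOException $e) {
        error_log($e->getMessage()); // log the detail, show the user only a generic message
        return false;
    }
}

// Hypothetical helper: fetch the stored hash with a bound lookup and verify against it.
function check_login(PDO $db, string $name, string $pass): bool
{
    $stmt = $db->prepare('SELECT user_pass FROM users WHERE user_name = :user_name');
    $stmt->execute([':user_name' => $name]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}

// Constructed sample input: a name containing quote characters and SQL syntax.
$odd_name = "alice', 'x', 'x', 0, 9) --";
var_dump(register_user($db, $odd_name, 'correct horse', 'alice@example.com'));
var_dump(register_user($db, $odd_name, 'other', 'dup@example.com')); // UNIQUE violation path
var_dump(check_login($db, $odd_name, 'correct horse'));
var_dump(check_login($db, $odd_name, 'wrong password'));

// The stored row holds the name verbatim and user_level stays 0: the input was treated as data.
print_r($db->query('SELECT user_name, user_level FROM users')->fetchAll(PDO::FETCH_ASSOC));
```

Because the placeholders are bound at execute time, the quote characters in the sample name never reach the SQL parser; with the string-concatenated `prepare()` call from the question they would.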