dongzhang1987 2017-10-14 09:01
浏览 41
已采纳

PHP - mySQL查询中的几个变量

I have a basic login code, where the user enters a username and a password, hits 'Submit', and then a mySQL query checks in the database if the username corresponds to the password.

Here is the query, with 'pseudo' as the username typed by the user and 'mot_de_passe' as the password typed in.

$reponse = $bdd->query('SELECT * FROM user_data WHERE username = '.$_POST['pseudo'].' AND password = '.$_POST['mot_de_passe'].' ');

Without the 'AND...' part, I can check if the username exists, but then when I add the 'AND...' part, the query doesn't work, and the 'AND' is not in the same color as 'SELECT * FROM'and 'WHERE'

I have tried dots, simple quotes, quotes, but nothing changes.

Thanks in advance.

  • 写回答

2条回答 默认 最新

  • duanbaque4230 2017-10-14 09:14
    关注

    You must use " or ' about string in SQL

    $reponse = $bdd->query('SELECT * FROM user_data WHERE username = "'.$_POST['pseudo'].'" AND password = "'.$_POST['mot_de_passe'].'" ');

    And your code can't prevent SQL INJECTION attack.

    Please use prepared statement or bind param.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 linux驱动,linux应用,多线程
  • ¥20 我要一个分身加定位两个功能的安卓app
  • ¥15 基于FOC驱动器,如何实现卡丁车下坡无阻力的遛坡的效果
  • ¥15 IAR程序莫名变量多重定义
  • ¥15 (标签-UDP|关键词-client)
  • ¥15 关于库卡officelite无法与虚拟机通讯的问题
  • ¥15 目标检测项目无法读取视频
  • ¥15 GEO datasets中基因芯片数据仅仅提供了normalized signal如何进行差异分析
  • ¥100 求采集电商背景音乐的方法
  • ¥15 数学建模竞赛求指导帮助