doubairan4213 2015-07-19 18:13
浏览 44
已采纳

无法使用PDO连接到MySQL服务器[重复]

This question already has an answer here:

I'm trying to prevent SQL injection using PDO, but I can't seem to connect. This is the working version - not SQL injection safe:

<html>
    <head>
    <title>Insert data into database</title>
    </head>
    <body>
    <?php


    session_start();
    $_SESSION['name'] = $_POST['name'];

    // Connect to database server
    mysql_connect("localhost", "********", "********") or die(mysql_error());

    // Select database
    mysql_select_db("mydatabase") or die(mysql_error());

    // The SQL statement is built

    $strSQL = "INSERT INTO mytable(name) VALUES('" . $_POST["name"] . "')";

    // The SQL statement is executed 
    mysql_query($strSQL) or die (mysql_error());



    // Close the database connection
    mysql_close();

    echo "Your name is " . $_POST["name"] ; 

    ?>

    </body>
    </html>

This is working just fine. I read these pages on how to use PDO to protect against SQL injection attacks:

http://www.w3schools.com/php/php_mysql_connect.asp

http://www.w3schools.com/sql/sql_injection.asp

and wrote the following code following the guideline:

<html>
    <head>
    <title>Insert data into database</title>
    </head>
    <body>
    <?php


    session_start();
    $_SESSION['name'] = $_POST['name'];

    $servername = "localhost";
    $username = "********";
    $password = "********";

    try {
        $conn = new PDO("mysql:host=$servername, dbname=mydatabase", $username, $password);
        // set the PDO error mode to exception
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        echo "Connected successfully";
        }
    catch(PDOException $e)
        {
        echo "Connection failed: " . $e->getMessage();
        }

    echo "You have connected to the database server with PDO"

    // The SQL statement is built
    $stmt = $dbh->prepare("INSERT INTO mytable (name)
    VALUES (:name)");
    $stmt->bindParam(':name', $_POST['name']);
    $stmt->execute();


    // Close the database connection
    mysql_close();

    echo "Your name is " . $_POST["name"] ; 

    ?>

    </body>
    </html>

But this code just gives me a blank page - no error message and nothing inserted into the database.

I also tried doing the connection as described in

http://www.stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php

but the result was the same - a blank page without error messages.

What am I doing wrong?

</div>
  • 写回答

1条回答 默认 最新

  • dongzhuo3376 2015-07-19 18:19
    关注

    You're using the wrong variable for $stmt = $dbh->prepare

    which should be $conn and not $dbh as per your connection.

    Having used error reporting, would have signabled an undefined variable dbh notice/warning.

    You also can't use mysql_close(); with PDO as you are mixing APIs, which you can't do.

    See Example #3 Closing a connection of "Connections and Connection" in the manual http://php.net/manual/en/pdo.connections.php

    Another thing session_start(); is best to be above anything. You may be outputting before header.

    Edit: You forgot a semi-colon in this line:

    echo "You have connected to the database server with PDO"

    which should read as

    echo "You have connected to the database server with PDO";

    which will break your code.

    Error reporting would also have caught that syntax/parse error.

    Add error reporting to the top of your file(s) which will help find errors.

    <?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

    Sidenote: Error reporting should only be done in staging, and never production.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥30 截图中的mathematics程序转换成matlab
  • ¥15 动力学代码报错,维度不匹配
  • ¥15 Power query添加列问题
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 報錯:Person is not mapped,如何解決?
  • ¥15 c++头文件不能识别CDialog
  • ¥15 Excel发现不可读取的内容
  • ¥15 关于#stm32#的问题:CANOpen的PDO同步传输问题
  • ¥20 yolov5自定义Prune报错,如何解决?
  • ¥15 电磁场的matlab仿真