dongyan3616 2015-06-07 17:01
Views: 59
Accepted

How do I set two values in a prepared statement with a SELECT query?

What's wrong with my prepared statement? How to set the two values of it? And lastly how many parameter can mysqli_stmt_bind_param() can handle?

    $username = mysqli_real_escape_string($connection, $_POST['username']);
    $password = mysqli_real_escape_string($connection, $_POST['password']);

    $sql = mysqli_prepare($connection, "SELECT username FROM admin WHERE username = ? AND password = ?");
    mysqli_stmt_bind_param($sql, 's', $username);
    mysqli_stmt_bind_param($sql, 's', $password);
    mysqli_stmt_execute($sql);

    $count = mysqli_num_rows($sql);

    if($count == 1)
    {

        $_SESSION['login_user'] = $username;
        header("Location: AdminHome.php");
        exit;
    }
    else
    {
         $msg='Username and Password didnt match';
    }
    mysqli_stmt_close($sql);
    mysqli_close($connection);

1 answer

  • dougeqiang1619 2015-06-07 17:03

    You need to bind the parameters all at once (it can handle many parameters):

    $sql = mysqli_prepare($connection, "SELECT username FROM admin WHERE username = ? AND password = ?");
    mysqli_stmt_bind_param($sql, 'ss', $username, $password);
    

    Incidentally, you shouldn't store passwords in your database, but use hashes instead, and then check the password using password_verify: http://php.net/manual/en/function.password-verify.php

    Also, you don't need to escape the strings first: Is mysql_real_escape_string() necessary when using prepared statements?

    Finally, you need to rewrite a few lines:

    mysqli_stmt_execute($sql);
    $result = mysqli_stmt_get_result($sql);
    $count = mysqli_num_rows($result);
    
    This answer was accepted by the asker.
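The corrections from this answer as one complete PHP fragment (an added example, not the answerer's code): both INSERT values bound in a single call with the type string `ss`, the login lookup read through `mysqli_stmt_get_result`, and `password_verify` against a stored hash instead of a plaintext comparison in SQL. It assumes `$connection` is an open mysqli link opened earlier as in the question, and that the `admin.password` column holds `password_hash()` output rather than plaintext.

```php
<?php
// Added example, not the answerer's code. Assumes $connection is an open
// mysqli link and that admin.password stores password_hash() output.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // driver errors become exceptions

// Stores a new admin: both values bound in one call, type string 'ss',
// one type character per '?', in placeholder order.
function createAdmin(mysqli $connection, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);     // never store the plaintext
    $stmt = mysqli_prepare($connection, "INSERT INTO admin (username, password) VALUES (?, ?)");
    mysqli_stmt_bind_param($stmt, 'ss', $username, $hash);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
}

// Login check: a hash cannot be compared inside SQL, so only the username
// is a query parameter and the password is checked with password_verify().
function checkAdminLogin(mysqli $connection, string $username, string $password): bool
{
    $stmt = mysqli_prepare($connection, "SELECT password FROM admin WHERE username = ?");
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);   // result set from the statement (needs mysqlnd)
    $row = mysqli_fetch_assoc($result);        // null when no such username
    mysqli_stmt_close($stmt);

    // password_verify() does a constant-time comparison against the stored hash.
    return $row !== null && password_verify($password, $row['password']);
}

// Login handler from the question; bound parameters make mysqli_real_escape_string unnecessary.
session_start();
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if (checkAdminLogin($connection, $username, $password)) {
    session_regenerate_id(true);          // fresh session id once the user is authenticated
    $_SESSION['login_user'] = $username;
    header("Location: AdminHome.php");
    exit;
}
$msg = 'Username and password did not match';
```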
