doubairan4213 2015-07-19 18:13
浏览 44
已采纳

无法使用PDO连接到MySQL服务器[重复]

This question already has an answer here:

I'm trying to prevent SQL injection using PDO, but I can't seem to connect. This is the working version - not SQL injection safe:

<html>
    <head>
    <title>Insert data into database</title>
    </head>
    <body>
    <?php


    session_start();
    $_SESSION['name'] = $_POST['name'];

    // Connect to database server
    mysql_connect("localhost", "********", "********") or die(mysql_error());

    // Select database
    mysql_select_db("mydatabase") or die(mysql_error());

    // The SQL statement is built

    $strSQL = "INSERT INTO mytable(name) VALUES('" . $_POST["name"] . "')";

    // The SQL statement is executed 
    mysql_query($strSQL) or die (mysql_error());



    // Close the database connection
    mysql_close();

    echo "Your name is " . $_POST["name"] ; 

    ?>

    </body>
    </html>

This is working just fine. I read these pages on how to use PDO to protect against SQL injection attacks:

http://www.w3schools.com/php/php_mysql_connect.asp

http://www.w3schools.com/sql/sql_injection.asp

and wrote the following code following the guideline:

<html>
    <head>
    <title>Insert data into database</title>
    </head>
    <body>
    <?php


    session_start();
    $_SESSION['name'] = $_POST['name'];

    $servername = "localhost";
    $username = "********";
    $password = "********";

    try {
        $conn = new PDO("mysql:host=$servername, dbname=mydatabase", $username, $password);
        // set the PDO error mode to exception
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        echo "Connected successfully";
        }
    catch(PDOException $e)
        {
        echo "Connection failed: " . $e->getMessage();
        }

    echo "You have connected to the database server with PDO"

    // The SQL statement is built
    $stmt = $dbh->prepare("INSERT INTO mytable (name)
    VALUES (:name)");
    $stmt->bindParam(':name', $_POST['name']);
    $stmt->execute();


    // Close the database connection
    mysql_close();

    echo "Your name is " . $_POST["name"] ; 

    ?>

    </body>
    </html>

But this code just gives me a blank page - no error message and nothing inserted into the database.

I also tried doing the connection as described in

http://www.stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php

but the result was the same - a blank page without error messages.

What am I doing wrong?

</div>
  • 写回答

1条回答 默认 最新

  • dongzhuo3376 2015-07-19 18:19
    关注

    You're using the wrong variable for $stmt = $dbh->prepare

    which should be $conn and not $dbh as per your connection.

    Having used error reporting, would have signabled an undefined variable dbh notice/warning.

    You also can't use mysql_close(); with PDO as you are mixing APIs, which you can't do.

    See Example #3 Closing a connection of "Connections and Connection" in the manual http://php.net/manual/en/pdo.connections.php

    Another thing session_start(); is best to be above anything. You may be outputting before header.

    Edit: You forgot a semi-colon in this line:

    echo "You have connected to the database server with PDO"
    

    which should read as

    echo "You have connected to the database server with PDO";
    

    which will break your code.

    Error reporting would also have caught that syntax/parse error.

    Add error reporting to the top of your file(s) which will help find errors.

    <?php 
    error_reporting(E_ALL);
    ini_set('display_errors', 1);
    
    // rest of your code
    

    Sidenote: Error reporting should only be done in staging, and never production.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 如何解决访问网址被屏蔽的情况
  • ¥15 本地运行的vue2项目,使用内网穿透,前端界面一直转圈圈
  • ¥20 powerbuilder datawindow控件导出Excel数据,可不可以不自动覆盖原数据,而是在后面新插入入数据。
  • ¥100 无轴承永磁同步电机控制
  • ¥15 eps里添加本地倾斜模型
  • ¥15 telegram 问题
  • ¥15 nrf52810-c三个a 程序
  • ¥50 求一个半透明没有锯齿的圆角窗体的实现例子
  • ¥15 STM32cubeMX里的FreeRTOS无法释放内存
  • ¥15 CATIA有些零件打开直接单机确定终止