2018-02-11 17:31
Viewed 63 times


I am trying to create a login page, but I'm having some issues using prepared statements to secure the login. I have the following code:

$sql = "SELECT * FROM users WHERE user_email=?";
$stmt = mysqli_stmt_prepare($db, $sql);
mysqli_stmt_bind_param($stmt, "s", $email);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$resultCheck = mysqli_stmt_num_rows($stmt);

The problem occurs when checking if the result check variable is less than 1. It shouldn't be 0, but it is. I don't understand why, as the database has an email with the value, but when trying to enter that the $resultCheck variable still returns 0. I'm guessing it has to do with the prepared statements.

1 answer

  • dongying6896 2018-02-11 19:05

    The client has no idea how many rows are in the result until they are fetched.

    You can make the client pre-fetch all rows of the result by using mysqli_stmt_store_result(). Then you can use num-rows.

    $sql = "SELECT * FROM users WHERE user_email=?";
    $stmt = mysqli_prepare($db, $sql);
    mysqli_stmt_bind_param($stmt, "s", $email);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);   // buffer the whole result set on the client
    $resultCheck = mysqli_stmt_num_rows($stmt);   // now the row count is known
    echo "result num_rows = $resultCheck";

    This echo correctly produces the answer "1".

    But if you do use store-result, for some reason you can't also use get-result. So you can't use result methods like fetch_assoc — you have to bind_result into variables by reference and use fetch().

    By the way, mysqli_stmt_prepare() takes a statement object as its first argument, not the $db connection. Whereas mysqli_prepare() takes a connection object. Again, a confusing usage of mysqli functions.

    I don't like mysqli. It's hard to use and has confusing traps of inexplicable behavior. I don't like how bind_param and bind_result make my code seem cluttered.

    I prefer using PDO. It's much easier.

    $sql = "SELECT * FROM users WHERE user_email=?";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$email]);   // bound as a value, never spliced into the SQL text
    $result = $stmt->fetchAll();
    $rowCount = $stmt->rowCount();
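The following is an added example, not code from the question or the answer above. It shows the PDO approach the answer recommends carried through to a complete login check. It assumes a `users` table with an `id` column and a `user_pwd` column holding a `password_hash()` digest (the original post only shows `user_email`); it uses an in-memory SQLite database so that it runs stand-alone, and the sample row is constructed for the demo. One caveat worth knowing when moving from the answer's snippet to a login: the PDO documentation states that `rowCount()` on a SELECT is not guaranteed to work for every driver, so the check below relies on `fetch()` returning `false` instead.

```php
<?php
// Added example: a complete login check with PDO prepared statements.
// Assumptions (not from the original post): the users table has columns
// id, user_email and user_pwd, where user_pwd holds a password_hash() digest.
// SQLite in-memory is used only so the example runs stand-alone; replace the
// DSN with your MySQL connection in a real application.

declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With pdo_mysql this disables client-side emulation so bound values never
    // touch the SQL text. pdo_sqlite ignores the attribute (returns false).
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

function seed(PDO $pdo): void
{
    // Constructed sample data for the demo only.
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_email TEXT UNIQUE, user_pwd TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (user_email, user_pwd) VALUES (?, ?)');
    $ins->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);
}

/**
 * Returns the user's id on success, or null when the e-mail is unknown or the
 * password does not verify. Both failures yield the same result so the
 * response does not reveal which accounts exist.
 */
function login(PDO $pdo, string $email, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, user_pwd FROM users WHERE user_email = ?');
    $stmt->execute([$email]);              // the value is bound, never interpolated
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false when no row matched; no rowCount() needed, and the
    // PDO docs do not guarantee rowCount() for SELECT across drivers anyway.
    if ($row === false) {
        // Verify against a syntactically valid bcrypt string (cost 10, all-zero
        // salt and digest) so the "no such user" path takes about as long as a
        // real check, blunting user-enumeration timing differences.
        password_verify($password, '$2y$10$' . str_repeat('0', 53));
        return null;
    }

    if (!password_verify($password, $row['user_pwd'])) {
        return null;
    }
    return (int) $row['id'];
}

$pdo = connect();
seed($pdo);

var_dump(login($pdo, 'alice@example.com', 'correct horse'));   // int(1)
var_dump(login($pdo, 'alice@example.com', 'wrong'));           // NULL
var_dump(login($pdo, "x' OR '1'='1", 'anything'));             // NULL: the quote is just data
```

Run it with `php login_example.php`. The third call is the classic injection string; because it is passed to `execute()` as a bound parameter, the database compares it to `user_email` as a literal and finds no row, which is the property the prepared statement in the question was meant to provide.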