错误:*分析错误:语法错误,第9行出现意外的T_VARIABLE*<--仍然给我同样的错误。。
PHP
<?php
#connect mysql
require_once "dbcred.php";
$dbh = testdb_connect ();
session_start();
$username = $_POST['regduser'];
$userpass = md5($_POST['regdpass']);
$sql = $pdo->prepare("SELECT * from Students WHERE regduser=:username and regdpass=:pass");
$sql->bindParam(':username', $username)
$sql->bindParam(':pass', $userpass)
$sql->execute();
$result = mysql_query($sql);
if (mysql_num_rows($result)!= 1) {
$error = "Login failed";
#include "loginform.php";
} else {
echo "<h1>exists</h1>";
#$_SESSION['regduser'] = "$username";
#$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
// any other data needed to navigate the site or
// to authenticate the user can be added here
#include "membersection.php";
}
?>
dbcred.php
<?php
# pdo_testdb_connect.php - function for connecting to the "test" database
function testdb_connect ()
{
$dbh = new PDO("mysql:host=localhost;dbname=#", "root", "");
return ($dbh);
}
?>
HTML:
<form action="inc/check_regUsr.php" method="post" id="userLogon">
<div class="field required">
Username: <input type="text" name="regduser" tabindex="1" /><br />
</div>
<div class="field required">
Password: <input type="text" name="regdpass" tabindex="2" /><br />
</div>
<input type="submit" name="submitUser" />
</form>
$sql = $dbh->prepare("SELECT * from Students WHERE regduser=:username and regdpass=:pass");
$sql->bindParam(':username', $username)
$sql->bindParam(':pass', $userpass)
$sql->execute();
Bobby Tables PHP。
如果您已经使用了PDO,那么请使用参数化查询来利用转义。此外,在查询中使用单引号并将字符串括起来。对字符串使用双引号,在查询中使用单引号,因为按照现在的方式,您已经在第一个单引号之后终止了字符串。
您需要在查询(句点(中放入字符串串联语法:
$sql = $pdo->prepare('SELECT * from Students WHERE regduser="'.addslashes($username).'" and regdpass="'.addslashes($userpass).'"');
您也可以在字符串中使用双引号,这意味着变量将在字符串中被替换。
$username = addslashes($username);
$sql = $pdo->prepare("SELECT * from Students WHERE regduser='$username' and regdpass='$userpass'");
我也转义了您的变量,您需要确保在查询中使用数据之前始终转义用户的数据,或者使用PDO用问号(?(
您需要将字符串放在双引号中。PHP认为该语句在第二个单引号字符处终止。
像这样:$sql=$pdo->prepare("SELECT*from Students WHERE regduser='$username'and regdpass='$userpass'"(;
您使用字符串串联的方式不对。第9行应该是这样的:
$sql = $pdo->prepare("SELECT * from Students WHERE regduser='$username' and regdpass='$userpass'");
或者这个,如果你想使用单引号:
$sql = $pdo->prepare('SELECT * from Students WHERE regduser='''.$username.''' and regdpass='''.$userpass.'''");
您的字符串构造已损坏:
$sql = $pdo->prepare('SELECT * from Students WHERE regduser='$username' and regdpass='$userpass'');
^--start string ^---end string
试试这个:
$sql = $pdo->prepare("SELECT * from Students WHERE regduser='$username' and regdpass='$userpass'");
^--double quote ^---ditto