当我在phpMyAdmin:中这样做时,我得到了一个结果
SELECT password, block FROM jml_users WHERE username = "user01"
然而,在我的PHP代码中,脚本找不到我的用户。我的$stmt->bind_param("s", $unsafe_user);有什么问题吗?
我也尝试过$stmt->bind_param("s", "user01");,但没有成功。
<?
include("dbinfo.php");
$unsafe_user = "user01";
$mysqli = new mysqli($loginURL, $dbusername, $dbpassword, $database);
LoginCheck();
// Kill connection
$thread_id = $mysqli->thread_id; // determine our thread id
$mysqli->kill($thread_id);
$mysqli->close();
function LoginCheck()
{
global $mysqli, $unsafe_user;
//Perpare Statement.
//if($stmt = $mysqli->prepare("SELECT password, block FROM jml_users WHERE (username) VALUES (?)")) // this returns false for some reason
if($stmt = $mysqli->prepare("SELECT password, block FROM jml_users WHERE username = ?")) //works, still safe form sql injection?
{
$stmt->bind_param("s", $unsafe_user);
$stmt->execute();
$stmt->bind_result($dbpw, $bdblock);
if($stmt->num_rows == 0)
{
echo "could not find user";
}
// Found user
else
{
echo "found user";
}
$stmt->close();
}
else
{
echo "Statement creation did not succeed";
}
}
?>
您注释掉的第一个查询是无效的MYSQL语法。这种类型的语法用于插入。
另外,除非在$stmt->execute();之后使用$stmt->store_result();,否则num_rows将无法使用准备好的语句。
请在文档中检查此答案。