尝试使用准备好的语句更新数据库中的字段

igetnqfo  于 2021-06-18  发布在  Mysql
关注(0)|答案(1)|浏览(358)

我已经在这一整天,在搜索了许多网站(包括这一个)后,我得出的结论是,我的问题没有被问之前可能是由于我的无能。
我在这里有一个准备好的声明,我想更新我的密码字段在我的数据库取决于用户名和电子邮件,它是更新和不插入的原因是因为它的一部分,我的安全不批准网站摄影师,直到他们已经被发送了一个链接

<?php
if (isset($_POST['approved-photographer'])) {
    require 'dbh.php';

    $username  = $_POST['username'];
    $email     = $_POST['mail'];
    $password  = $_POST['password'];
    $password2 = $_POST['password-repeat'];

    if (empty($username) || empty($email) || empty($password) || 
        empty($password2)) 
    {
        header("location:signup.php?error=emptyfields&username=" . $username 
    . "&mail=.$email");
        exit();
     } elseif ($password !== $password2) {
        header("location:approvedphoto.php?error=passwordcheck&username=" . 
        $username . "&mail=" . $email);
        exit();
    } else {
        $sql = "SELECT Password 
                FROM photographers 
                WHERE Username= '$username' 
                AND Email= '$email'";

    $stmt = mysqli_stmt_init($conn);
    if (!mysqli_stmt_prepare($stmt, $sql)) {
        header("location:approvedphoto.php?error=sqlerror");
        exit();
    } else {
        $sql = "INSERT INTO photographers (Password) VALUES (?)";
        $stmt = mysqli_stmt_init($conn);
        if (!mysqli_stmt_prepare($stmt, $sql)) {
            header("location:approvedphoto.php?error=sqlerror2");
            exit();
        } else {
            $hashedpwd = password_hash($password, PASSWORD_DEFAULT);

            mysqli_stmt_bind_param($stmt, "s", $hashedpwd);
            mysqli_stmt_execute($stmt);
            header("location:signin.php?signup=success");
            exit();
        }
        }
        }
        }

任何帮助都将不胜感激。谢谢你的阅读

0g0grzrc

0g0grzrc1#

mysqli用法的简单答案是没有绑定参数,可以使用 mysqli_stmt_bind_param (未来的读者,这最后一句话现在是不相关的编辑)。总的来说,编辑后的sql语句似乎不清楚,通常您要么更新密码(在这种情况下,您需要 WHERE 子句,这样您就不会更新每个人的密码),或者您应该使用密码插入一个新用户。
这是一个或多或少切题的答案,但我想把我的帽子扔进戒指的使用 PDO (而不是mysqli)。mysqli只使用一种数据库风格mysql。此外,它还允许一个面向对象的解决方案来处理数据库交互。下面是一个如何通过pdo实现这一点的示例:

//specifies the driver, ip/database etc. Swap out for your ip and database used
$driverStr = 'mysql:host=<ip>;dbname=<database>;charset=utf8';
//you can set some default behaviors here for your use, I put some examples
//I left a link below so you can see the different options
$options = [
    //spew exceptions on errors, helpful to you if you have php errors enabled
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false,
];

//substite what you need for username/password here as well, $options can be omitted
$conn = new PDO($driverStr, '<username>', '<password>', $options);

链接到上述属性
既然我们已经建立了联系:

//I used a "named parameter", e.g. :password, instead of an anonymous parameter
$stmt = $conn->prepare("UPDATE Photographers SET password = :password WHERE Username = :username");

//with our prepared statement, there's a few ways of executing it

//1) Using #bind*
//there's also #bindValue for not binding a variable reference
//for params, PARAM_STR is default and can be safely omitted
$stmt->bindParam(':password', $password, PDO::PARAM_STR);
$stmt->bindParam(':username', $username);
$stmt->execute();

//2) Using execute directly
$stmt->execute(['password' => $password, 'username' => $username]);

然后,如果语句是一个查询,而不仅仅是一个数据库更新/插入,我们就可以简单地检索语句的结果。通过使用#bindparam,您还可以更新变量的值,并根据需要重新执行语句,这对于其他语句可能很有用。

//see #fetch and #fetchAll's documentation for the returned data formatting
$results = $stmt->fetchAll(PDO::FETCH_OBJ); //return it as a php object
$results = $stmt->fetch(PDO::FETCH_NUM)[0]; //unsafely retrieve the first value as a number

这些年来,我发现这比任何一个 mysqli_* 甚至是被否决的 mysql_* 方法。

相关问题