PHP从select返回id
PHP从select返回id
提问于 2011-10-13 20:52:53
一段简单的PHP代码:
#login.php
$_SESSION['valid_user_id'] = getUserId($username, $password);
#user_auth_fns.php
function getUserId($username, $password)
{
$username = addslashes($username);
$username = mysql_real_escape_string($username);
$password = addslashes($password);
$password = mysql_real_escape_string($password);
$conn = db_connect();
$result = $conn->query("select id from user where username='$username' and password= sha1('$password')");
if (!$result) {
throw new Exception('Could not retrieve your user id.');
}
if ($result->num_rows > 0) {
return $result;
} else {
throw new Exception('Could not retrieve your user id.');
}
}"return $result“是错误的,但是我不知道应该放什么才能返回某个用户的id。PHP手册也没有提供答案。我知道这个函数是有效的,因为替换
通过return“$result”返回测试
按预期返回正确的值。
回答 6
Stack Overflow用户
回答已采纳
发布于 2011-10-13 20:58:26
$result只包含结果行的对象。要访问数据,您需要从result中获取行。
使用mysqli库:
$result = $conn->query("select id from user where username='$username' and password= sha1('$password')");
$row = $result->fetch_object(); // or $row = $result->fetch_array();
return $row->id;通过使用数组的mysql库:
$result = $conn->query("select id from user where username='$username' and password= sha1('$password')");
$row = $result->fetch_assoc();
return $row['id'];Stack Overflow用户
发布于 2011-10-13 20:58:36
if ($result->num_rows > 0) {
$row = mysql_fetch_row($result);
return $row['id'];
} else {
throw new Exception('Could not retrieve your user id.');
} 我会像这样重写整个函数:
function getUserId($username, $password)
{
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$conn = db_connect();
$result = $conn->query("SELECT id FROM user
WHERE username = '$username'
AND password = sha2(CONCAT(user.salt,'$password'),512)");
if (!$result) {
throw new Exception('Could not retrieve your user id.');
}
if ($result->num_rows > 0) {
$row = mysql_fetch_row($result);
return $row['id'];
} else {
throw new Exception('Could not retrieve your user id.');
}
} 防止XSS的
在从数据库回显任何值之前,对其进行清理:
echo htmlentities($row['username']);确保对这些散列加盐,否则就不能保证的安全
请注意,您需要向用户表中添加一个名为SALT的新字段。
ALTER TABLE user ADD COLUMN salt INTEGER NULL default NULL;因为密码是散列的,所以您需要时间来转换它们,请使用以下代码插入新条目:
INSERT INTO user (username, salt, password)
SELECT '$username', @salt, SHA2(CONCAT(@salt,'$password'),512)
FROM DUAL CROSS JOIN (SELECT @salt:= FLOOR(RAND()*99999999)) q;并使用以下代码测试有效密码:
SELECT id, COALESCE(salt,-1) as salt FROM user
WHERE username = '$username'
AND CASE WHEN salt IS NULL
THEN password = SHA1('$password)
ELSE password = SHA2(CONCAT(salt,'$password'),512) END;当salt结果为-1时,像这样更新用户表。
UPDATE user
CROSS JOIN (SELECT @salt:= FLOOR(RAND()*99999999)) q
SET salt = @salt, password = SHA2(CONCAT(@salt,'$username'),512); Stack Overflow用户
发布于 2011-10-13 20:57:11
来自php.net
// Use result
// Attempting to print $result won't allow access to information in the resource
// One of the mysql result functions must be used
// See also mysql_result(), mysql_fetch_array(), mysql_fetch_row(), etc.
while ($row = mysql_fetch_assoc($result)) {
echo $row['firstname'];
echo $row['lastname'];
echo $row['address'];
echo $row['age'];
}页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/7754423
复制相关文章
相似问题
腾讯云开发者
