如何将mysql函数转换为现代PDO

Question

我有一个登录系统，我一直在使用mysql函数，如real_escape_strings等。但现在我试图将其转换为PDO，因为它比mysql功能更现代。现在的问题是它不适用于PDO。以下是我的代码，请告诉我我该做什么错了。

<?php 
try { 
$con = new PDO('mysql:host=localhost;dbname=tish_database;charset=utf8','root',''); 

} catch(PDOException $e){ 
echo 'Connection failed'.$e->getMessage(); 
} 

?> 
<?php 
$is_ajax = $_POST['is_ajax']; 
    if(isset($is_ajax) && $is_ajax) 

    { 
$username =(isset($_POST['username']))? trim($_POST['username']): ''; 
$Password=(isset($_POST['Password']))? $_POST['Password'] : ''; 
$redirect=(isset($_REQUEST['redirect']))? $_REQUEST['redirect'] : 
'view.php'; 
$query ='SELECT username FROM tish_user WHERE '. 
'username="'.($username,$con).'" AND ' . 
    'Password = md5("'.($Password,$con).'")'; 
    $result = $con->prepare($query); 
    $result->execute(); 
     if(count($result)>0) 
     { 
     $_SESSION['username']=$username; 
$_SESSION['logged'] = 1; 
      echo "success"; 
     } 
     else { 
//set these explicitly just to make sure 

} 
    } 

?> 

Answer 1

删除所有无用的代码

<?php 
$con = new PDO('mysql:host=localhost;dbname=tish_database;charset=utf8','root',''); 

if(!empty($_POST['is_ajax'])) 
{ 
    $sql = 'SELECT id FROM tish_user WHERE username=? AND Password = md5(?)'; 
    $stm = $con->prepare($sql); 
    $stm->execute(array($_POST['username'],$_POST['Password'])); 
    if($row = $stm->fetch()) 
    { 
     $_SESSION['id'] = $row['id']; 
    } 
} 
?> 

后，你需要太检查字母大小写。大写'密码'看起来很可疑。最好选择一个标准（全部小写），并按照它无处不

这是我在How prepared statements can protect from SQL injection attacks?问题解释它是如何工作

Answer 2

$query ='SELECT username FROM tish_user WHERE username=? AND Password = md5(?))'; 
$result = $con->prepare($query); 
$result->execute(array($username, $password)); 

这将自动跳脱字符串为您服务。