简单的PHP登录页面帮助 - PHP，MySql，HTML

Question

我正尝试使用PHP/Html/MySql创建一个简单的登录/注册表单。我已经成功创建了注册表单（提交给我的数据库），但是我不太确定如何执行部分日志。以下是我迄今为止所尝试的。

我有两个模型，除了我的Database.php模型（持有数据库连接），客户端Data.php和ClientDataSet.php 一个login.php页面和一个login.phtml页面。

ClientData.php如下：

 <?php 
    require_once('Models/Database.php'); 
    require_once ('Models/ClientDataSet.php'); 

    class ClientData { 

    private $email, $password; 

    public function __construct($dbRow) { 
    $this->email = $dbRow['Email']; 
    $this->password = $dbRow['Password']; 
    }  

    public function getEmail() { 
    return $this->email; 
    } 

    public function getPassword() { 
    return $this->password; 
    } 
} 

ClientDataSet.php

 <?php 
require_once('Models/Database.php'); 
require_once ('Models/ClientData.php'); 

class ClientDataSet{ 
protected $_dbHandle, $_dbInstance; 

public function __construct() { 
    $this->_dbInstance = Database::getInstance(); 
    $this->_dbHandle = $this->_dbInstance->getdbConnection(); 
}   

    public function createClient($email, $password){ 
     $sqlQuery='INSERT INTO mydatabase_Client (Email, Password,) VALUES ('.  "'$email'".','. "'$password'".')'; 

    //echo $sqlQuery;// useful check to see what Query has been created 

    $statement = $this->_dbHandle->prepare($sqlQuery); // prepare a PDO statement 
    $statement -> execute(); 
    } 

    public function fetchClient($email, $password){ 
     $sqlQuery='SELECT * FROM mydatabase_Client WHERE (Email='. "'$email'".', Password='. "'$password'".')'; 

    //echo $sqlQuery;// useful check to see what Query has been created 

    $statement = $this->_dbHandle->prepare($sqlQuery); // prepare a PDO statement 
    $statement -> execute(); 
    } 
} 

的login.php

 <?php 
require_once('Models/Database.php'); 
require_once('Models/ClientData.php'); 
require_once('Models/ClientDataSet.php'); 
session_start(); 

$view = new stdClass(); 
$view->pageTitle ='Login'; 

if(isset($_POST['submit'])) {  
     $clientDataSet= new ClientDataSet(); 
     $clientDataSet->fetchClient($_POST['Email'], $_POST['Password']); 
} ?> 

<?php 

require_once('Views/login.phtml'); 

login.phtml

<?php require('template/header.phtml') ?> 
<h3>Login Page</h3> 
<p>If you have not already Registered. <a href="register.php">Register Here.</a></p> 
    <p><strong>Login</strong> using your <strong>email address</strong> and password.</p> 
    <table class="inputtable"> 
     <tr> 
      <td class="label">Email:</td> 
      <td class="inputtd"> 
       <input name="Email" type="email" class="standardwidth" /></td> 
     </tr> 
     <tr> 
      <td class="label">Password:</td> 
      <td class="inputtd"> 
       <input name="Password" type="password" class="standardwidth" /></td> 
     </tr> 
    </table> 
    <div> 
     <input type="submit" value="Login" name="submit"/> <input type="reset" value="Reset" name="reset"/> 
    </div> 

Answer 1

首先，不要串联字符串来构建查询。在mysql中使用PDO时，应该使用参数绑定。你创建你的SQL语句的方式让你无法接受SQL注入攻击。

在这里看到：现在How can I prevent SQL injection in PHP?

，到您的实际问题：你是不是使用HTML表单。您必须将输入元素封装在表单中，并使用正确的表单参数，否则浏览器将不会向服务器发送任何数据。

它会是这个样子：

<form name="login" action="html_form_action.php" method="post"> 

延伸阅读：HTML forms