1. 首頁
  2. 問答
  3. 獲取只有一個字段在PHP和mysqli的

獲取只有一個字段在PHP和mysqli的

2017-04-03 47 views
-4

我有以下代碼獲取只有一個字段在PHP和mysqli的

if (isset($_POST['change'])) { 
    $current = mysqli_real_escape_string($con, $_POST['current']); 
    $password = mysqli_real_escape_string($con, $_POST['password']); 
    $cpassword = mysqli_real_escape_string($con, $_POST['cpassword']); 

    if(strlen($password) < 6) { 
     $error = true; 
     $password_error = "Password must be minimum of 6 characters"; 
    } 
    if($password != $cpassword) { 
     $error = true; 
     $cpassword_error = "Password and Confirm Password doesn't match"; 
    } 

    if(mysqli_fetch_field(mysqli_query($con, "SELECT password FROM users WHERE id = '" . $_SESSION['usr_id'] . "' LIMIT 1")) != md5($current)) { 
     $error = true; 
     $confirm_error = "Your actual password is not correct"; 
    } 
}

的問題是在這裏:

mysqli_fetch_field(mysqli_query($con, "SELECT password FROM users WHERE id = '" . $_SESSION['usr_id'] . "' LIMIT 1"))

它給我的錯誤

PHP Catchable fatal error: Object of class stdClass could not be converted to string in /.../password.php on line 27

我曾嘗試與

mysql_result(mysqli_query($con, "SELECT password FROM users WHERE id = '" . $_SESSION['usr_id'] . "' LIMIT 1"), 0)

,但它不工作,它給了我

PHP Fatal error: Uncaught Error: Call to undefined function mysql_result() in /.../password.php:27

我不想使用mysqli_fetch_array()while循環。我搜索了一個功能或類似的東西,我發現了一些東西,但沒有爲我工作。

來源

2017-04-03 FelixFrog

+2

'mysqli_real_escape_string($ con,$ _POST ['password'])'你知道這樣做會適得其反。 –

+0

它可能與'mysqli_fetch_field'無關。轉儲'$ _SESSION ['usr_id']',並分隔你的mysqli_query和mysqli_fetch_field語句。當然,mysql_result不起作用,它不是一個mysqli函數。 – aynber

+0

'我不想使用mysqli_fetch_array()和while循環.' ....爲什麼? –

回答

0

我不認爲這是你最好的解決方案,但基於你問你可能想要使用mysqli_fetch_assoc。

$result = mysqli_query($con, "SELECT password FROM users WHERE id = '" . $_SESSION['usr_id'] . "' LIMIT 1"); 
$row = mysqli_fetch_assoc($result); 

if($row['password']!= md5($current)) { 
     $error = true; 
     $confirm_error = "Your actual password is not correct"; 
}

在下面的註釋中提到您應該使用參數化查詢。對於用戶密碼使用密碼哈希庫像http://www.openwall.com/phpass/或內置password_hash功能在PHP 5> = 5.5.0,PHP 7

要參數當前的查詢,並避免可能出現的SQL注入攻擊嘗試下面的代碼。

$mysqliConnection = new mysqli("localhost", "my_user", "my_password", "my_dbname"); 

/* check connection */ 
if ($mysqliConnection->connect_errno) { 
    echo "Failed to connect to MySQL: (" . $mysqliConnection->connect_errno . ") " . $mysqliConnection->connect_error; 
} 

$sql = "SELECT password FROM users WHERE id = ? LIMIT 1"; 
$stmt = $mysqliConnection->prepare($sql); 
$stmt->bind_param("i", $_SESSION['usr_id']); 
$stmt->execute(); 
$stmt->bind_result($password); 
$stmt->store_result(); 
$row = $stmt->fetch()

現在您可以使用$ password變量來檢查您使用的密碼散列。我希望這有幫助。

來源

2017-04-03 14:52:44

+0

它看起來像我誤解了問題並得到了downvoted理由。你願意解釋爲什麼這樣我才能說出來改進? –

+0

如果您發佈的答案沒有準備好的陳述[您可能想在發佈之前考慮這一點](http://meta.stackoverflow.com/q/344703/)。另外[一個更有價值的答案來自於顯示OP的正確方法](https://meta.stackoverflow.com/a/290789/1011527)。 –

+0

***你真的不應該使用[MD5密碼哈希](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)***,你真的應該使用PHP的[built-在函數中](http://jayblanchard.net/proper_password_hashing_with_PHP.html)來處理密碼安全性。在散列之前,請確保你[不要越過密碼](http://stackoverflow.com/q/36628418/1011527)或使用其他任何清理機制。這樣做*更改密碼並導致不必要的附加編碼。 –

0

你需要閱讀的文檔mysqli_fetch_field()

Returns the definition of one column of a result set as an object. Call this function repeatedly to retrieve information about all columns in the result set.

此功能不會在結果集中的一列返回,它返回有關列元數據。像列名,表名,數據類型,最大長度等

如果您捕捉領域和轉儲吧,你看:

$passhash = mysqli_fetch_field(mysqli_query($con, "SELECT password FROM users WHERE id = '" . $usr_id . "' LIMIT 1")); 
print_r($passhash);

輸出:

stdClass Object 
(
    [name] => password 
    [orgname] => password 
    [table] => users 
    [orgtable] => users 
    [def] => 
    [db] => test 
    [catalog] => def 
    [max_length] => 32 
    [length] => 65535 <-- I used TEXT for the password column 
    [charsetnr] => 8 
    [flags] => 16 
    [type] => 252 
    [decimals] => 0 
)

請注意,它作爲對象返回,而不是標量值。所以你不能直接比較你的md5($current)。它甚至沒有你正在尋找的價值。

這是我會怎麼寫你正在試圖做的代碼:

$sql = "SELECT password FROM users WHERE id = ? LIMIT 1"; 
$stmt = mysqli_prepare($con, $sql); 
$stmt->bind_param($stmt, "i", $_SESSION['usr_id']); 
$stmt->execute(); 
$result = $stmt->get_result(); 
$match = false; 
while ($row = $result->fetch_assoc()) { 
    if ($row['password'] == md5($current) { 
     $match = true; 
    } 
} 
if (!$match) { 
    $error = true; 
    $confirm_error = "Your actual password is not correct"; 
}

你其他錯誤:

Call to undefined function mysql_result()

mysql_result()功能已被棄用,它已經在PHP 7被刪除。它不會與mysqli_query()一起工作,因爲它是不同API的一部分,並且這兩個API不會混合使用。

mysqli_result(注意mysqli,而不是mysql)是資源類的名稱,而不是函數。

來源

2017-04-03 16:52:21

 相關問題

  • 暫無相關問題^_^