[MySqli扩展]①0--预处理语句防止SQL注入

test.php



    Login


登录页面

username: password:

doLogin.php

errno) {
    die('Connect Error ' . $mysqli->error);
}
$mysqli->set_charset('UTF8');
// The form values are taken as-is: no validation, no escaping.
$username = $_POST['username'];
// NOTE(review): md5 is an unsalted, fast hash and is not suitable for password storage;
// it is kept here only because the example's user table holds md5 values.
$password = md5($_POST['password']);
// VULNERABLE (this is the point of the example): $username is interpolated straight into
// the SQL text, so a crafted username can change the structure of the statement rather
// than just the value being compared. $password is hex output of md5() and cannot carry
// injection, so the username is the injectable field. The prepared-statement version in
// the next section binds the values instead of interpolating them.
$sql = "SELECT * FROM user WHERE username='{$username}' AND password ='{$password}'";
$mysqli_result = $mysqli->query($sql);
// query() returns false on error, so the truthiness check guards the num_rows access.
if ($mysqli_result && $mysqli_result->num_rows > 0) {
    echo "登录成功";
} else {
    echo "登录失败";
}
?>

预处理语句

errno) {
    // Abort on connection failure, echoing the driver's error text as the page's first example does.
    die('Connect Error ' . $mysqli->error);
}
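$mysqli->set_charset('UTF8');
// Missing form fields fall back to '' instead of raising an undefined-index warning.
$username = $_POST['username'] ?? '';
// NOTE(review): md5 is an unsalted, fast hash and is not suitable for password storage;
// it is kept only because the example's user table holds md5 values. A new system should
// store password_hash() output and check it with password_verify() after fetching the row.
$password = md5($_POST['password'] ?? '');
// The ? placeholders are bound by the driver, so user input never becomes part of the SQL
// text and cannot alter the statement's structure.
$sql = "SELECT * FROM user WHERE username=? AND password=?";
$mysqli_stmt = $mysqli->prepare($sql);
// prepare() returns false on failure; calling bind_param() on false is a fatal error.
if ($mysqli_stmt === false) {
    die('Prepare Error ' . $mysqli->error);
}
$mysqli_stmt->bind_param('ss', $username, $password);
if ($mysqli_stmt->execute()) {
    // store_result() buffers the rows client-side so num_rows is available.
    $mysqli_stmt->store_result();
    if ($mysqli_stmt->num_rows > 0) {
        echo "登录成功";
    } else {
        echo "登录失败";
    }
} else {
    // A failed execute() is reported to the user as a failed login rather than as silence;
    // the database error itself is not shown.
    echo "登录失败";
}
// Free the buffered result set
$mysqli_stmt->free_result();
// Close the prepared statement
$mysqli_stmt->close();
// Close the connection
$mysqli->close();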
?>
