{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 萌系小妹纸 的问题《Moving to mysqli [closed]》','https://www.manongdao.com/q-697071.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have decided to move over to mysqli as I keep getting flamed when people spot my mysql code :-)
Could someone verify the below is correct, it all works but I just want to make sure I am not doing something stupid or presenting a security risk before I move onto the rest of the site. This is the php for username/password check on login.
<?php
//Start session
session_start();
//Include database connection details
require_once('db_connect.php');
//Array to store validation errors
$errmsg_arr = array();
//Validation error flag
$errflag = false;
// cleanup POST variables
$username = mysqli_real_escape_string($mysqli, stripslashes(trim($_POST['username'])));
$password = mysqli_real_escape_string($mysqli, stripslashes(trim($_POST['password'])));
//Input Validations
if($username == '') {
$errmsg_arr[] = 'Username required';
$errflag = true;
}
if($password == '') {
$errmsg_arr[] = 'Password required';
$errflag = true;
}
//If there are input validations, redirect back to the login form
if($errflag) {
$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
session_write_close();
header("location: logon.php");
exit();
}
//Load and run query
$result = mysqli_query($mysqli, "SELECT * FROM auth WHERE username='$username' AND password='$password'");
if ($result->num_rows) {
//Login Successful
session_regenerate_id();
//Set session variables
$member = $result->fetch_assoc();
$_SESSION['SESS_MEMBER_ID'] = $member['ID'];
$_SESSION['SESS_USERNAME'] = $member['username'];
$_SESSION['SESS_FIRST_NAME'] = $member['fname'];
$_SESSION['SESS_PASSWORD'] = $member['password'];
$_SESSION['SESS_AUTH_LEVEL'] = $member['auth_level'];
session_write_close();
header("location: index");
exit();
}else {
//Login failed
$errmsg_arr[] = 'user name or password not found';
$errflag = true;
if($errflag) {
$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
session_write_close();
header("location: logon.php");
exit();
}
}
mysqli_close($mysqli);
?>
Many thanks!
Well, you would want to use prepared statements here, because you're not executing a static SQL query - that's what
mysqli_query()is to be used for.So, here's what you would need to do:
// cleanup POST variablessection.//Load and run querysection to use a prepared statement.First, we want to prepare it: http://php.net/manual/en/mysqli.prepare.php
$query = mysqli_prepare($mysqli, "SELECT * FROM auth WHERE username=? AND password=?");Then we want to give Mysqli what the ? marks are: http://www.php.net/manual/en/mysqli-stmt.bind-param.php
$query->bind_param('ss', $username, $password);Then, use
bind_resultandfetch(see index at http://www.php.net/manual/en/class.mysqli-stmt.php) to get the result and store into the session variables.