未定義的變量：num

Question

我想創建一個簡單的登錄系統，我查詢用戶提供的用戶名是否存在於數據庫中。但是我在取回rowcount時遇到了問題。我一直在獲取不確定的變量num： error.I也嘗試過使用，

$num = $stmt->rowCount(); 

但然後我得到了調用一個成員函數rowCount時（）一個非對象error.I很新的PHP和web開發，這讓我感到困惑，我不要不知道如何讓它工作，有人可以幫我嗎？這裏是db.php文件的代碼

<?php 
require "config.php"; 


function DBconnect($config) { 
    try { 
     $conn = new PDO('mysql:host=localhost;dbname=' . $config['database'], 
         $config['username'], 
         $config['password']); 

     $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 

     return $conn; 
    } catch(Exception $e) { 
     return false; 
    } 
} 

function query($query, $bindings, $conn) { 
    $stmt = $conn->prepare($query); 
    $stmt->execute($bindings); 

    return $stmt; 
} 

這裏是index.php文件的代碼，它是登錄頁面。

<?php 

// Allow sessions to be passed so we can see if the user is logged in 
session_start(); 

// include the necessary files 
require "db.php"; 
require "functions.php"; 
include "index.view.php"; 


//conect to the database so we can check, edit or ,data to our users table 
$conn = DBconnect($config); 

// if the user has submitted the form 
if($_SERVER["REQUEST_METHOD"] === "POST") { 

    //protect the posted value then store them to variables 
    $username = protect($_POST["username"]); 
    $password = protect($_POST["password"]); 

    //Check if the username or password boxes were not filled in 
    if (!$username || !$password){ 
     // if not display an error message. 
     echo "You need to fill in a username and password!"; 
    }else 
     // if correct continue cheking 

     //select all the rows where the username and password match the ones submitted by the user 
     query( "SELECT * FROM users WHERE username = :username", 
       array("username" => $username), 
       $conn); 
     $num = $stmt->fetchColumn(); 


     //check if there was not a match 
     if($num == 0) { 
      //if not display an error message 
      echo "The username you entered does not exist!"; 
     }else{ 
      //if there was a mactch continue chekcing 

      //select all rows where the username and password match the ones submitted by the user 
      query("SELECT * FROM users WHERE username =:username && password = :pasword", 
        array("username" => $username, "password" => $password), 
        $conn); 
      $num = $stmt->fetchColumn();  

      //check if there was not a match 
      if($num == 0) { 
       //if not display error message 
       echo "Username and password do not mactch"; 
      }else { 
       //if there was continue checking 

       //split all the fields from the correct row into an associative array 
       $row = $user->fetch(PDO::FETCH_ASSOC); 
       //check to see if the user has not activated their account 
       if($row["active"] != 1) { 
        //if not display an error message 
        echo "You have not yet activated your account!"; 
       }else { 
        //if so then log them in 

        // set the login session storing their id. We use this to 
        // see if they are logged in or not. 
        $_SESSION["uid"] = $row["id"]; 
        //show message confirming that they are loggd in 
        echo "You have succesfully logged in!"; 
        //update the online field to 50 seconds in the future 
        $time = date("u")+50; 
        query("UPDATE users SET online = :time WHERE id = :id", 
          array("time" => $time, "id" => $_SESSION["uid"]), 
          $conn); 
        //redirect them to the usersonline page 
        header("Location: usersOnline.php"); 
       } 
      } 


    } 
}   

Answer 1

你錯過了搶$stmt爲query()返回值。切換到來電：

$stmt = query(....); 
$num = $stmt->rowCount(); 

---

請注意，它被認爲是不安全作出詳細通知有關

• 的用戶名是錯誤的
• 的密碼是錯誤的
• 兩者是錯誤。

如果這樣做，攻擊者很容易獲得有效的用戶名。擁有用戶名的Onece需要更少的努力才能獲得有效帳戶的密碼。

另外，我不會使用rowCount()，因爲行數不會被每個數據庫驅動程序返回。因此，如果您曾經使用過不同的數據庫，代碼可能會失敗。

變化THG查詢：

SELECT count(*) AS number_of_rows, * FROM users WHERE username =:username && password = :pasword" 

...然後取出從結果集 'NUMBER_OF_ROWS'：

if (!$username || !$password){ 
    // if not display an error message. 
    echo "You need to fill in a username and password!"; 
}else 

    //select the number of rows where the username and password match the ones submitted by the user 
    query( "SELECT count(*) as number_of_records, * FROM users WHERE username = :username AND password = :password", 
      array("username" => $username, "password" => "$password"), 
      $conn); 
    $record = $stmt->fetch(); 
    if($record['number_of_records'] !== '1') { 
     echo 'wrong username and/or password'; 
    } 
} 

此外應注意：DO絕不會存儲未加密的密碼數據庫中的

取而代之，你應該存儲密碼散列鹽漬單向散列函數如sha1或md5。爲了簡潔起見，我不會在這裏舉一個例子。我會谷歌這個或要求提出另一個問題。

Answer 2

您的query()函數返回一個語句，但您不保存您調用它的返回值。

變化

query(.....); 

到

$stmt = query(.....); 

Answer 3

我無法忍受這樣臃腫的代碼。 所以，這裏是一個正確的版本，沒有所有無用的和不必要的錯誤代碼：

if($_SERVER["REQUEST_METHOD"] == "POST") { 
    $sql = "SELECT id,active FROM users WHERE username=? && password=?"; 
    $stm = query($sql, array($_POST["username"], $_POST["password"]), $conn); 
    $row = $stm->fetch(PDO::FETCH_ASSOC); 
    if(!$row) { 
     echo "Username and password do not mactch"; 
    } elseif($row["active"] != 1) { 
     echo "You have not yet activated your account!"; 
    } else { 
     $_SESSION["uid"] = $row["id"]; 
     $time = date("u")+50; 
     $sql = "UPDATE users SET online=? WHERE id=?"; 
     query($sql, array($time, $row["id"]), $conn); 
     header("Location: usersOnline.php"); 
     exit; 
    } 
}