簡單的PHP登錄頁面幫助 - PHP，MySql，HTML

Question

我正嘗試使用PHP/Html/MySql創建一個簡單的登錄/註冊表單。我已經成功創建了註冊表單（提交給我的數據庫），但是我不太確定如何執行部分日誌。以下是我迄今爲止所嘗試的。

我有兩個模型，除了我的Database.php模型（持有數據庫連接），客戶端Data.php和ClientDataSet.php 一個login.php頁面和一個login.phtml頁面。

ClientData.php如下：

 <?php 
    require_once('Models/Database.php'); 
    require_once ('Models/ClientDataSet.php'); 

    class ClientData { 

    private $email, $password; 

    public function __construct($dbRow) { 
    $this->email = $dbRow['Email']; 
    $this->password = $dbRow['Password']; 
    }  

    public function getEmail() { 
    return $this->email; 
    } 

    public function getPassword() { 
    return $this->password; 
    } 
} 

ClientDataSet.php

 <?php 
require_once('Models/Database.php'); 
require_once ('Models/ClientData.php'); 

class ClientDataSet{ 
protected $_dbHandle, $_dbInstance; 

public function __construct() { 
    $this->_dbInstance = Database::getInstance(); 
    $this->_dbHandle = $this->_dbInstance->getdbConnection(); 
}   

    public function createClient($email, $password){ 
     $sqlQuery='INSERT INTO mydatabase_Client (Email, Password,) VALUES ('.  "'$email'".','. "'$password'".')'; 

    //echo $sqlQuery;// useful check to see what Query has been created 

    $statement = $this->_dbHandle->prepare($sqlQuery); // prepare a PDO statement 
    $statement -> execute(); 
    } 

    public function fetchClient($email, $password){ 
     $sqlQuery='SELECT * FROM mydatabase_Client WHERE (Email='. "'$email'".', Password='. "'$password'".')'; 

    //echo $sqlQuery;// useful check to see what Query has been created 

    $statement = $this->_dbHandle->prepare($sqlQuery); // prepare a PDO statement 
    $statement -> execute(); 
    } 
} 

的login.php

 <?php 
require_once('Models/Database.php'); 
require_once('Models/ClientData.php'); 
require_once('Models/ClientDataSet.php'); 
session_start(); 

$view = new stdClass(); 
$view->pageTitle ='Login'; 

if(isset($_POST['submit'])) {  
     $clientDataSet= new ClientDataSet(); 
     $clientDataSet->fetchClient($_POST['Email'], $_POST['Password']); 
} ?> 

<?php 

require_once('Views/login.phtml'); 

login.phtml

<?php require('template/header.phtml') ?> 
<h3>Login Page</h3> 
<p>If you have not already Registered. <a href="register.php">Register Here.</a></p> 
    <p><strong>Login</strong> using your <strong>email address</strong> and password.</p> 
    <table class="inputtable"> 
     <tr> 
      <td class="label">Email:</td> 
      <td class="inputtd"> 
       <input name="Email" type="email" class="standardwidth" /></td> 
     </tr> 
     <tr> 
      <td class="label">Password:</td> 
      <td class="inputtd"> 
       <input name="Password" type="password" class="standardwidth" /></td> 
     </tr> 
    </table> 
    <div> 
     <input type="submit" value="Login" name="submit"/> <input type="reset" value="Reset" name="reset"/> 
    </div> 

Answer 1

首先，不要串聯字符串來構建查詢。在mysql中使用PDO時，應該使用參數綁定。你創建你的SQL語句的方式讓你無法接受SQL注入攻擊。

在這裏看到：現在How can I prevent SQL injection in PHP?

，到您的實際問題：你是不是使用HTML表單。您必須將輸入元素封裝在表單中，並使用正確的表單參數，否則瀏覽器將不會向服務器發送任何數據。

它會是這個樣子：

<form name="login" action="html_form_action.php" method="post"> 

延伸閱讀：HTML forms