Date: 2014-05-16 Views: 20568
Object-oriented programming is used far more widely in PHP5. Here we implement only a simple db_class database access class and use it for login verification:
Implementation of the db_class.php class:
<?php
class dbclass
{
    public $connection;   // mysql link resource
    public $result;       // result resource of the last query
    public $fetch_num;    // row count of the last result

    // Note: the mysql_* extension is PHP5-era; it was deprecated in 5.5 and removed in PHP 7.
    function connect_db($host, $user, $password)
    {
        if (($this->connection = mysql_connect($host, $user, $password)) == FALSE) {
            die("Cannot connect to the database. Error code: " . mysql_error());
        }
    }

    function select_db($dbname, $connection)
    {
        if (mysql_select_db($dbname, $connection) == FALSE) {
            die("Cannot select the database. Error code: " . mysql_error());
        }
    }

    function db_query($sql)
    {
        $result = mysql_query($sql);
        if ($result == FALSE) {
            die("mysql_query execute error. Error code: " . mysql_error());
        }
        $this->result = $result;
    }

    function fetch_num($result)
    {
        $this->fetch_num = mysql_num_rows($result);
    }
}
?>
Login verification: login.php
<?php session_start(); ?>
<?php
require_once("config.php");   // defines HOST, USER, PASSWD, DB
require_once("dbclass.php");
if (count($_POST) > 0 && isset($_POST["username"]) && isset($_POST["password"])) {
    $my_db_class = new dbclass();
    $my_db_class->connect_db(HOST, USER, PASSWD);
    $my_db_class->select_db(DB, $my_db_class->connection);
    // escape both user-supplied values before they are placed in the SQL string
    $sql = sprintf("SELECT * FROM users WHERE user_name = '%s' AND user_pwd = '%s'",
        mysql_real_escape_string($_POST["username"]),
        mysql_real_escape_string($_POST["password"]));
    $my_db_class->db_query($sql);
    $my_db_class->fetch_num($my_db_class->result);
    if ($my_db_class->fetch_num == 1) {
        $_SESSION["YES"] = TRUE;
        $host = $_SERVER["HTTP_HOST"];
        $path = dirname($_SERVER["PHP_SELF"]);
        header("Location:http://$host$path/home.php");
        exit;   // stop here; the login form below must not be rendered after the redirect
    }
}
?>
<html>
<head>
<title>Login web</title>
</head>
<body>
<?php if (count($_POST) > 0) echo "Invalid_login"; ?>
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="username" value="<?php echo isset($_POST["username"]) ? htmlspecialchars($_POST["username"]) : ""; ?>"/></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password"/></td>
</tr>
<tr>
<td><input type="submit" value="Submit"/></td>
</tr>
</table>
</form>
</body>
</html>
A few points worth noting here:
1. Creating an instance of a class: $my_db_class = new dbclass() ;
2. Accessing a property or a method of the class: $my_db_class->result (property) ; $my_db_class->connect_db(HOST,USER,PASSWD) (method);
3. Preventing SQL injection when running database operations: $sql = sprintf("SELECT * FROM users WHERE user_name = '%s' AND user_pwd = '%s' " , mysql_real_escape_string($_POST["username"]) , mysql_real_escape_string($_POST["password"])) ;
Note:
For security reasons, we do not run the query, fetch a $row associative array, and then compare it against username and password in PHP, i.e.:
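As an added example (not code from the original post), the same login check written against the mysqli extension with a prepared statement, so the user-supplied values are bound as parameters instead of being escaped and interpolated into the SQL text. The class name dbclass_prepared, the method count_matching_users and the HOST/USER/PASSWD/DB constants are assumptions standing in for the post's config.php values.

```php
<?php
// Added example, not the original post's code: login check with mysqli prepared statements.
// HOST, USER, PASSWD and DB are placeholders for the constants config.php defines.
class dbclass_prepared
{
    public $connection;   // mysqli object

    function connect_db($host, $user, $password, $dbname)
    {
        $this->connection = new mysqli($host, $user, $password, $dbname);
        if ($this->connection->connect_error) {
            die("Cannot connect to the database. Error: " . $this->connection->connect_error);
        }
        // Fix the connection charset so escaping and collation cannot disagree
        $this->connection->set_charset('utf8mb4');
    }

    // Returns how many users rows match the credentials. The two values are bound
    // with bind_param and never become part of the SQL string, so no escaping is needed.
    function count_matching_users($username, $password)
    {
        $stmt = $this->connection->prepare(
            "SELECT COUNT(*) FROM users WHERE user_name = ? AND user_pwd = ?"
        );
        if ($stmt === false) {
            die("prepare failed. Error: " . $this->connection->error);
        }
        $stmt->bind_param('ss', $username, $password);
        $stmt->execute();
        $stmt->bind_result($count);
        $stmt->fetch();
        $stmt->close();
        return (int) $count;
    }
}

session_start();
if (isset($_POST['username'], $_POST['password'])) {
    $db = new dbclass_prepared();
    $db->connect_db(HOST, USER, PASSWD, DB);
    // Same plaintext user_pwd column as the post; in production store password_hash()
    // output there and check it with password_verify() after fetching the row.
    if ($db->count_matching_users($_POST['username'], $_POST['password']) === 1) {
        session_regenerate_id(true);   // issue a fresh session id once authenticated
        $_SESSION['YES'] = TRUE;
        header("Location: home.php");
        exit;                          // nothing after the redirect should be rendered
    }
}
?>
```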
if ( ($row["user_name"]==$_POST["username"])&&($row["user_pwd"]==$_POST["password"]) )