调用未定义的方法PDO :: execute()
问题描述:
我正在尝试对页面登录进行编码,但在此错误下我被阻止了
i'm trying to code a page login but i was stopper at this error
请在这里告诉我错误的事情
pliz tell me the wrong thing here
<?php
@session_start();
include("../../connexion/connexion.php");
class login_class {
public $user;
public $password;
public $connexion;
public function check_login() {
try {
$cn = new class_connect();
$this->connexion = $cn->connect(null);
$result = $this->connexion->execute("select * from user where username='$this->user' and password='$this->password'");
$data = $result->fetchAll(PDO::FETCH_OBJ);
if (!empty($data[0]->id_user)) {
return true;
}else {
return false;
}
}catch(PDOException $ex) {
echo $ex->getMessage();
}
}
public function __construct($user) {
if($user){
$this->user = $user["username"];
$this->password = $user["password"];
}
}
}
?>
答
->execute()适用于准备好的语句.例如
->execute() is for prepared statements. e.g.
$stmt = $dbh->prepare('some query here');
$stmt->execute();
您正在尝试直接在主数据库对象上执行查询.对于PDO,这意味着
You're trying to execute a query directly on the main DB object. For PDO, that means
$dbh->exec('query goes here');
您确实应该研究准备好的语句.您很容易受到 SQL注入攻击的影响,并且由于您使用的是PDO,因此基本上是不可原谅的不要编写安全的查询.
You really should look into prepared statements. You're vulnerable to SQL injection attacks as is, and since you're using PDO to begin with, it's basically unforgivable to NOT be writing safe queries.