I am working on a website with a login and an admin panel and I would like to know whether I coded it correctly using prepared statements. The code is below.
connect.php
<?php
try {
    $conn = new PDO('mysql:host=localhost;dbname=name', 'user', '');
    // Throw exceptions on errors so failed queries are not silently ignored
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch (PDOException $e) {   // class name was misspelled as "PDOExpetion"
    echo $e->getMessage();
    die();
}
?>
login.php
<?php
ob_start();
include('connect.php');
session_start();

if (isset($_POST['login_btm']))
{
    $username = $_POST['user'];
    $pass = $_POST['pass'];

    // Named placeholders: the user input is bound, not concatenated into the SQL
    $sql = "SELECT * FROM users WHERE username=:username AND pass=:pass";
    $query = $conn->prepare($sql);
    $query->execute(array(
        ':username' => $username,
        ':pass' => $pass
    ));
    $rows = $query->fetch();

    // Check the fetched row; rowCount() is not guaranteed for SELECT statements
    if ($rows !== false)
    {
        $_SESSION['id'] = $rows['id_user'];
        $_SESSION['username'] = $username;
        header('Location: overview.php');
        exit();   // stop the script after the redirect
    }
    else
    {
        $_SESSION['message'] = 'Username/parola gresit/a';
        header('Location: index.php');
        exit();
    }
}   // closing brace of the outer if was missing
?>
Is there (also) another method to avoid SQL injection?
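The following is an added example, not the original poster's code. It keeps the prepared-statement pattern from the post and adds the two things a reviewer would point out: the password is compared against a stored hash with password_verify() instead of being matched in the SQL, and the script exits after the redirect. It assumes a hypothetical `pass_hash` column in the `users` table (holding a password_hash() result) and the `$conn` PDO handle from connect.php.

```php
<?php
// Added example (not the original poster's code). Assumes a `users` table with
// columns id_user, username and pass_hash (hypothetical column holding a
// password_hash() result) and a $conn PDO handle created by connect.php.
declare(strict_types=1);

session_start();
require __DIR__ . '/connect.php';

/**
 * Look up a user by name with a prepared statement and verify the submitted
 * password against the stored hash. Returns the user row or null on failure.
 */
function authenticate(PDO $conn, string $username, string $password): ?array
{
    // Bound parameter: the user input never becomes part of the SQL text,
    // so quotes or comment sequences in $username cannot change the query.
    $stmt = $conn->prepare(
        'SELECT id_user, username, pass_hash FROM users WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the account does not exist, so a
    // missing username costs roughly the same time as a wrong password.
    $hash = $row['pass_hash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return null;
    }

    // Transparently upgrade the stored hash if the default algorithm or cost changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $conn->prepare('UPDATE users SET pass_hash = :hash WHERE id_user = :id');
        $upd->execute([
            ':hash' => password_hash($password, PASSWORD_DEFAULT),
            ':id'   => $row['id_user'],
        ]);
    }
    return $row;
}

if (isset($_POST['login_btm'])) {
    $user = authenticate(
        $conn,
        (string)($_POST['user'] ?? ''),
        (string)($_POST['pass'] ?? '')
    );

    if ($user !== null) {
        session_regenerate_id(true);      // fresh session id after a successful login
        $_SESSION['id'] = $user['id_user'];
        $_SESSION['username'] = $user['username'];
        header('Location: overview.php');
        exit();                           // nothing below must run after the redirect
    }

    $_SESSION['message'] = 'Username/parola gresit/a';
    header('Location: index.php');
    exit();
}
```

Prepared statements with bound parameters are the primary defence against SQL injection; the same protection is available through mysqli's prepared statements. Placeholders cannot be used for table or column names, so if those ever come from user input they have to be checked against a fixed list of allowed values in the application code.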