用PDO扩展连接mysql数据库 实现用户登录时防sql注入的处理

PDO扩展连接mysql数据库

<?php
//配置数据库信息
$config= [
     'type'     => $type ?? 'mysql'
    ,'username' => $username ?? 'root'
    ,'password' => $password ?? '123456'
    ,'host'     => $host ?? 'localhost'
    ,'port'     => $port ?? '3306'
    ,'charset'  => $charset ?? 'utf8'
    ,'dbname'   => 'mydb' ];

$dsn = sprintf('%s:host=%s;port=%s;charset=%s;dbname=%s'
        ,$config['type']
        ,$config['host']
        ,$config['port']
        ,$config['charset']
        ,$config['dbname']);

//连接数据库
try {
    $pdo = new PDO($dsn, $config['username'], $config['password']);
} catch (PDOException $e) {
    die('Connection error : ' . $e->getMessage());
}

//接受前端传过来的参数
if ( 'login' == $_POST['a'] ){
$n = isset($_POST['username']) ? $_POST['username'] : null;
$p = isset($_POST['password']) ? $_POST['password'] : null;
$p = md5($p);

//使用预处理，防止sql注入攻击

// 准备预处理sql语句
$sql = "SELECT * FROM `webuser` WHERE `username`= ? and `password` = ? ";

// 准备要执行的语句，并返回语句对象
$stmt = $pdo->prepare($sql);

// 执行一条预处理语句
$stmt->execute(array($n,$p));

//返回结果集
$res = $stmt->fetchAll(PDO::FETCH_ASSOC);

if($res){
    echo '登陆成功';
}else{
    echo '帐号或密码不正确';}
}
?>

<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>用户登录</title>
</head><body>
<form action="" method="POST">
<input type = 'hidden' name = 'a' value = 'login' >
<table border = '1' >
<tr><td>帐号:</td><td><input type = 'text' name = 'username' ></td></tr>
<tr><td>密码:</td><td><input type = 'password' name = 'password' ></td></tr>
<tr><td colspan = '2' style = 'text-align:center'><input type = 'submit' value = '登 陆'></td></tr>
</table></form></body>
</html>