PDO - 致命错误:在非对象上调用成员函数 fetch()

PDO - Fatal error: Call to a member function fetch() on a non-object(PDO - 致命错误:在非对象上调用成员函数 fetch())
本文介绍了PDO - 致命错误:在非对象上调用成员函数 fetch()的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!


如果我尝试运行以下 PHP 代码,我会得到一个

if I try to run the following PHP code, I get a

在非对象上调用成员函数 fetch().

Call to a member function fetch() on a non-object.


Do you know why? I use the same code on another site, where it works just fine.

$username = ($_GET ['user']);
try {
    $dbh = new PDO("mysql:host=localhost;dbname=***", '***', '***');    
} catch (PDOException $e) {
    echo $e->getMessage();
$sth = $dbh->query( "SELECT user, captcha 
    FROM xf_captcha WHERE user='$username'" );


$sth = $dbh->query( "SELECT username, user_state, last_activity, alerts_unread, conversations_unread, message_count 
    FROM xf_user WHERE username='$user'" );
$row = $sth->fetch();



Does this look safe, should I do more ?

$username = ($_GET ['user']);
try {
    $dbh = new PDO("mysql:host=localhost;dbname=***", '***', '***');
} catch (PDOException $e) {
    echo $e->getMessage();
$sth = $dbh->prepare("SELECT username, captcha, timestamp 
    FROM xf_captcha 
    WHERE username = :username", array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$sth->execute(array(':username' => $username));


你的代码在问题的顶部有变量 $username,但是你有 $user在底部.

Your code has the variable $username in the top part of your question, but you then have $user in the bottom section.


Are you perhaps meaning to use the same variable?

$username = ($_GET ['user']);
$sth = $dbh->query( "SELECT username, user_state, last_activity, alerts_unread, conversations_unread, message_count 
  FROM xf_user WHERE username='$user'" );
  //                           ^^ Should this ALSO be $username ?   
$row = $sth->fetch();

好的,现在你的 PDO::ATTR_EMULATE_PREPARES 很可爱.观察这一点:

Okay, now you are just being cute with your PDO::ATTR_EMULATE_PREPARES. Observe this:


Database changed
mysql> show tables
    -> ;
| Tables_in_prep |
| users          |
1 row in set (0.00 sec)

mysql> select * from users;
| id | userid  | pass   |
|  1 | Fluffeh | mypass |
1 row in set (0.00 sec)

还有一些从你的复制而来的 PHP 代码,添加了 PDO 属性:

And some PHP code that is copied from yours, with the added PDO attribute:

    //$username = ($_GET ['user']);

    $dbh = new PDO('mysql:host=localhost;dbname=prep', 'prepared', 'example');

    $sth = $dbh->query( "SELECT userid, pass FROM users WHERE userid='$username'" );
    echo "Trying to use $username.
    echo "----------------------------------------


    //$username = ($_GET ['user']);

    $dbh = new PDO('mysql:host=localhost;dbname=prep', 'prepared', 'example');

    $sth = $dbh->query( "SELECT userid, pass FROM users WHERE userid='$username'" );
    echo "Trying to use $username.
    echo "----------------------------------------


    //$username = ($_GET ['user']);
    $username="Oh my' or 1=1 or 'm=m";

    $dbh = new PDO('mysql:host=localhost;dbname=prep', 'prepared', 'example');

    $sth = $dbh->query( "SELECT userid, pass FROM users WHERE userid='$username'" );
    echo "Trying to use $username.
    echo "----------------------------------------


    //$username = ($_GET ['user']);
    $username="(select id from users limit 1)";

    $dbh = new PDO('mysql:host=localhost;dbname=prep', 'prepared', 'example');

    $sth = $dbh->query( "SELECT userid, pass FROM users WHERE id='$username'" );
    echo "Trying to use $username.
    echo "----------------------------------------


    //$username = ($_GET ['user']);
    // Changed this one to be a non-string, you might be checking an ID instead.
    $username="(select id from users limit 1)";

    $dbh = new PDO('mysql:host=localhost;dbname=prep', 'prepared', 'example');

    $sth = $dbh->query( "SELECT userid, pass FROM users WHERE id=$username" );
    echo "Trying to use $username.
    echo "----------------------------------------


    //$username = ($_GET ['user']);
    $username="bob'; drop table users;   
    // This one is tricker to do in PHP code. I could easily enter this into a text field however.

    $dbh = new PDO('mysql:host=localhost;dbname=prep', 'prepared', 'example');

    //$sth = $dbh->query( "SELECT userid, pass FROM users WHERE id='$username'" );
    echo "Trying to use $username.
    echo "----------------------------------------



    Trying to use Fluffeh.
stdClass Object
    [userid] => Fluffeh
    [pass] => mypass

    Trying to use user2693017.

    Trying to use Oh my' or 1=1 or 'm=m.
stdClass Object
    [userid] => Fluffeh
    [pass] => mypass

    Trying to use (select id from users limit 1).

    Trying to use (select id from users limit 1).
stdClass Object
    [userid] => Fluffeh
    [pass] => mypass

    Trying to use bob'; drop table users;   


Oh, the reason I left the last one till LAST is this output now in my database:

mysql> show tables;
Empty set (0.00 sec)

是的,没错,我刚刚丢了一张桌子.让我再说一遍,我有一个 select 语句,我用一个小技巧输入了一个值,任何有半脑和一些恶意意图的人都可以在文本字段中执行,然后删除你的表.

Yes, that's right, I just dropped a table. Let me say that again, I had a select statement, and with a little trickery I entered in a value that ANYONE with half a brain and some malicious intent could do into a text field, and DROPPED YOUR TABLE.

现在,当然,如果您设置正确,您可能会为 select 语句设置一个不同的用户,并且只授予他们数据库中的 select 权限,以停止这种事情正在发生 - 但老实说......你不是吗?

Now, granted, if you are setting things up properly, you might well set up a different user for the select statements, and only grant them select rights from your database, to stop this sort of thing happening - but lets be honest... you aren't are you?


Clearly setting that emulation is not enough. Seriously, now PLEASE do go read that answer, use prepared statements and use params if you want to be secure in your code.

这篇关于PDO - 致命错误:在非对象上调用成员函数 fetch()的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!



Convert JSON integers and floats to strings(将JSON整数和浮点数转换为字符串)
in php how do I use preg replace to turn a url into a tinyurl(在php中,如何使用preg替换将URL转换为TinyURL)
all day appointment for ics calendar file wont work(ICS日历文件的全天约会不起作用)
trim function is giving unexpected values php(Trim函数提供了意外的值php)
Basic PDO connection to MySQL(到MySQL的基本PDO连接)
PHP number_format returns 1.00(Php number_Format返回1.00)