我无法登录。当点击按钮登录时,显示错误的用户名或密码。数据库是id,用户名,密码和级别。选择id,username,password,level FROM login
<?php
ob_start();
$message = "";
if ( isset ($_POST['login']))
{
include 'admin/dbconnect.php';
$username = $_POST['username'];
$password = $_POST['password'];
if ($username != "" && $password != "")
{
$sql = "SELECT * FROM login WHERE username = '$username' and password = '$password' ";
$result = mysql_query($sql) ;
$row = mysql_fetch_array($result, MYSQL_ASSOC);
if (mysql_num_rows($result) ==1)
{
session_start();
$_SESSION['isLogged_in'] = true;
$_SESSION['username'] = $row['username'];
$_SESSION['level'] = $row['level'];
$message = 'Logged-in successfully';
}
else
{
$message = 'WRONG USERNAME OR PASSWORD';
}
}
else
{
$message = 'PLEASE RE-INPUT YOUR USERNAME AND PASSWORD';
}
}
?>
答案 0 :(得分:1)
使用mysql_escape_string来防止sql注入,如果你有php 5.5.0或更高版本,你应该使用类似mysqli的东西,因为所有的mysql_命令都已弃用。
$sql = sprintf("SELECT * FROM login WHERE username = '%s' and password = '%s'", mysql_real_escape_string($username), mysql_real_escape_string($password));
至于实际问题,可能正如其他人所说(数据库连接)而且只是为了安全而言:(对于多个条目,如果可能的话)
if (mysql_num_rows($result))
答案 1 :(得分:-2)
你可以尝试使用:
SELECT * FROM login WHERE username = '$username' and password = '$password' LIMIT 1
LIMIT 1最后。
也许您有多个行匹配相同的用户名和密码。