我查看http://www.phpportalen.net/wiki/index.php?page=Enkel+inloggning+med+MySql+och+sessioner如何进行简单登录。
但是当我尝试登录时,它说用户名或密码错误。所以我猜我的控制文件中的东西是不对的,我在那里检查用户数据和密码到数据库。
在我看过的例子中,他们在同一页面上都有,所以我猜我需要改变比我更多。
这是loginside中的代码:
<?php
session_start();
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title></title>
<link href="stylesheet.css" media="screen" rel="stylesheet" type="text/css" />
</head>
<body>
<?php
if(!isset($_SESSION["sess_user"])){
if(isset($_GET['badlogin'])){
echo "Fel användarnamn eller lösenord, försök igen!";
}
?>
<form method="post" action="check.php">
<p>User</p>
<input name="user" type="text" />
<p>Password</p>
<input name="password" type="text" />
<input name="logIn" type="submit" value="Log in" />
</form>
<?php
}
else{
header("Location: admin.php");
}
?>
</body>
</html>
这是我控制端的代码:
<?php
session_start();
?>
<?php
function db_escape($post){
if(is_string($post)){
if(get_magic_quotes_gpc()){
$post = stripslashes($post);
}
return mysqli_real_escape_string($post);
}
foreach($post as $key => $val){
$post[$key] = db_escape($val);
}
return $post;
}
if(isset($_POST["logIn"])){
// Connect to db
$dbConn = mysqli_connect("localhost","sabe0011","lösen","sabe0011");
$dbConn->set_charset("utf8");
// Check connection
if(mysqli_connect_errno($dbConn)){
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$_POST = db_escape($_POST);
$checkUserSQL = mysqli_query($dbConn, "SELECT * FROM Users WHERE User ='{$_POST['user']}' AND Password ='{$_POST['password']}'");
if(mysqli_num_rows($checkUserSQL) == 0){
header("Location: login.php?badlogin=");
exit;
}
$_SESSION['sess_id'] = mysqli_store_result($checkUsersSQL, 0);
$_SESSION['sess_user'] = $_POST['user'];
header("Location: admin.php");
exit;
}
?>
答案 0 :(得分:1)
您的查询中的参数应该转义为:
$checkUserSQL = mysqli_query($dbConn, "SELECT * FROM Users WHERE User =" . $_POST['user'] . " AND Password = " . $_POST['password']);
但就安全性而言,你必须看到the prepared query here。