我更新了我的代码并且这次使用了mysqli我没有再收到任何错误但它现在不让我登录。
<?php
$host = 'my host';
$user = 'me';
$PW = 'my password';
$dB = 'login';
$table = 'members';
$field = 'username';
/* Create a new mysqli object with database connection parameters */
$mysqli = new mysqli($host, $user, $PW, $dB);
if(mysqli_connect_errno()) {
echo "Connection Failed: " . mysqli_connect_errno();
exit();
}
//Grab User submitted information
$name = $_POST['username']; //login name
$pass = $_POST['password']; //login password
/* Create a prepared statement */
if($stmt = $mysqli -> prepare("SELECT f_name FROM $table WHERE $field=?
AND password=?")) {
/* Bind parameters
s - string, b - blob, i - int, etc */
$stmt -> bind_param("ss", $name, $pass);
/* Execute it */
$stmt -> execute();
/* Bind results */
$stmt -> bind_result($result);
/* Fetch the value */
$stmt -> fetch();
if ($result == NULL) {
echo "That combo of username and password is wrong!";
}
else{
echo "Hello " . $result;
}
/* Close statement */
$stmt -> close();
}
/* Close connection */
$mysqli -> close();
?>
我认为它现在有效,但即使我输入了正确的ID&amp; PW它说我没有。我不知道为什么会这样做。
答案 0 :(得分:2)
您的SQL查询无效:
"SELECT * FROM members WHERE username = $name"
// will result in
"SELECT * FROM members WHERE username = "
// if name is empty or
"SELECT * FROM members WHERE username = SOMEVALUE"
// if name is "SOMEVALUE".
无论哪种方式,它都是无效的查询字符串,因为SOMEVALUE不会被解释为字符串。你可以试试这个:
$result = mysql_query('SELECT * FROM members WHERE username = "'.mysql_real_escape_string($name).'"');
mysql_real_escape_string()用于转义可能导致问题/不需要的行为的字符。 查询中的字符串应包含引号。
我建议您查看PDO(http://php.net/manual/en/book.pdo.php)并阅读有关mysql注入的内容。
答案 1 :(得分:1)
你的问题是
$_POST["usersname"]
未定义。
在查询中使用$name时,请使用此mysql_real_escape_string($name)。
如果这是你的代码,它是sql注入的灾难。你应该改成mysqli或PDO
答案 2 :(得分:1)
首先,你真的应该使用mysqli。标准mysql_函数现已弃用,原因非常可靠。如果使用mysqli:
<?php
//Connect to database
$con = new mysqli('host', 'user', 'PW', 'dB');
if( $con->connect_errno > 0 ) {
die( 'Unable to connect to dB!' );
}
//Grab User submitted information
$name = $_POST['username']; //login name
$pass = $_POST['password']; //login password
// Make sure you do some validation of the $_POST data here
//Fetch user record from members table where username = inputed name
$statement = $con->prepare("SELECT password FROM members WHERE username = ?");
// Binds $name as a string ('s') parameter to the first ? found in the statement
$statement->bind_param('s', $name);
$statement->execute();
//check to see if that username exists in DB & if not; stop, inform user & ask if he wants to register
if ( $statement->num_rows === 0 ) {
die('User does not exist. <a href="register.php">Click Here to Register</a>');
}
// Bind variables to the result; you need a variable for every column that is selected
$statement->bindResult($dbPassword);
$statement->fetch();
//check password, if pw entered != pw from pulled record then stop & inform user
if ($pass != $dbPassword) {
die('Incorrect password, please try again.');
}
$statement->close();
$con->close();
如果您不使用mysqli,请知道您编写的代码由于2个问题而无效:
$name = $_POST["usersname"];拼写为usersname而不是username $result = mysql_query("SELECT * FROM members WHERE username = $name");上你需要像这样转义字符串:username = " . mysql_real_escape_string( $name ) . "否则将不会添加引号并且字符串将被误解为令牌(同样,还有SQL注入问题)< / LI>
除了这些要点之外,将密码正确存储在数据库中也很重要。您不能以明文形式存储密码,因为这是一个巨大的安全风险。您需要将密码存储为哈希值,这些哈希值是单向函数,使得无法(或至少更难)获取密码。我建议你查看PHP中的Crypt function。与Blowfish算法和合适的盐一起使用,它可以提供出色的安全性,但是有关这方面的更多细节超出了本文的范围。您可以在该页面的评论中找到更多信息。
编辑:更新了代码,不使用get_result()