首先,我只想感谢你的帮助!我刚加入这个网站,你们很多人都非常乐于助人和耐心! (:
所以,我的问题在于登录表单。即使输入了错误的信息,它也允许我登录。我是pdo的新手,我刚刚将所有的Mysql函数转换为pdo,所以我很肯定我在某个地方出了问题。
这是我的登录脚本:
<?php
//Login script
if (isset ($_POST["user_login"]) && isset($_POST["password_login"])) {
$user_login = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["user_login"]); //filter everything but numbers and letters
$password_login = preg_replace('^A-Za-z0-9)#i','', $_POST["password_login"]); //filter everything but numbers and letters
$password_login=md5($password_login);
$db = new PDO('mysql:host=localhost;dbname=socialnetwork', 'root', 'password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "SELECT id FROM users WHERE username = '$user_login' AND password = '$password_login' LIMIT 1";
$db->prepare($sql);
if ($db->execute(array(
'$user_login' => $user_login,
'$password_login' => $password_login))); {
if ($sql->rowCount() > 1){
while($row = $sql->fetch($sql)){
$id = $row["id"];
}
$_SESSION["id"] = $id;
$_SESSION["user_login"] = $user_login;
$_SESSION["password_login"] = $password_login;
exit("<meta http-equiv=\"refresh\" content=\"0\">");
} else {
echo 'Either the password or username you have entered is incorrect. Please check them and try again!';
exit();
}
}
}
?>
以下是表格:
<form action="home.php" method="post">
<center><input type ="text" size="25" name="User_login" id="user_login" placeholder="username"/>
<input type ="password" size="25" name="user_password" id="user_password" placeholder="password"/><br />
<input type ="submit" name="button" id="button" value="login to your account!"/></center>
</form>
有关如何解决此问题的任何想法?
答案 0 :(得分:0)
if ($sql->rowCount() > 1){
该代码无效,因为$sql
是一个字符串。我认为你应该有$stmt = $db->prepare( ... );
声明,然后改为$stmt->rowCount
(但我不是100%肯定)。
答案 1 :(得分:-1)
PDO Prepared语句看起来像(例如):
<?php
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username AND password = :password");
$stmt->bindValue(":username", $_POST['username']);
$stmt->bindValue(":password", md5($_POST['password']));
$stmt->execute();
$result = $stmt->fetchAssoc();
var_dump($result);
?>
你所拥有的不是准备好的陈述。看看这有帮助......
<?php
//Login script
if (isset ($_POST["user_login"]) && isset($_POST["password_login"])) {
$user_login = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["user_login"]); //filter everything but numbers and letters
$password_login = preg_replace('^A-Za-z0-9)#i','', $_POST["password_login"]); //filter everything but numbers and letters
$password_login=md5($password_login);
$db = new PDO('mysql:host=localhost;dbname=socialnetwork', 'root', 'password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
try {
$user_id = false;
$stmt = $db->prepare("SELECT id FROM users WHERE username = :user_login AND password = :password_login LIMIT 1");
$stmt->bindValue(':user_login', $user_login);
$stmt->bindValue(':password_login', $password_login);
$stmt->bindColumn('id', $user_id);
$stmt->execute();
$row = $stmt->fetchAssoc();
if($user_id){
$_SESSION["id"] = $user_id;
$_SESSION["user_login"] = $user_login;
$_SESSION["password_login"] = $password_login;
echo '<meta http-equiv="refresh" content="0">'; // see below
// exit("<meta http-equiv=\"refresh\" content=\"0\">"); // this is WRONG!
} else {
echo 'Either the password or username you have entered is incorrect. Please check them and try again!';
exit();
}
} catch(PDOException $e) {
die("PDO Exception: {$e->getMessage()}");
} catch(Exception $e) {
die("Exception: {$e->getMessage()}");
}
?>
看到你准备好的声明和我的声明之间的区别?你的更多是一个编译的查询,而不是一个准备好的语句(即使你使用prepare
方法)。