我用PHP和MySQL数据库创建了一个登录页面。一切正常,除非我使用正确的用户名和错误的密码登录,它仍然会将我发送到登录页面,并且不会让我登录页面。
<?php
$user = $_POST['user'];
$pass = stripslashes($_POST['pass']);
$pass = mysql_real_escape_string($pass);
$pass = md5($pass);
$connect = mysql_connect("$host", "$ad_user", "$ad_pass") or die("Unable to connect to MySQL");
$db = mysql_select_db("$db", $connect) or die("Could not select examples");
$query = "SELECT * FROM members WHERE username='$user'" or die("error query");
$result = mysql_query($query);
$count = mysql_num_rows($result);
$p = mysql_fetch_array($result);
If($count == 1){
If($p['password'] == $pass){
session_start();
$_SESSION['loggedin'] = 1;
$_SESSION['username'] = $user;
header('Location: //members.polydodo.com');
}else{
header('Location: ../login.php?error');
}
}else{
header('Location: ../login.php?error');
}
mysql_close($connect);
?>
我看不出任何错误,我已经仔细检查了密码加密等命令。使用错误的用户名重定向到错误页面并且不会登录,但无论密码如何,它都会使用正确的用户名登录。
P.S。我知道MySQLi和PDO,但没有时间研究,所以我坚持使用标准MySQL,直到我这样做。
答案 0 :(得分:4)
问题出在以下行
$query = "SELECT * FROM members WHERE username='$user'" or die("error query");
$result = mysql_query($query);
将其更改为
$query = "SELECT * FROM members WHERE username='$user' LIMIT 1";
$result = mysql_query($query) or die(mysql_error());
更新:
也可以直接在查询中使用密码进行身份验证,如
$query = "SELECT * FROM members WHERE username='$user' AND password='$pass' LIMIT 1";
$result = mysql_query($query) or die(mysql_error());
注意: mysql_*已被弃用[{1}}或mysqli_*
答案 1 :(得分:0)
也使用密码字段。
$query = "SELECT * FROM members WHERE username='$user' AND password='$pass'" or die("error query");
$result = mysql_query($query);
$count = mysql_num_rows($result);
//$p = mysql_fetch_array($result);
if($count == 1){
session_start();
$_SESSION['loggedin'] = 1;
$_SESSION['username'] = $user;
header('Location: //members.polydodo.com');
}else{
header('Location: ../login.php?error');
}
尝试传递查询中的两个值。
之后你不需要匹配它