Php 登录无法使用已转换的准备语句SQLi运行
正如建议的那样,我一直在尝试使用准备好的语句来保护我的数据库。我有下面的登录名,我正试图将其转换为prepared语句,它可以完美地工作Php 登录无法使用已转换的准备语句SQLi运行,php,mysqli,prepared-statement,Php,Mysqli,Prepared Statement,正如建议的那样,我一直在尝试使用准备好的语句来保护我的数据库。我有下面的登录名,我正试图将其转换为prepared语句,它可以完美地工作 if(isset($_POST["Submit"])) { $Username = mysqli_real_escape_string($con, $_POST["Username"]); $get_hash_db = mysqli_query($con, "SELECT password FROM admin_registration WHERE
if(isset($_POST["Submit"])) {
$Username = mysqli_real_escape_string($con, $_POST["Username"]);
$get_hash_db = mysqli_query($con, "SELECT password FROM admin_registration WHERE username='$Username'");
$hash_db_data = mysqli_fetch_array($get_hash_db);
$hash = $hash_db_data['password'];
echo $hash;
if(password_verify($_POST['Password'], $hash)){
$Password = $hash;
}else {
$_SESSION["ErrorMessage"] = "Username or Password was incorrect";
Redirect_to("admin_login.php");
}
else {
$Found_Account = Login_Attempt($Username, $Password);
$_SESSION["User_Id"] = $Found_Account["id"];
$_SESSION["Username"] = $Found_Account["username"];
if($Found_Account) {
$_SESSION["SuccessMessage"] = "Login Successful! Welcome {$_SESSION["Username"]}";
Redirect_to("blog_admin/dashboard.php");
}else {
$_SESSION["ErrorMessage"] = "Invalid Username / Password";
Redirect_to("admin_login.php");
}
}
}
下面是一个登录尝试()
函数,如下所示:
function Login_Attempt($Username, $Password) {
global $con;
$sql = "SELECT * FROM admin_registration WHERE username='$Username' AND password='$Password'";
$result = mysqli_query($con, $sql);
if($admin = mysqli_fetch_assoc($result)) {
return $admin;
}
else {
return null;
}
}
用我新准备的语句,我永远无法通过$\u会话[“ErrorMessage”]=“无效的用户名/密码”
告诉我至少满足了条件$Password=$hash代码>这是我所拥有的
if(isset($_POST["Submit"])) {
$Username = mysqli_real_escape_string($con, $_POST["Username"]);
$get_hash_db = mysqli_prepare($con, "SELECT password FROM admin_registration WHERE username = ? ");
mysqli_stmt_bind_param($get_hash_db, "s", $Username);
mysqli_stmt_execute($get_hash_db);
mysqli_stmt_bind_result($get_hash_db, $hash);
mysqli_stmt_fetch($get_hash_db);
echo $hash;
if(password_verify($_POST['Password'], $hash)){
$Password = $hash;
}else {
$_SESSION["ErrorMessage"] = "Username or Password was incorrect";
Redirect_to("admin_login.php");
}
一旦我通过了这个,我就要经历这个:
else {
$Found_Account = Login_Attempt($Username, $Password);
$_SESSION["User_Id"] = $Found_Account["id"];
$_SESSION["Username"] = $Found_Account["username"];
if($Found_Account) {
$_SESSION["SuccessMessage"] = "Login Successful! Welcome {$_SESSION["Username"]}";
Redirect_to("blog_admin/dashboard.php");
}else {
$_SESSION["ErrorMessage"] = "Invalid Username / Password";
Redirect_to("admin_login.php");
}
}
}
但它总是返回到$\u会话[“ErrorMessage”]=“无效用户名/密码”代码>我不确定我是否理解为什么?是因为我绑定了参数$Username
,所以函数登录尝试($Username,$Password)
无法正确处理吗?对不起,这是我第一次尝试准备好的陈述,所以我真的很难理解 ot:当你使用准备好的语句时,你不需要使用real\u escape\u字符串。我已经删除了real\u escape\u字符串,但它不会改变结果。我不明白代码的这些部分是如何连接的。看看这里-相当重写的代码-更干净,谢谢。因此,使用此方法,我根本不需要函数Login\u-trunt()
。我该如何解释字段是空的并且提交了…就像这样if(empty($Username)| | empty($Password)){$_SESSION[“ErrorMessage”]=“必须填写所有字段”;重定向到(“admin_login.php”)}
我会将它嵌套到另一个if中,首先是带有submited的if,如果已提交,然后是if notempty和其他验证