PHP数据库登录脚本问题
我的未来用户登录页面允许任何用户名和密码访问。这段代码位于一个名为Login.php的文件中,应该将您指向Account.php,但无论您在表单中键入什么,它都会将您带到那里PHP数据库登录脚本问题,php,html,login,Php,Html,Login,我的未来用户登录页面允许任何用户名和密码访问。这段代码位于一个名为Login.php的文件中,应该将您指向Account.php,但无论您在表单中键入什么,它都会将您带到那里 <?php require 'Connections/Connections.php'; include('header.php'); ?> <?php if(isset($_POST['Login'])){ $UN= $_POST['Username']; $PW = $_POST
<?php
require 'Connections/Connections.php';
include('header.php');
?>
<?php
if(isset($_POST['Login'])){
$UN= $_POST['Username'];
$PW = $_POST['Password'];
$result = $con->query("Select * from users where Username='$UN' AND Password='$PW'");
$row = $result->fetch_array(MYSQLI_BOTH);
$_SESSION["UserID"] = $row['UserID'];
header('Location: Account.php');
}
?>
<!doctype html>
<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'/>
<link href="style/UserStyle.css" rel="stylesheet" type="text/css" />
<title>Register</title>
</head>
<body>
<form action="" method="post" name="LoginForm" id="LoginForm">
<div class="FormElement">
<input name="Username" type="text" required="required" class="TField" id="Username" placeholder="Username">
</div>
<div class="FormElement">
<input name="Password" type="Password" required="required" class="TField" id="Password" placeholder="Password">
</div>
<div class="FormElement">
<input name="Login" type="submit" class="button" id="Login" placeholder="Login">
</div>
</body>
<?php
mysql_connect("localhost", "MyRealUsername", "MyRealPassword");
mysql_select_db("Registration");
$con = mysqli_connect("localhost", "MyRealUsername", "MyRealPassword", "Registration");
?>
非常感谢您的帮助 请在php代码中进行以下更改。您当前仅检查post变量并验证用户。从数据库获取值后,请检查结果数组,然后重定向到Account.php(如果数据库中存在用户),否则重定向到Login.php
<?php
if(isset($_POST['Login'])){
$UN= $_POST['Username'];
$PW = $_POST['Password'];
$result = $con->query("Select * from users where Username='$UN' AND Password='$PW'");
$row = $result->fetch_array(MYSQLI_BOTH);
if( isset($row) && $row['UserID'] != "" ){ // authenticated user, redirect to account page
$_SESSION["UserID"] = $row['UserID'];
header('Location: Account.php');
}else{ // redirect to login page
header('Location: Login.php');
}
}
?>
您的问题是没有验证用户/密码组合 您可以从数据库中获取用户记录:
$UN= $_POST['Username'];
$PW = $_POST['Password'];
$result = $con->query("Select * from users where Username='$UN' AND Password='$PW'");
$row = $result->fetch_array(MYSQLI_BOTH);
if ($row) {
$_SESSION["UserID"] = $row['UserID'];
header('Location: Account.php');
}
mysql_connect("localhost", "MyRealUsername", "MyRealPassword");
mysql_select_db("Registration");
还有一件更重要的事,在将用户输入传递到SQL查询之前,请始终对其进行筛选,因为不进行筛选会将您的应用程序打开到SQL注入。添加检查-如果这样的用户找到。效果很好,非常感谢!
<?php
/* Only execute code if it is a post request */
if( $_SERVER['REQUEST_METHOD']=='POST' ){
/* Make sure all variables are at least set */
if( isset( $_POST['Login'], $_POST['Username'], $_POST['Password'] ) ){
/* basic filtering of posted data */
$username=mysqli_real_escape_string( $con, filter_input( FILTER_POST, 'Username', FILTER_SANITIZE_STRING ) );
$password=mysqli_real_escape_string( $con, filter_input( FILTER_POST, 'Password', FILTER_SANITIZE_STRING ) );
/* Only proceed if there are non empty values after filtering */
if( !empty( $username ) && !empty( $password ) ){
$sql="select * from `users` where `Username`='".$username."' and `password`='".$password."';";
$result=$con->query( $sql );
$uid=false;
/* Check you have a result */
if( $result && $result->num_rows() > 0 ){
while( $rs=$result->fetch_object() ){
$uid=$rs->UserID;
}
}
if( $uid ) {
$_SESSION["UserID"]=$uid;
header( 'location: account.php' );
}
}
/*
------------------------------------------------
Alternative method, using a "prepared statement"
------------------------------------------------
You do not need to be so particular filtering data
that is used in the sql query...
*/
$sql_prepared='select `UserID` from `users` where `Username`=? and `Password`=?';
$stmt=$con->prepare( $sql_prepared );
$stmt->bind_param( 'ss', $username, $password );
$username=$_POST['Username'];
$password=$_POST['Password'];
/* Only process if we have non-empty values */
if( !empty( $username ) && !empty( $password ) ){
$result=$stmt->execute();
$stmt->bind_result( $uid );
if( $result ){
$stmt->fetch();
$stmt->close();
$_SESSION["UserID"]=$uid;
header( 'location: account.php' );
}
}
}
}
?>
<?php
/* Only execute code if it is a post request */
if( $_SERVER['REQUEST_METHOD']=='POST' ){
/* Make sure all variables are at least set */
if( isset( $_POST['Login'], $_POST['Username'], $_POST['Password'] ) ){
/* basic filtering of posted data */
$username=mysqli_real_escape_string( $con, filter_input( FILTER_POST, 'Username', FILTER_SANITIZE_STRING ) );
$password=mysqli_real_escape_string( $con, filter_input( FILTER_POST, 'Password', FILTER_SANITIZE_STRING ) );
/* Only proceed if there are non empty values after filtering */
if( !empty( $username ) && !empty( $password ) ){
$sql="select * from `users` where `Username`='".$username."' and `password`='".$password."';";
$result=$con->query( $sql );
$uid=false;
/* Check you have a result */
if( $result && $result->num_rows() > 0 ){
while( $rs=$result->fetch_object() ){
$uid=$rs->UserID;
}
}
if( $uid ) {
$_SESSION["UserID"]=$uid;
header( 'location: account.php' );
}
}
/*
------------------------------------------------
Alternative method, using a "prepared statement"
------------------------------------------------
You do not need to be so particular filtering data
that is used in the sql query...
*/
$sql_prepared='select `UserID` from `users` where `Username`=? and `Password`=?';
$stmt=$con->prepare( $sql_prepared );
$stmt->bind_param( 'ss', $username, $password );
$username=$_POST['Username'];
$password=$_POST['Password'];
/* Only process if we have non-empty values */
if( !empty( $username ) && !empty( $password ) ){
$result=$stmt->execute();
$stmt->bind_result( $uid );
if( $result ){
$stmt->fetch();
$stmt->close();
$_SESSION["UserID"]=$uid;
header( 'location: account.php' );
}
}
}
}
?>