每个输入的用户名和密码都在PHP登录中工作
我的php代码中有一个问题。我想做一个登录系统,从数据库中获取用户名和密码。我几乎把一切都搞定了。但是有一个问题。。当你输入姓名和密码/不管是什么,甚至随机/它会让我登录并重定向到我想要的地方。如何修复这个问题,并使其只使用数据库中正确的用户名和密码?我将在这里导入我的登录代码文件。提前谢谢,对不起我的英语每个输入的用户名和密码都在PHP登录中工作,php,login,Php,Login,我的php代码中有一个问题。我想做一个登录系统,从数据库中获取用户名和密码。我几乎把一切都搞定了。但是有一个问题。。当你输入姓名和密码/不管是什么,甚至随机/它会让我登录并重定向到我想要的地方。如何修复这个问题,并使其只使用数据库中正确的用户名和密码?我将在这里导入我的登录代码文件。提前谢谢,对不起我的英语 <?php include 'dbh.php'; $uid = $_POST['uid']; $pwd = $_POST['uid']; $query = "SELECT
<?php
include 'dbh.php';
$uid = $_POST['uid'];
$pwd = $_POST['uid'];
$query = "SELECT * FROM user WHERE uid='$uid' AND pwd='$pwd'";
$result = mysqli_query($conn, $query);
if ($result = mysqli_query($conn, $query))
{
while ($row = mysqli_fetch_assoc($result))
{
printf("Login success\n");
}
// If the while loop fails, password/username combo was incorrect
printf("Login failed - Invalid username or password.");
} else {
printf("Login failed, could not query the database.\n");
}
header("Location: panel.php");
?>
使用
首先,您对SQL注入非常开放,您需要更新它。它覆盖了很多其他的地方,去看看吧
但为了解决问题,您正在重定向,而不考虑您的支票。将此移动到while循环:
while ($row = mysqli_fetch_assoc($result))
{
printf("Login success\n");
header("Location: panel.php");
}
将其置于底部意味着无论发生什么情况,它都会被解雇。试试这个
<?php
function Db(){
$host = "localhost"; // your db settings
$username = "yourusername";
$password = "yourpass";
$db = "users";
$conn = new mysqli($host, $username, $password, $db);
// use mysqli instead mysql_connect, it is outdated I guess
if(!$conn){
die("Could not connect");
}
}
if(isset($_POST['login'])){
$uid = trim($_POST['username']);
$pwd = trim($_POST['password']);
if($uid == ""){
$err[] = "Username is missing.";
}elseif($pwd == ""){
$err[] = "Password is missing.";
}else{ // When validation succeed then make query.
$db = Db();
$uid = $db->real_escape_string($uid); // escape strings from mysql injection
$pwd = $db->real_escape_string($pwd);
$sql = "SELECT * FROM users
WHERE username = '$uid'
AND password = '$pwd'";
$result = $db->query($sql);
if($result->num_rows == 1){
header("location:panel.php"); // login succeed
}else{
$err[] = "Username or password are incorrect";
header("location:login.php"); // login failed
}
}
}
?>
<?php
if(isset($err)):
foreach($err as $loginErr):
echo $loginErr; // Print login errors.
endforeach;
endif;
?>
<!-- HTML login form goes here -->
在旁注中,$uid
和$pwd
是相同的,这可能是不需要的。此外,查询会执行两次。我建议,不要查询用户并传递同一个查询,因为您很脆弱,需要研究SQL注入和清理用户输入。请使用参数化查询。散列您的用户密码。请不要再使用mysql.*
方法。它们在当前版本的PHP中被弃用并删除。改为使用mysqli\uquot*
或PDO和prepared语句。它执行相同的操作。MYDOMAIN页面不工作。MYDOMAIN当前无法处理此请求。HTTP错误500当我键入名称和密码时,它会将我发送到空白的login.php页面
<?php
function Db(){
$host = "localhost"; // your db settings
$username = "yourusername";
$password = "yourpass";
$db = "users";
$conn = new mysqli($host, $username, $password, $db);
// use mysqli instead mysql_connect, it is outdated I guess
if(!$conn){
die("Could not connect");
}
}
if(isset($_POST['login'])){
$uid = trim($_POST['username']);
$pwd = trim($_POST['password']);
if($uid == ""){
$err[] = "Username is missing.";
}elseif($pwd == ""){
$err[] = "Password is missing.";
}else{ // When validation succeed then make query.
$db = Db();
$uid = $db->real_escape_string($uid); // escape strings from mysql injection
$pwd = $db->real_escape_string($pwd);
$sql = "SELECT * FROM users
WHERE username = '$uid'
AND password = '$pwd'";
$result = $db->query($sql);
if($result->num_rows == 1){
header("location:panel.php"); // login succeed
}else{
$err[] = "Username or password are incorrect";
header("location:login.php"); // login failed
}
}
}
?>
<?php
if(isset($err)):
foreach($err as $loginErr):
echo $loginErr; // Print login errors.
endforeach;
endif;
?>
<!-- HTML login form goes here -->