PHP数据库搜索验证
我已经使用PHP和SQL数据库创建了一个登录页面,我正试图根据用户输入的内容输出不同的错误。例如,如果用户输入了正确的ID而不是正确的密码,则会告诉他们密码不正确,但如果用户没有输入正确的ID,则会告诉他们该ID/密码不存在。目前,我已经让他们两个工作,但我的问题是,当你第一次打开页面时,它显示的ID/密码错误的错误消息,我认为这与没有输入任何内容有关。当输入某些内容时,尽管它正确地显示了错误/更正消息 以下是进行验证的部分:PHP数据库搜索验证,php,mysql,Php,Mysql,我已经使用PHP和SQL数据库创建了一个登录页面,我正试图根据用户输入的内容输出不同的错误。例如,如果用户输入了正确的ID而不是正确的密码,则会告诉他们密码不正确,但如果用户没有输入正确的ID,则会告诉他们该ID/密码不存在。目前,我已经让他们两个工作,但我的问题是,当你第一次打开页面时,它显示的ID/密码错误的错误消息,我认为这与没有输入任何内容有关。当输入某些内容时,尽管它正确地显示了错误/更正消息 以下是进行验证的部分: $sql = "SELECT * FROM users WH
$sql = "SELECT * FROM users WHERE id = '".$login."'";
$results = pg_query($conn, $sql);
// A CORRECT ID WAS ENTERED
if(pg_num_rows($results)) {
echo("<h2 align=\"center\">Incorrect Password was Entered</h2>");
// A CORRECT ID WAS NOT ENTERED
} else {
echo("<h2 align=\"center\">Login/password not found in the database</h2>");
}
<?php
include "header.php";
?>
<?php
$id = "";
$pass = "";
$login = isset($_POST['id']) ? $_POST['id'] : '';
$login = !empty($_POST['id']) ? $_POST['id'] : '';
$password = isset($_POST['pass']) ? $_POST['pass'] : '';
$password = !empty($_POST['pass']) ? $_POST['pass'] : '';
$sql = "SELECT first_name, last_name, email_address, last_access
FROM users
WHERE id = '".$login."' AND password= '".$password."'";
$results = pg_query($conn, $sql);
if(pg_num_rows($results)) {
$sql = "UPDATE users SET last_access = '" .date("Y-m-d",time()). "' WHERE id = '" .$login. "'";
$first = pg_fetch_result($results, 0);
$last = pg_fetch_result($results, 1);
$email = pg_fetch_result($results, 2);
$last_access = pg_fetch_result($results, 3);
echo("<h2 align=\"center\">Welcome back $first $last</h2>");
echo("<h2 align=\"center\">Our records show that your</h2>");
echo("<h2 align=\"center\">email address is $email</h2>");
echo("<h2 align=\"center\">and you last accessed our system: $last_access</h2>");
echo("<br/>");
} else {
// WHERE THE VALIDATION HAPPENS
$sql = "SELECT * FROM users WHERE id = '".$login."'";
$results = pg_query($conn, $sql);
// A CORRECT ID WAS ENTERED
if(pg_num_rows($results)) {
echo("<h2 align=\"center\">Incorrect Password was Entered</h2>");
// A CORRECT ID WAS NOT ENTERED
} else {
echo("<h2 align=\"center\">Login/password not found in the database</h2>");
}
}
?>
<h2 align="center">Please log in</h2>
<p align="center" style="margin-top:-3px">Enter your login ID and password to connect to this system</p>
<form style="margin-top:-8px" name="Input" method="post" action="<?php $_SERVER['PHP_SELF']; ?>">
<table border="0" bgcolor="red" cellpadding="10" style="margin-left:auto; margin-right:auto;">
<tr>
<td style="border:hidden"><strong>Login ID</strong></td>
<td style="border:hidden"><input type="text" name="id" value="<?php if(pg_num_rows($results)) { echo $_POST['id'];} ?>" size="20"></td>
</tr>
<tr>
<td style="border:hidden"><strong>Password</strong></td>
<td style="border:hidden"><input type="password" name="pass" value="" size="20"></td>
</tr>
</table>
<br/>
<table border="0" cellspacing="15" style="margin-left:auto; margin-right:auto;">
<tr>
<td style="border:hidden"><input type="submit" value="Log In"></td>
<td style="border:hidden"><input type="reset" value="Reset"></td>
</tr>
</table>
</form>
<?php include "footer.php" ?>
当您第一次打开页面时,从安全角度来看,您的$\u POST是空的,通常最好不要根据字段输入不正确的情况更改错误消息-否则,您会给攻击者一种机制来枚举应用程序的有效登录id检查是否设置了$\u POST['id']和$\u POST['pass']。如果不是,则应跳过整个验证。