这让我抓狂!如果用户名是正确的,那么它比较密码完全没问题,但如果用户名是错误的比较不发生,这个错误是扔给我。我想将数据库值与用户输入的值进行比较。
<?php
$nm = $_POST['nm'];
$pw = $_POST['pw'];
try{
$pdo = new PDO('mysql:host=localhost;dbname=gold-market_main', 'root', '');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}catch(PDOException $e) {
echo "Connection failed: ".$e->getMessage();
die();
}
if($nm == null){
die("Feld darf nicht leer sein!");
} elseif(ctype_alpha($nm[0]) or ctype_digit($nm[0])){
$sql = "SELECT k_nutzername, k_passwort FROM kunden WHERE k_nutzername IN('$nm');";
$result = $pdo->query($sql);
$row = $result->fetch(PDO::FETCH_ASSOC);
if("{$row['k_nutzername']}" != $nm) {
//header("Location: login_wrongUN.html");
print("nm wrong");
} elseif("{$row['k_passwort']}" != $pw) {
//header("Location: login_wrongPW.html");
print("pw wrong");
} else {
header("Location: konto.html");
}
}else{
die("Nutzername muss mit einem buchstaben oder einer Zahl beginnen!");
}
$pdo = null;
?>
您可以这样做。但是,它不能防止不安全的密码或定时攻击。
<?php
$nm = $_POST['nm'];
$pw = $_POST['pw'];
try{
$pdo = new PDO('mysql:host=localhost;dbname=gold-market_main', 'root', '');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}catch(PDOException $e) {
echo "Connection failed: ".$e->getMessage();
die();
}
if($nm == null){
die("Feld darf nicht leer sein!")
} //ctype does not protect
$sql = $pdo->prepare("SELECT k_nutzername, k_passwort FROM kunden WHERE k_nutzername = ?;");
$sql->bindValue(1,$nm,PDO::PARAM_STR); //bind a value to a query, called parametrized queries, most secure way against SQL injection.
$sql->execute();
$row = $sql->fetch(PDO::FETCH_ASSOC);
if(!$row) { // if the username not exists
//header("Location: login_wrongUN.html");
print("nm wrong");
} elseif($row['k_passwort'] != $pw) {
//header("Location: login_wrongPW.html");
print("pw wrong");
} else {
header("Location: konto.html");
}
$pdo = null;
?>