作为我项目的一部分,我创建了一个登录程序。 我已经有一个创建帐户页面,数据将从该页面成功进入数据库表。但是我的登录程序不起作用。下面是我的代码。
<?php
$db = mysql_connect('localhost','root','','childrenparty');
if(!$db){die('could not connect:'.mysql_error());}
echo'connected successfully';
if (isset($_POST['loginbtn'])) {
$username = $_POST['txtusername'];
$password = $_POST['txtpassword'];
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM clientinfo WHERE Username ='".$username."'' AND
Password='".$password."' LIMIT 1";
$result = mysql_query($sql);
echo $sql;
if(mysql_num_rows($result) == 1)
{
echo "<script> alert('Successfully Logged In')</script>";
echo "<script> location.href = 'home.php' </script>";
exit();
}
else {
echo "<script> alert('Invalid Username and/or Password')</script>";
exit();
}
}
mysql_close($db);
?>
所以问题是当我尝试登录时,它总是显示无效的用户名和密码。 请帮助
sql 查询中出现错误,这是一个额外的'
:
$sql = "SELECT * FROM clientinfo WHERE Username ='" . $username . "' AND
Password='" . $password . "' LIMIT 1";
但是这段代码中还有更危险的问题:
mysql_* 在 PHP 5.5 中被弃用,在 PHP 7 中被删除,所以你最好使用 mysqli 或 PDO 函数和预准备语句。
密码未加密存储,这是一个巨大的漏洞
我将添加一个带有预准备语句的示例,以防止 SQL 注入:
<?php
$db = new mysqli('localhost', 'root', '', 'childrenparty');
if ($db->connect_errno) {
echo 'Failed to connect to MySQL: (' . $db->connect_errno . ') ' . $db->connect_error;
}else{
echo 'Connected successfully';
}
if (isset($_POST['loginbtn'])) {
$username = $_POST['txtusername'];
$password = $_POST['txtpassword'];
$username = $db->escape_string($username);
$password = $db->escape_string($password);
$query = $db->prepare('SELECT * FROM clientinfo WHERE Username=? AND Password=? LIMIT 1');
$query->bind_param('ss', $username, $password);
$query->execute();
$result = $query->get_result()->fetch_row();
if (null !== $result) {
echo "<script> alert('Successfully Logged In')</script>";
echo "<script> location.href = 'home.php' </script>";
exit();
}
echo "<script> alert('Invalid Username and/or Password')</script>";
exit();
}
$db->close();
我对你的代码进行了一些更改。这绝对应该有效。如果不是,则问题出在您设置的 $_POST 变量名称中。还要仔细检查 Sql 查询,以检查它们是否与数据库名称相同。我假设你只是在学习编码,所以它很好,但 mysql 现在已被弃用,所以尝试使用 mysqli 函数。
如需进一步参考,请查看 http://php.net/manual/en/book.mysqli.php
if (isset($_POST['loginbtn'])) {
$username = $_POST['txtusername'];
$password = $_POST['txtpassword'];
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM clientinfo WHERE Username = '$username' AND
Password = '$password' LIMIT 1";
$result = mysql_query($sql);
if(mysql_num_rows($result) == 1)
{
echo "<script> alert('Successfully Logged In')</script>";
echo "<script> location.href = 'home.php' </script>";
}
else {
echo "<script> alert('Invalid Username and/or Password')</script>";
}
}
<?php
$db = mysql_connect('localhost','root','','childrenparty');
if(!$db){die('could not connect:'.mysql_error());}
echo'connected successfully';
if (isset($_POST['loginbtn'])) {
$username = $_POST['txtusername'];
$password = $_POST['txtpassword'];
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM clientinfo WHERE Username ='$username' AND
Password='$password'";
mysql_select_db('childrenparty');
$result = mysql_query($sql);
$count = mysql_num_rows($result);
if($count == 1) {
echo "<script> alert('You Have Successfully Logged In')</script>";
echo "<script> location.href = 'home.php' </script>";
exit();
} else {
echo "<script> alert('Invalid Username and/or Password')</script>";
}
}
mysql_close($db);
?>
这个有效,谢谢大家的回复。