当我填写某些内容时,我的后端登录屏幕会登录,字面意思是某些内容。这没有意义,我连接到我的数据库,我检查表单是否已提交,然后我执行我的查询,我什至有一个会话来检查我是否登录。也许是我使用的是 POST 而不是 GET?老实说,我不知道。我做错了什么?
<?php
if( !isset( $_SESSION ) ) session_start();
$msg='';
*db information*
$conn = new mysqli( $dbhost, $dbuser, $dbpass, $dbname );
if ( $conn->connect_error ) die("Connection failed");
if( isset( $_POST['submit'] ) ) {
$uname = $_POST['username'];
$wwoord = $_POST['wachtwoord'];
$query = "SELECT * FROM Medewerkers WHERE medewerker_username='$uname' && medewerker_password='$wwoord'";
$result = $conn->query( $query );
if( $result ) {
$_SESSION['ingelogd'] = true;
header("location: adminpanel.php");
} else {
$msg="Inloggegevens incorrect.";
}
$conn->close();
}
?>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Admin login</title>
<link rel="stylesheet" type="text/css" href="tables.css">
</head>
<body>
<div id="content">
<ul>
<li><a href="index.php">Admin panel</a></li>
</ul>
<h1>Admin login</h1>
<?php
echo $msg;
?>
<form role="form" method="post" action="index.php" class="contactForm">
<table>
<tr>
<td><label for="username">Username</label></td>
<td><input type="text" name="username" class="" id="username"> <br><br></td>
</tr>
<tr>
<td><label for="wachtwoord">Wachtwoord</label></td>
<td><input type="password" name="wachtwoord" class="" id="wachtwoord"><br><br></td>
</tr>
<tr>
<td><button type="submit" name="submit" class="button">Inloggen</button><br></td>
</tr>
</table>
</form>
</div>
</body>
</html>
我认为您需要在执行 sql 后在 php 中进行检查,以确保您返回了有效的记录集而不是布尔$result。
<?php
if( !isset( $_SESSION ) ) session_start();
if( isset( $_SESSION['ingelogd'] ) ) header("location: adminpanel.php");
$msg='';
$conn = new mysqli( $dbhost, $dbuser, $dbpass, $dbname );
if ( $conn->connect_error ) die("Connection failed");
if( isset( $_POST['submit'] ) ) {
$uname = $_POST['username'];
$wwoord = $_POST['wachtwoord'];
$query = "SELECT * FROM `Medewerkers` WHERE `medewerker_username`='$uname' and `medewerker_password`='$wwoord' limit 1";
$result = $conn->query( $query );
if( $result ) {
/* check that there is a valid recordset with exactly 1 record */
if( $result->num_rows==1 ) {
$_SESSION['ingelogd'] = true;
header("location: adminpanel.php");
}
$msg='login failed';
} else {
$msg="Inloggegevens incorrect.";
}
$conn->close();
}
?>
<?php
/*
if sql injection is a concern ( which it is ) then rather than embedding
variables directly within the sql it is better to utilise prepared statements.
*/
session_start();
if( isset( $_SESSION['ingelogd'] ) ) header("location: adminpanel.php");
$msg='';
$conn = new mysqli( $dbhost, $dbuser, $dbpass, $dbname );
if ( $conn->connect_error ) die("Connection failed");
if( isset( $_POST['submit'] ) ) {
$uname = $_POST['username'];
$wwoord = $_POST['wachtwoord'];
/* to avoid sql injection use prepared statements - add ? as placeholders for variables */
$sql='select * from `medewerkers` where `medewerker_username`=? and `medewerker_password`=? limit 1';
/* prepare the sql statement for execution */
$stmt=$conn->prepare( $sql );
/* If there is a problem preparing the statement it will return false */
if( $stmt ) {
/* assign variables to the placeholders */
$stmt->bind_param( 'ss', $uname, $wwoord );
/* execute the query */
$result=$stmt->execute();
/* The statement must have executed successfully, test recordset next */
if( $result ) {
/* store recordset so we can use access other functions / properties */
$stmt->store_result();
/* check that there is a valid recordset with exactly 1 record */
if( $stmt->num_rows==1 ) {
/* we have a valid logon - one record retrieved */
$conn->close();
$_SESSION['ingelogd'] = true;
header("location: adminpanel.php");
}
$msg='login failed';
} else {
$msg="Inloggegevens incorrect.";
}
$conn->close();
}
}
?>
您只检查查询是否正常工作,而不检查它是否返回行。
而不是:
//...
$result = $conn->query( $query );
if( $result ) {
$_SESSION['ingelogd'] = true;
//...
这样做:
//...
$result = $conn->query( $query );
if($result->num_rows == 1) {
$_SESSION['ingelogd'] = true;
//...
当然,您的代码中还有其他需要改进的地方,例如 SQL 注入部分,您可以在其中获取 POST 数据而无需转义它,但我专注于您的确切问题。