我有一个设置了电子邮件和密码的数据库,我正在尝试使用下面的代码检查用户名(电子邮件)和密码,以确保它们是正确的,如果他们将它们发送到/ cms,如果他们不匹配,弹出框出现。我只是弹出工作。你能看到导致这种问题的任何问题吗?
session_start();
require_once("../mydbpassword.php");
if($_POST['username']) {
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM agents WHERE email = '$username' AND pword = '$password'";
$result = mysqli_query($mysqli,$sql);
$email = $row['email'];
$pword = $row['pword'];
if(($username != $email) || ($password != $pword)) {
echo'<script type="text/javascript">
window.alert("Your login information is wrong, try again!");
window.location="/cms/login"
</script>';
}
else {
$row = mysqli_fetch_assoc($result);
$_SESSION['admin'] = $row['$email'];
header("Location: /cmsS");
exit();
}
}
答案 0 :(得分:0)
切换
$result = mysqli_query($mysqli,$sql);
要
$result = mysqli_fetch_assoc(mysqli_query($mysqli,$sql));
此外,您还有许多事情需要修复。像散列密码,安全查询,更好的重定向/错误系统(js可以被删除或容易被黑客攻击/更改)。
答案 1 :(得分:0)
if($_POST['username'])
通过
if (!empty($_POST['username']))
$sql = "SELECT * FROM agents WHERE email = '$username' AND pword = '$password'";
通过
$sql = 'SELECT password FROM agents WHERE email = "'.mysql_real_escape_string($username).'"';
$result = mysqli_query($mysqli,$sql);
通过
$result = mysqli_fetch_assoc(mysqli_query($mysqli,$sql));
if ($password != $pword || empty($pword)) {
echo'<script type="text/javascript">
window.alert("Your login information is wrong, try again!");
window.location="/cms/login"
</script>';
}