当用户点击登录时,我有一个登录表单checklogin.php被调用,它应检查用户名和密码是否与数据库中的任何记录匹配,如果为true,则执行其他操作,打印错误的密码或用户名
到目前为止,我的密码用户名错误,即使它是正确的用户名&&密码。我做了一些改变,但现在没有echo,printf或错误
我该如何解决这个问题?
形式
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="checklogin.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="myusername" type="text" id="myusername"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="mypassword" type="text" id="mypassword"></td>
</tr>
<tr>
<td> </td>
<td> </td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
checklogin.php
<?php
$mysqli = new mysqli('localhost', 'root', 'password', 'aiesec');
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysqli_real_escape_string($myusername);
$mypassword = mysqli_real_escape_string($mypassword);
// If result matched $myusername and $mypassword, table row must be 1 row
$sql = "SELECT * FROM members WHERE username='$myusername' and password='$mypassword";
if($result = mysqli->query($sql, MYSQLI_USE_RESULT))
{
printf("Errormessage: %s\n", $mysqli->error);
echo $result->num_rows; //zero
while($row = $result->fetch_row())
{
printf("Errormessage: %s\n", $mysqli->error);
echo $result->num_rows; //incrementing by one each time
}
echo $result->num_rows; // Finally the total count
}
if($row==1){
echo "correct username and pass";
// Register $myusername, $mypassword and redirect to file "login_success.php"
// session_register("myusername");
//session_register("mypassword");
//header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
mysqli_close();
?>
我也试过
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysqli_query($sql);
// Mysql_num_row is counting table row
$count=mysqli_num_rows($result);
答案 0 :(得分:3)
为了确保您看到所有PHP错误,请在脚本之上添加此代码:
error_reporting(E_ALL);
ini_set('display_errors', 1);
您必须更正对mysqli_real_escape_string的来电。根据{{3}},必须有两个参数,第一个参数必须是MySQL链接。在你的情况下,链接将是$ mysqli。
另外,替换:
if($row==1){
with:
if($result->num_row==1){
您误解了$ result-&gt; num_rows是什么:它包含查询返回的TOTAL行数,其结果存储在$ result中。因此,在检索查询返回的所有记录的循环中检查$ result-&gt; num_rows的值是没用的。
我从MYSQLI_USE_RESULT移除了常量query(),因为documentation说:
如果您使用MYSQLI_USE_RESULT,除非您调用mysqli_free_result(),否则所有后续调用都将返回错误命令不同步。
新代码:
<?php
$mysqli = new mysqli('localhost', 'root', 'password', 'aiesec');
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
// cleanup POST variables
$myusername = mysqli_real_escape_string($mysqli, stripslashes(trim($_POST['myusername'])));
$mypassword = mysqli_real_escape_string($mysqli, stripslashes(trim($_POST['mypassword'])));
// If result matched $myusername and $mypassword, table row must be 1 row
$sql = "SELECT * FROM members WHERE username='$myusername' and password='$mypassword'";
$result = mysqli->query($sql);
if($mysqli->errno<>0)
die("Errormessage: %s\n", $mysqli->error);
echo $result->num_rows;
if($result->num_rows==1){
echo "correct username and pass";
// Register $myusername, $mypassword and redirect to file "login_success.php"
// session_register("myusername");
//session_register("mypassword");
//header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
mysqli_close();
?>
答案 1 :(得分:0)
$mypassword变量$sql后,您遗漏了单引号。
这一行:
$sql = "SELECT * FROM members WHERE username='$myusername' and password='$mypassword";
将其更新为:
$sql = "SELECT * FROM members WHERE username='$myusername' and password='$mypassword'";
答案 2 :(得分:0)
第一个错误,您没有在$ mypassword:
之后关闭引用$sql = "SELECT * FROM members WHERE username='$myusername' and password='$mypassword";
然后,如果没有输入这个if,则不会定义$ row,以后会引起麻烦:你应该至少添加“$ row = 0”
$row = 0;
if($result = mysqli->query($sql, MYSQLI_USE_RESULT))
{
printf("Errormessage: %s\n", $mysqli->error);
echo $result->num_rows; //zero
while($row = $result->fetch_row())
{
printf("Errormessage: %s\n", $mysqli->error);
echo $result->num_rows; //incrementing by one each time
}
echo $result->num_rows; // Finally the total count
}
最后,你确定$ row是1吗?你试过吗
echo "Row is: ";
var_dump($row);
if($row==1){
编辑:$ row似乎实际上是最后一行;你会想要$ result-&gt; num_rows。
从架构的角度来看,将密码存储在DB中并不是一个好主意,最好(至少)存储“盐渍哈希”或使用更好的算法,请参阅:< / p>