过去四天我一直在尝试让这个工作。它只是一个简单的登录页面,没有存储敏感信息,但我遇到了PHP问题。
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$uname = $_POST["login"];
$pword = $_POST["pass"];
$uname = htmlspecialchars($uname);
$pword = htmlspecialchars($pword);
$user_name = "bradf294_access";
$password = "********";
$database = "bradf294_clients";
$server = "localhost";
$db_handle = mysql_connect($server, $user_name, $password);
$db_found = mysql_select_db($database, $db_handle);
print(mysql_errno());
print($db_found);
if(isset($db_found)){
print($db_found."Success");
$SQL = "SELECT * FROM basicinfo WHERE ref = $uname AND pass = $pword";
$result = mysql_query($SQL);
print("Query made");
print(mysql_errno());
if ($result) {
print("result:".$result);
}
else {
print("Incorrect Login Details");
}
if ($result > 0) {
print("found user");
$errorMessage= "logged on ";
session_start();
$_SESSION['login'] = "1";
header ("Location: progressuser.php");
}
else {
print("Invalid Logon");
}
} else {
print("Database not found. The Webmaster has been notified. Please try again later");
$subject = "Automated login error" ;
$message = "An error occured whilst trying to connect to the MySQL database, to login to the progress checker" ;
mail("a-bradfield@bradfieldandbentley.co.uk", $subject, $message);
}
从我一直用来调试的页面上的输出,看起来似乎没有工作的行,这给出了1054错误 - '%'中的未知列'%s' s'的“
$SQL = "SELECT * FROM basicinfo WHERE ref = $uname AND pass = $pword";
$result = mysql_query($SQL)
即使我将$SQL
字符串复制并粘贴到phpMyAdmin中并且它工作得很好吗?
有什么明显我做错了吗?转到http://www.bradfieldandbentley.co.uk/test/progress.php并输入详细信息参考:TST001
并传递:dnatbtr121
以查看输出。
答案 0 :(得分:2)
您需要引用变量:
$SQL = "SELECT * FROM basicinfo WHERE ref = '$uname' AND pass = '$pword'";
<强>无论其强>
{@ 1}}函数已弃用 - 您应该转而转到mysql_*
或PDO
。这些都使您更容易编写安全代码,以及为您修复引用问题。
答案 1 :(得分:0)
WHERE条件中的值是否应该用引号括起来,就像在普通的MySQL语句中一样?是。此外,您将获得一些关于SQL注入的评论。