我是PHP和SQL的新手,但我正在尝试创建一个允许用户登录网站的简单PHP脚本。它由于某种原因不起作用,我不明白为什么。每次我尝试使用正确的用户名和&密码,我收到错误"错误的用户名或密码"。数据库名和表名是正确的。
connect.php:
<?php
$db_host = 'localhost';
$db_name = 'app';
$db_user = 'root';
$db_pass = '';
$tbl_name = 'users';
// Connect to server and database
mysql_connect("$db_host", "$db_user", "$db_pass") or die("Unable to connect to MySQL.");
mysql_select_db($db_name)or die("Cannot select database.");
// Info sent from form
$user = trim($_POST['user']);
$pass = trim($_POST['pass']);
// Protection against MySQL injection
$user = stripslashes($user);
$pass = stripslashes($pass);
$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);
$sql = ("SELECT * FROM $tbl_name WHERE username='$user' and password='$pass'");
$result= mysql_query($sql);
$count 0= mysql_num_rows($result);
if($count==1){
// Register $user, $pass send the user to "score.php"
session_register("user");
session_register("pass");
header("location:score.php");
}
else
{
echo "Wrong Username or Password";
}
?>
score.php:
<?php
session_start();
if(!session_is_registered(user)){
header("location:login.html");
}
?>
<html>
<body>
<h1>Login Successful</h1>
</body>
</html>
我希望有人能找到我的错误,谢谢!
答案 0 :(得分:2)
FYI session_register
和session_is_registered
已弃用,将从PHP中删除。还尝试更改您的代码以使用mysqli或PDO。很多articles解释了如何做到这一点。最后,确保您从用户($ _POST数组)中转义输入,因为您永远不知道用户将发送什么,并且您不希望倾向于SQL注入。您确实不希望以明文形式存储密码,因此最好使用SHA1
或MD5
。
编写完上述代码后,您的代码就会变成(您可以直接使用$_SESSION
全局数组):
<强> connect.php:强>
<?php
$db_host = 'localhost';
$db_name = 'app';
$db_user = 'root';
$db_pass = '';
$tbl_name = 'users';
// Connect to server and database
mysql_connect($db_host, $db_user, $db_pass) or die("Unable to connect to MySQL.");
mysql_select_db($db_name) or die("Cannot select database.");
// Info sent from form
$user = trim($_POST['user']);
$pass = trim($_POST['pass']);
// Protection against MySQL injection
$user = stripslashes($user);
$pass = stripslashes($pass);
$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);
$sql = "SELECT * FROM $tbl_name "
. "WHERE username = '$user' "
. "AND password = sha1('$pass')";
$result = mysql_query($sql);
// There was an extra 0 here before the equals
$count = mysql_num_rows($result);
if ($count==1)
{
// Register $user, $pass send the user to "score.php"
$_SESSION['user'] = $user;
// You really don't need to store the password unless you use
// it somewhere else
$_SESSION['pass'] = $pass;
header("location: ./score.php");
}
else
{
echo "Wrong Username or Password";
}
?>
<强> score.php:强>
<?php
session_start();
if (!isset($_SESSION['user']))
{
header("location:login.html");
}
?>
<html>
<body>
<h1>Login Successful</h1>
</body>
</html>
答案 1 :(得分:0)
一些事情
将此行更改为我已将其置于其下方的错误检查
$result= mysql_query($sql);
$result= mysql_query($sql) or die(mysql_error());
有可能是sql错误而你没有把它拿起来,所以结果总是有0行
也不确定这条线是否是拼写错误,
中不应该有0$count 0= mysql_num_rows($result);