我有一个while循环遍历从SQL查询返回的行。该行中特定列的值存储在数组中。然后迭代该数组,并将每个元素与来自用户的输入进行比较。如果输入与数组元素匹配,则布尔值变为true。我正在尝试这样做,以便用户可以输入密码来访问特定页面。但它只是不起作用。我已经打印了数组中的所有值以及输入,所以我知道那里没有问题。但由于某种原因,if语句只是不比较它们。这是代码:
if (isset( $_POST['ok'])) {
$password = $_POST['pass'];
$matched = false;
$pw = array();
mysql_connect("localhost", "xxx", "xxx")or die("Error");
mysql_select_db("details")or die("Error");
$query="SELECT * FROM members";
$result=mysql_query($query);
while ($row = mysql_fetch_assoc($result) ){
$pw[] = $row["pass"];
}
foreach($pw as $p){
if(strcmp($p, $password) == 0){
$matched = true;
}
}
if ($matched==true) {
//Membership page
} else {
//Error message
}
} else {
....
答案 0 :(得分:1)
将查询更改为此类
会更容易,更有效$dbh = mysql_connect("localhost", "xxx", "xxx") or die("Error");
mysql_select_db("details", $dbh ) or die("Error");
$pass = mysql_real_escape_string( $_POST['pass'], $dbh );
$user = mysql_real_escape_string( $_POST['user'], $dbh );
$sqlQuery = <<< EOQ
SELECT
*
FROM
`members`
WHERE
`user` COLLATE utf8_bin = '{$user}' COLLATE utf8_bin
AND
`password` COLLATE utf8_bin = '{$pass}' COLLATE utf8_bin
EOQ;
$result = mysql_query( $sqlQuery );
if ( $result and ( mysql_num_rows( $result ) === 1 ) {
echo "success";
$userDetails = mysql_fetch_assoc( $result );
} else {
echo "username or password wrong";
}
编辑:更新密码和用户名检查,以便在任何情况下都区分大小写
Edit2:上面的评论提醒不要存储密码明文。要更改为哈希密码
UPDATE members SET pass = SHA1( pass );
然后将支票更改为
... AND pass = SHA1( '{$pass}' )
答案 1 :(得分:0)
找到匹配后你需要休息一下,以便$ matched等于true。
if ( isset( $_POST['ok'] ) ) {
$password = $_POST['pass'];
$matched = false;
$pw = array();
mysql_connect("localhost", "xxx", "xxx")or die("Error");
mysql_select_db("details")or die("Error");
$query="SELECT * FROM members";
$result=mysql_query($query);
while ($row = mysql_fetch_assoc($result) ){
$pw[] = $row["pass"];
}
foreach($pw as $p){
if(strcmp($p, $password) == 0){
$matched = true; // found match so break out and do the membership.
break;
}
}
if ($matched==true) {
//Memebrship page
} else {
//Error message
}
} else {
....
答案 2 :(得分:0)
Sugestions:
1)用PDO替换直接的mysql函数调用:(这不需要任何转义,因为PDO将处理所有内容)
$mysql_host = "localhost";
$mysql_user = "xxx";
$mysql_password = "xxx";
$mysql_database = "details";
$dbLink = new PDO("mysql:host=$mysql_host;dbname=$mysql_database;charset=utf8", $mysql_user, $mysql_password, array(PDO::ATTR_PERSISTENT => true));
$query = db()->prepare("select * from members WHERE pass = ? limit 1");
$query->execute(array($_POST['pass']));
$query->setFetchMode(PDO::FETCH_ASSOC);
$myMember = $query->fetch();
$query->closeCursor();
2)如果您想坚持使用代码,可以使用$pwd = mysql_real_escape_string($_POSt['pass'])
作为发布的密码,然后选择包含转发的已接收密码$pwd
的行。另外,不要忘记mysql_free_result($result);
!!!
3)创建密码哈希,因此您不需要使用mysql_real_escape_string。使用$pwHash = md5($_POST['pass'])
或$pwHash = sha1($_POST['pass'])
或任意组合。
4)请对齐您的代码。这将使人们回答您的问题(提供帮助)以及将来的维护(您或其他人)更具可读性;相信我,您将在2 - 3年内忘记代码。
5)你的代码应该有效,我不知道为什么它没有。尝试为$pw
添加var_dump,并在密码匹配时在屏幕上写一些内容。也许你换了网页(有错误的成员)
答案 3 :(得分:0)
为什么foreach循环?你可以这样做:
if (isset( $_POST['ok'])) {
$password = $_POST['pass'];
$matched = false;
$pw = array();
mysql_connect("localhost", "xxx", "xxx")or die("Error");
mysql_select_db("details")or die("Error");
$query="SELECT * FROM members";
$result=mysql_query($query);
while ($row = mysql_fetch_assoc($result) ){
$pw[] = $row["pass"];
}
$pw_tmp = flip_array($pw);
if(isset($pw_tmp[$password])){
//Membership page
}else{
//Error message
}
}else{
// something else ...
}