PHP登录问题

时间:2013-03-14 13:36:28

标签: mysql login phpmyadmin

我正在创建一个链接到数据库的登录,在输入信息时,登录然后运行一个空白页面并且什么都不做,下面是我的代码:

    include "conn.php";
    session_start();

    $email_address = $_POST['email_address'];
    $password = $_POST['password'];

    if ($email_address && $password)
    {
    $connect = mysql_connect("computing","i7906890","password") or die ("couldn't   connect!");
    mysql_select_db("i7906890") or die ("couldn't find database");
$guery = mysql_query("SELECT * FROM UserAccount WHERE email_address = '$email_address'");

if ($numrows!=0) {
   //code to login
   while ($row = mysql_fetch_assoc($query)) //Password Check
   {
       $dbemail_address = $row['email_address']
       $dbpassword = $row['password']
   }
   //Check if they match
   if ($email_address==$dbemail_address&&$password==$dbpassword)
   {
      echo "You're in! <a href='user_page.php'>click</a> here to enter the members page";
      $_SESSION['user']==$dbemail_address;
   }
   else
      echo "Incorrect Password!";
}
else
   die("That user doesn't exist!");
}
else
   die("Please enter an email address and password!"); 
?>

此处还有我的表格

<form action = "login2.php" method ="POST">
        <p><img src="images/space.gif" width="70px" height="1px"/><strong>Log in</strong> or <a href="register_form.php"><strong>Register</strong></a><br>
            Email:<img src="images/space.gif" width="34px" height="1px"/><input type="text" name="user" size="33"> <br>
            Password:<img src="images/space.gif" width="10px" height="1px"/><input type="password" name="password" size="33"> <br>
        <div align="center">
        <input type="submit" value="Log in" class="button">
        </div>
    </p>
    </form>

请帮忙! SOS

2 个答案:

答案 0 :(得分:2)

您在代码中遗漏了一些;,导致脚本丢失并且不显示任何内容。 (特别是在while循环中,但也在其他地方检查。)

编辑:您可能还想考虑丢失while循环,并将密码标准放在SQL语句中以获得更好的性能。就像另一张海报所说的那样,注意SQL注入。

答案 1 :(得分:0)

Please help! SOS是的,你在深陷......但不是因为你所期待的......

即使您的代码运行良好,您也是第5或第6个问题,使用不推荐使用的 mysql _ 函数在PHP登录表单中提出SQL injection大致相同的问题。

此外, $guery $query 不一样...检查 q g 字母......

这一行:

$guery = mysql_query("SELECT * FROM UserAccount WHERE email_address = '$email_address'");

至少应该

$query = mysql_query("SELECT * FROM UserAccount WHERE email_address = '".mysql_real_escape($email_address)."'");

两者都是正确的,并避免注射...

但你应该真正通过PDO使用预备语句,如下所示:

try {
    //open connection, this is different than in the old functions
    $dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);

    //***running query
    //**step1: create statement
    $stmt = $dbh->prepare('SELECT * FROM UserAccount WHERE email_address = :email'); //notice parameter prefixed with ':'

    //**step2: bind values (be sure to also check out the bindParameter() function too!)
    $stmt->bindValue(':email', $email_address);

    //**step3: exexcute statement
    $stmt->execute();

    //**step4: process results
    $result = $stmt->fetch(PDO::FETCH_OBJ);

    if($result->PASSWORD==$password) {
      //logged in, do whatever reuqired
    }

    $dbh = null; //don't let it slip out of our hands
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}

另外,另一个警告:不要存储明文密码。即使存储MD5哈希这些天也超出范围,并且SHA1也被宣布为弱...

相关问题
最新问题