登录脚本重定向甚至输入错误的密码

时间:2013-05-17 04:27:02

标签: php mysql

如果您发现此问题与其他任何问题类似,我很抱歉,但我已经检查过,找不到合适的解决方案。我的登录检查脚本似乎有问题,因为它指向登录成功页面,即使我输入了错误的密码,但我找不到位置。请帮我。这是代码:

<?php

session_start();

mysql_connect("localhost", "root", "")or die("cannot connect"); 
mysql_select_db("planner")or die("cannot select DB");


$myusername = mysql_real_escape_string ($_POST['username']);
$mypassword = mysql_real_escape_string ($_POST['password']);


$sql="SELECT username,password FROM members WHERE username='$myusername'";



if($result=mysql_query($sql)){
    $found_user=mysql_fetch_array($result);
    if (mysql_num_rows($result)>0){

$_SESSION['myusername']=true; 
header("location:login_success.php");
}

else {
echo "Wrong Username or Password";
}
}
?>

updated script:

<?php

session_start();

mysql_connect("localhost", "root", "")or die("cannot connect"); 
mysql_select_db("planner")or die("cannot select DB");


$myusername = mysql_real_escape_string ($_POST['username']);
$mypassword = md5(mysql_real_escape_string ($_POST['password']));


$sql="SELECT username,password FROM members WHERE username='$myusername' AND password='$mypassword'";




if($result=mysql_query($sql)){
    $found_user=mysql_fetch_array($result);
    if (mysql_num_rows($result)!=0){

$_SESSION['myusername']=true; 
header("location:login_success.php");
}

else {
echo "Wrong Username or Password";
}
}
?>



 now it always says wrong username and password entered even though
    with right username and password entered. And here is the login form:


<form method="post" action="check_login.php">
    <p><input type="text" name="username" value="" placeholder="Username"></p>
    <p><input type="password" name="password" value="" placeholder="Password"></p>

    <p class="submit"><input type="submit" name="submit" value="Login"></p>
  </form>

4 个答案:

答案 0 :(得分:1)

因为您只是检查用户名而不是两者

$sql="SELECT username,password FROM members 
WHERE username='$myusername' AND password = '$mypassword'";

您必须使用SALT转换密码,并且必须检查。

答案 1 :(得分:1)

$sql="SELECT username,password FROM members WHERE username='$myusername'";

应该是

$sql="SELECT username,password FROM members WHERE username='$myusername' AND 
password='$mypassword'";

答案 2 :(得分:0)

您没有检查密码。

$myusername = mysql_real_escape_string ($_POST['username']);
$mypassword = mysql_real_escape_string ($_POST['password']);

$sql="SELECT username,password FROM members WHERE username='$myusername' 
      AND password='$mypassword'";

你的逻辑应该是:

$result=mysql_query($sql);

if($result and mysql_num_rows($result)){
       $_SESSION['myusername']=true; 
       header("location:login_success.php");
}
else {
    echo "Wrong Username or Password";
}

答案 3 :(得分:0)

您尚未检查密码,也没有检查用户名和密码的CASE。

尝试此查询: - 

SELECT username,password FROM members WHERE binary username='$myusername' and binary password ='$mypassword'

使用binary检查用户名和密码的区分大小写。 希望它也能帮助您检查用户名和密码区分大小写。

相关问题
最新问题