Question

您好我正在登录页面，我有一个问题，当我输入用户名并登录页面更改为echo错误的用户名或密码。

它似乎没有进入login_success.php，这导致认为问题是sql语法，但我还没有找到答案为什么。我也认为它可能是if（$ count == 1）{并且尝试过（$ count＆gt; 1）{没有成功。

我搜索了网并尝试了几种不同的方法，但没有任何效果。我是新手，并将研究停止sqlinjection的方法，但是这个网站不是现场的，只是为了练习:)这个社区对我的学习很有帮助，非常感谢大家提前

HTML LoginPage.html

<form id=login name="login" action="login.php" method="post">
   <fieldset id=fs>
      <legend>Vault Security Console:</legend>
      <!-- legeng tage creates a header title for the fieldset box, filedset pulls all data in the tag to gether with a box around it. -->
      UserName: <input type="text" name="username"> <br>
      Password: <input type="password" name="password"> <br>
      <input type="submit" value="Login"> <input type="submit" value="Register"> 
   </fieldset>
</form>

PHP-login.php中

<?php
   // Create connection
   $con=mysqli_connect('172.16.254.111',"user","password","Faults"); //(connection location , username to sql, password to sql, name of db)

   // Check connection
   if (mysqli_connect_errno($con))
   {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
   }
   //below is the variables from the login form
   $username = $_POST['username'];

   $password = md5(strip_tags($_POST['password']));

   $sql="SELECT * FROM Users WHERE username='.addslashes($username).' and password='.addslashes($password).'";
   $result=mysqli_query($sql);   

   //Mysql_num_row is counting table row
   $count=mysqli_num_rows($result);   

   if($count==1){   
   session_register("username");
     session_register("password"); 
   header('location:login_success.php');
   }
   //if false echo below
   else {
    echo "<H2>Wrong Username or Password</H2>";
   }   
?>

Answer 1

试试这个。

<?php
  //below is the variables from the login form
  $username = mysqli_real_escape_string($con, $_POST['username']);
  $password = md5($_POST['password']);

  $sql="SELECT * FROM Users WHERE username='$username' and password='$password'";
  $result=mysqli_query($sql);   
?>

Answer 2

$sql="SELECT * FROM Users WHERE username='".addslashes($username)."' and password='".addslashes($password)."'";

请修改上述查询语句。

Answer 3

我认为用户名或密码存在问题您必须按照以下步骤操作： -

选择与登录用户对应的密码
将其与脚本生成的编码密码进行比较

 $username = mysqli_real_escape_string($con, $_POST['username']);
 $recievedPassword = md5($_POST['password']);

$qry="select password from Users where username=$username";
$row=mysqli_query($qry);

$result=mysqli_fetch_assoc($result);
$dbPassword=$result['passsword'];

if($recievedPassword==$dbPassword){
    echo "password matched"; 
}
else{
    echo "password mismatch, Please not encryped in db or there is any space..";
}

php登录脚本使用数据库

3 个答案: