Question

尝试在PHP中验证登录但不完全了解它。此代码的问题在于，即使登录无效且与数据库中的数据不匹配，它仍会将其登录。底部的重定向代码工作正常。有什么想法吗？

CODE：

$result = mysql_query("SELECT * FROM user WHERE username='" . $_POST["username"] . "' and password = '" . $_POST["password"] . "'");

$row = mysql_fetch_array($result);
if (is_array($row)) {
    $_SESSION["user_id"] = $row[user_id];
    $_SESSION["user_name"] = $row[username];
} else {
    echo = "Invalid Username or Password!";
}

if ($_SESSION["user_name"] == 'ADMIN') {
    header("Location: admin.php");
} else {
    header("Location: useroptions.php");
}

Answer 1

$result = mysql_query("SELECT * FROM user WHERE username='" . $_POST["username"] . "' and password = '". $_POST["password"]."'");

$row  = mysql_fetch_array($result);

if(is_array($row)) 
{
    $_SESSION["user_id"]   = $row[user_id];
    $_SESSION["user_name"] = $row[username];

    if($_SESSION["user_name"] == 'ADMIN'){
        header("Location: admin.php");
    } else {
        header("Location: useroptions.php");
    }

} else {
    echo "Invalid Username or Password!";
}

Answer 2

看起来你可能有一些逻辑问题，试试这个：

<?php
session_start();

$sql = "SELECT * FROM user WHERE username='" . $_POST["username"] . "' and password = '" . $_POST["password"] . "'";
$query = mysql_query($sql);
$count = mysql_num_rows($query);

if($count === 1)
{
    $row = mysql_fetch_assoc($query);
    $_SESSION["user_id"] = $row[user_id];
    $_SESSION["user_name"] = $row[username];

    if($_SESSION["user_name"] == 'ADMIN')
    {
        header("Location: admin.php");
    }
    else
    {
        header("Location: useroptions.php");
    }
}
else
{
    echo = "Invalid Username or Password!";
}
?>

我强烈建议您考虑使用PDO连接，因为它将更加便携，如果使用得当，参数化查询几乎可以消除安全问题。

所有mysql_ *函数也将被弃用，因此您应该花时间学习最新标准。机械师不会专注于学习碳化发动机，他们将专注于燃油喷射系统。

大红色标志是停止使用这些功能的标志：

enter image description here

Answer 3

试试这个

 $result = mysql_query("SELECT * FROM user WHERE username='" . $_POST["username"] . "' and password = '". $_POST["password"]."'");

$row  = mysql_fetch_array($result);
if(is_array($row)) {
$_SESSION["user_id"] = $row[user_id];
$_SESSION["user_name"] = $row[username];
} 

else {
echo "Invalid Username or Password!";
exit(); 
}

if($_SESSION["user_name"] == 'ADMIN'){
header("Location: admin.php");
exit(); 
}
else {
header("Location: useroptions.php");
exit();
}

Answer 4

现在您的登录将有效您的数据与数据库不匹配，因为您有一点空格username ='“。$ _POST [”username“]。”'和password ='“。$ _ POST [”password“]。 “” 现在试试吧........

  $result = mysql_query("SELECT * FROM user WHERE username='".$_POST["username"]."' and password = '".$_POST["password"]."'");

    $row  = mysql_fetch_array($result);
    if(is_array($row)) {
    $_SESSION["user_id"] = $row[user_id];
    $_SESSION["user_name"] = $row[username];
    } 

    else {
    $message = "Invalid Username or Password!";
    }

    if($_SESSION["user_name"] == 'ADMIN'){
    header("Location: admin.php");
    }
    else {
    header("Location: useroptions.php");
    }

使用PHP验证登录和创建会话

4 个答案: