尝试在PHP中验证登录但不完全了解它。此代码的问题在于,即使登录无效且与数据库中的数据不匹配,它仍会将其登录。底部的重定向代码工作正常。有什么想法吗?
CODE:
$result = mysql_query("SELECT * FROM user WHERE username='" . $_POST["username"] . "' and password = '" . $_POST["password"] . "'");
$row = mysql_fetch_array($result);
if (is_array($row)) {
$_SESSION["user_id"] = $row[user_id];
$_SESSION["user_name"] = $row[username];
} else {
echo = "Invalid Username or Password!";
}
if ($_SESSION["user_name"] == 'ADMIN') {
header("Location: admin.php");
} else {
header("Location: useroptions.php");
}
答案 0 :(得分:1)
$result = mysql_query("SELECT * FROM user WHERE username='" . $_POST["username"] . "' and password = '". $_POST["password"]."'");
$row = mysql_fetch_array($result);
if(is_array($row))
{
$_SESSION["user_id"] = $row[user_id];
$_SESSION["user_name"] = $row[username];
if($_SESSION["user_name"] == 'ADMIN'){
header("Location: admin.php");
} else {
header("Location: useroptions.php");
}
} else {
echo "Invalid Username or Password!";
}
答案 1 :(得分:1)
看起来你可能有一些逻辑问题,试试这个:
<?php
session_start();
$sql = "SELECT * FROM user WHERE username='" . $_POST["username"] . "' and password = '" . $_POST["password"] . "'";
$query = mysql_query($sql);
$count = mysql_num_rows($query);
if($count === 1)
{
$row = mysql_fetch_assoc($query);
$_SESSION["user_id"] = $row[user_id];
$_SESSION["user_name"] = $row[username];
if($_SESSION["user_name"] == 'ADMIN')
{
header("Location: admin.php");
}
else
{
header("Location: useroptions.php");
}
}
else
{
echo = "Invalid Username or Password!";
}
?>
我强烈建议您考虑使用PDO连接,因为它将更加便携,如果使用得当,参数化查询几乎可以消除安全问题。
所有mysql_ *函数也将被弃用,因此您应该花时间学习最新标准。机械师不会专注于学习碳化发动机,他们将专注于燃油喷射系统。
大红色标志是停止使用这些功能的标志:
答案 2 :(得分:0)
试试这个
$result = mysql_query("SELECT * FROM user WHERE username='" . $_POST["username"] . "' and password = '". $_POST["password"]."'");
$row = mysql_fetch_array($result);
if(is_array($row)) {
$_SESSION["user_id"] = $row[user_id];
$_SESSION["user_name"] = $row[username];
}
else {
echo "Invalid Username or Password!";
exit();
}
if($_SESSION["user_name"] == 'ADMIN'){
header("Location: admin.php");
exit();
}
else {
header("Location: useroptions.php");
exit();
}
答案 3 :(得分:0)
现在您的登录将有效您的数据与数据库不匹配,因为您有一点空格username ='“。$ _POST [”username“]。”'和password ='“。$ _ POST [”password“]。 “” 现在试试吧........
$result = mysql_query("SELECT * FROM user WHERE username='".$_POST["username"]."' and password = '".$_POST["password"]."'");
$row = mysql_fetch_array($result);
if(is_array($row)) {
$_SESSION["user_id"] = $row[user_id];
$_SESSION["user_name"] = $row[username];
}
else {
$message = "Invalid Username or Password!";
}
if($_SESSION["user_name"] == 'ADMIN'){
header("Location: admin.php");
}
else {
header("Location: useroptions.php");
}