mysql_fetch assoc拒绝返回密码行。需要帮助

时间:2010-02-26 13:06:54

标签: php

用户名行完全出来但密码行拒绝通过。

我在这里不知所措。

有人知道解决方案是什么吗?

这是我的代码:: 

<?php

//Mass include file
include ("includes/mass.php");

//This is the login script
//Grabbing the login values and storing them

$username = $_POST['username'];
$password = $_POST['password'];
$submit   = $_POST['submit'];

if (isset($submit))
{
    if (strlen($username)<2) // put || ($username==(same as value on the database)
    {
        echo ("<br>You must enter a longer username</br>");
    }
    elseif (strlen($password)<=6)
    {
        echo ("<br>You must enter a longer password<br>");
    }
    else
    {
        $sql = "SELECT * FROM user WHERE username = '$username'";
        $query = mysql_query($sql);
        $numrows = mysql_num_rows($query);

        if ($numrows != 0)
        {
            while ($row = mysql_fetch_assoc($query))
                $dbusername = $row['username'];
            $dbpassword = $row['password'];         

            if ($dbusername == $username && $dbpassword == $password)
            {
                echo "your in!";
            }
            else
            {
                echo "Wrong info";
            }
        }
        else
        {
            die ("That username doesnt exist");
        }
    }
}

?>

3 个答案:

答案 0 :(得分:4)

一段时间后你有一个缺失的括号。

两个

$dbusername = $row['username'];
$dbpassword = $row['password'];

应该在while循环内,而不是这种情况。

您需要执行以下操作:

while ($row = mysql_fetch_assoc($query)) {

    $dbusername = $row['username'];
    $dbpassword = $row['password'];           

    if ($dbusername == $username && $dbpassword == $password) {
        echo "your in!";
    }
....

补充马太所说的话:

您不应向用户显示“用户名不存在”等消息。这为想要闯入的黑客提供了有价值的信息。如果用户提供了错误的用户名和/或错误的密码,您应该显示“无效的用户名或密码”。

答案 1 :(得分:0)

如果用户名不是唯一的,您的脚本将失败。可能就是这种情况吗?

除此之外,将密码存储为纯文本而不是清理用户输入:非常糟糕的想法......

修改顺便说一下,为什么不在查询中检查有效的用户名/密码组合:

... WHERE username='" . mysql_real_escape_string($username) . "'
    AND password='" . some_hashing_function($password) .  "'";

另一个编辑:您必须仔细查看正在发生的事情;我的初始答案(非唯一用户ID)可能是个问题,但@ codaddict的答案已经可以解决您的问题了。

基本上,如果没有大括号,你的陈述是这样的:

while ($row = mysql_fetch_assoc($query))
    $dbusername = $row['username'];
    $dbpassword = $row['password'];         
    ....

与php相同:

while ($row = mysql_fetch_assoc($query))
{
    $dbusername = $row['username'];
}
$dbpassword = $row['password'];
...

所以当你想要填充你的$ dbpassword时,$ row已经是空的。

答案 2 :(得分:0)

I like the suggestion about the {} that normally encompasses the code that occurs in a while loop. Id replace 

while ($row = mysql_fetch_assoc($query))
                $dbusername = $row['username'];
            $dbpassword = $row['password']; 

with

while ($row = mysql_fetch_assoc($query))
{
   $dbusername = $row['username'];
   $dbpassword = $row['password']; 
}
// this lets the loop finish so $dbusername and $dbpassword are potentially set
// so you can contine with your if statements

Another thing to check is your html - check your password field looks something
like <input type="password" name="password" />

You could always try echo $password; immediately after $_POST['password'] to see 
if it existed in the first place. Then echo any of your variables after they have
been set to see if they exist.
相关问题
最新问题