Question

我正在尝试将数据从我的Android应用程序发送到php服务器进行登录....但它反复我$ success = 1和＃message = login成功....即使我输入错误的用户名和密码.. ......任何人都可以帮助我吗？

if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    echo $username;
    echo $password;



    // include db connect class
    require_once __DIR__ . '/db_connect.php';

    // connecting to db
    $db = new DB_CONNECT();

    // mysql checking row
    $result = mysql_query("SELECT * FROM user WHERE username = '$username' AND password = '$password'")or die(mysql_error());

    // check if row exist or not
    if ($result == true) {
        // row exist in database
        $response["success"] = 1;
        $response["message"] = "Login successfully.";

        // echoing JSON response
        echo json_encode($response);
    } else {
        // row not exist
        $response["success"] = 0;
        $response["message"] = "Oops! An error occurred.";

        // echoing JSON response
        echo json_encode($response);
    }
    } else {
// required field is missing
$response["success"] = 0;
$response["message"] = "Required field(s) is missing";

// echoing JSON response
echo json_encode($response);
}

在android方面

：

      class NewSignup extends AsyncTask<String, String, String> {

    /**
     * Creating product
     * */
    protected String doInBackground(String... args) {

        // Building Parameters
        List<NameValuePair> params = new ArrayList<NameValuePair>();
        params.add(new BasicNameValuePair("username", username_editTextString));
        params.add(new BasicNameValuePair("password", password_editTextString));

        // getting JSON Object
        // Note that create product url accepts POST method
        json = jsonParser.makeHttpRequest(url_create_login,
                "POST", params);

        // check log cat fro response
        Log.i("Create Response", json.toString());

        // check for success tag
        try {
            int success = json.getInt(TAG_SUCCESS);

            if (success == 1) {
                // successfully login
                Intent i = new Intent(getApplicationContext(), Next.class);
                startActivity(i);

                // closing this screen
                finish();
            } else {
                // failed to login
            }
        } catch (JSONException e) {
            e.printStackTrace();
        }

        return null;
    }

Answer 1

$result = mysql_query("SELECT * FROM user WHERE username = '$username' AND password = '$password'")or die(mysql_error());

// check if row exist or not
if ($result == true) {

这不是你想要的。如documentation for mysql_query中所述，无论结果集中是否有任何行，它都将返回SELECT语句的资源。

您可以使用mysql_num_rows获取从mysql_query返回的结果集中的行数，以及您可能的内容：

// check if row exist or not
if (mysql_num_rows($result) == 1) {

此外，您的代码很容易受到SQL注入攻击。我强烈建议您阅读prepared statements上的一些信息。

Answer 2

关于你的php的一些指示

使用mysqli - 在5.5 +
使用预准备语句来避免SQL注入漏洞

所以登录代码应该是

    // Using prepared statements means that SQL injection is not possible. 
    if ($stmt = $mysqli->prepare("SELECT username, password
                  FROM user 
                                  WHERE username = ? LIMIT 1")) {
        $stmt->bind_param('s', $username);  // Bind "$username" to parameter.
        $stmt->execute();    // Execute the prepared query.
        $stmt->store_result();

        // get variables from result.
        $stmt->bind_result($username,$db_password);
        $stmt->fetch();
        if ($stmt->num_rows == 1 && $db_password == $password)
        {
          $response["success"] = 1;
          $response["message"] = "Login successfully.";


       } else {
         // failed to find row and match password 
         $response["success"] = 0;
         $response["message"] = "Oops! An error occurred.";


}


echo json_encode($response);

要与mysqli连接，请使用mysqli_connect http://uk3.php.net/manual/en/function.mysqli-connect.php

从Android应用程序发送数据到PHP服务器时接受错误的用户名和密码？

2 个答案: