获得完全匹配

时间:2014-06-06 21:40:20

标签: php sql

我想找到完全匹配的用户名和密码,但这些查询让我登录即使我写了值的第一个字符(例如,如果密码是“果冻”,只写“jel”会让我登录)。有什么问题?

    //conn db
    $conn = new mysqli($DBServer, $DBUser, $DBPass, $DBName);

    /* check connection */
    if ($conn->connect_errno) {
        printf("Connect failed: %s\n", $conn->connect_error);
        exit();
    }
    //query
    $result = $conn->query("SELECT userName FROM Users WHERE userName='" . $_POST["user"] . "'");

    //verif user
    if (!$result->num_rows) {
        echo '<span>Username ' . $_POST["user"] . ' doesn\'t exist in the database. Do you want to  <a class="underl" href="register.php">register a new one?</a></span><br>';
    } //verific daca parola e buna(+recover pass)
    //parola goala?
    else if (empty($_POST["pwd"])) echo '<span>Please enter the password associated to your username to log in. If you forgot it you can <a class="underl" href="recover.php">recover it.</a></span><br>';
    else {//verific daca parola e buna
        /* free result set */
        $result->close();
        //query
        $result = $conn->query("SELECT password FROM Users WHERE password='" . $_POST["pwd"] . "'");
        //verif
        if (!$result->num_rows)
            echo '<span>Entered password doesn\'t match for the username ' . $_POST["user"] . '. If you forgot it you can <a class="underl" href="recover.php">recover it.</a></span><br>';
else //login...}

1 个答案:

答案 0 :(得分:1)

您的第二个查询对您要检查的用户一无所知。这几乎允许用户以任何人的身份登录,如果他们在db中知道至少1个密码。

$result = $conn->query("SELECT password FROM Users WHERE password='" . $_POST["pwd"] . "' AND username = '...'");