我想找到完全匹配的用户名和密码,但这些查询让我登录即使我写了值的第一个字符(例如,如果密码是“果冻”,只写“jel”会让我登录)。有什么问题?
//conn db
$conn = new mysqli($DBServer, $DBUser, $DBPass, $DBName);
/* check connection */
if ($conn->connect_errno) {
printf("Connect failed: %s\n", $conn->connect_error);
exit();
}
//query
$result = $conn->query("SELECT userName FROM Users WHERE userName='" . $_POST["user"] . "'");
//verif user
if (!$result->num_rows) {
echo '<span>Username ' . $_POST["user"] . ' doesn\'t exist in the database. Do you want to <a class="underl" href="register.php">register a new one?</a></span><br>';
} //verific daca parola e buna(+recover pass)
//parola goala?
else if (empty($_POST["pwd"])) echo '<span>Please enter the password associated to your username to log in. If you forgot it you can <a class="underl" href="recover.php">recover it.</a></span><br>';
else {//verific daca parola e buna
/* free result set */
$result->close();
//query
$result = $conn->query("SELECT password FROM Users WHERE password='" . $_POST["pwd"] . "'");
//verif
if (!$result->num_rows)
echo '<span>Entered password doesn\'t match for the username ' . $_POST["user"] . '. If you forgot it you can <a class="underl" href="recover.php">recover it.</a></span><br>';
else //login...}
答案 0 :(得分:1)
您的第二个查询对您要检查的用户一无所知。这几乎允许用户以任何人的身份登录,如果他们在db中知道至少1个密码。
$result = $conn->query("SELECT password FROM Users WHERE password='" . $_POST["pwd"] . "' AND username = '...'");