我是初学者,我正在努力学习。我正在使用php,mysqli创建简单的登录表单。我创建了数据库,需要它的所有信息。我选择了下面的PHP代码试图在我的页面上登录用户,但是发生的事情是,在输入正确的电子邮件和密码之后,它只是让我回到同一页面(index.php),好像信息似乎不正确但我知道就像我把它们放在数据库中一样,它只是不想带我到下一页(home.php)。有人可以看看我的代码,看看我做错了什么。谢谢。
登录表单(index.php):
<form id="form" method="post" action="login_process.php">
<input type="text" name="email" size="15" placeholder="email" required="required" />
<input type="password" name="password" size="15" placeholder="Password" required="required" />
<input id="loginButton" type="submit" name="submit" value="LOGIN" />
</form>
db_config.php:
define("DBHOST", "localhost");
define("DBUSER", "root");
define("DBPASS", "");
define("DBNAME", "aroundtheworld");
login_process.php:
require("db_config.php");
$email = $_POST['email'];
$password = $_POST['password'];
$conn = mysqli_connect(DBHOST, DBUSER, DBPASS, DBNAME);
$email = mysqli_real_escape_string($conn, $email);
$query = "SELECT * FROM users WHERE email = '$email'";
$result = mysqli_query($conn, $query);
if(mysqli_num_rows($result) == 0){
header("Location: index.php");
}
$userData = mysqli_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password));
if($hash != $userData['password']){
header("Location: index.php");
}else{
header("Location: home.php");
}
答案 0 :(得分:2)
您不能只在字符串中使用变量,您需要将它们链接在一起。
所以你的
"SELECT * FROM users WHERE email = '$email'";
必须
"SELECT * FROM users WHERE email = " . $email;
但这是不安全和不良的做法!!
你对SQL Injection非常感激!
您至少需要使用Prepared Statements。
从链接中获取如何编写此类查询的示例
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
// insert one row
$name = 'one';
$value = 1;
$stmt->execute();