为什么我的脚本会跳过带有mysql查询的If语句

时间:2014-09-17 02:12:08

标签: php mysql mysqli

我正在尝试为我拥有的项目制作登录脚本。我来自一个开放源代码,我输入了一些并复制/粘贴了一些。我经历了整个事情。我发现在if语句中使用mysql-> prepare的登录功能只是跳过。我不知道它是数据库中的内容还是脚本上的错误。 我得到剧本的地方是这个

http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

我的测试页面是ertechs.t15.org是用于登录的login.php。 username是test_user@example.com,密码是6ZaxN2Vzm9NUJT2y。 提前致谢。

这就是我遇到问题的地方。这个功能

function login($email, $password, $mysqli) {
      echo "Function login";
     // Using prepared statements means that SQL injection is not possible. 
    $prep_smt = "SELECT id, username, password, salt FROM members WHERE email = ? LIMIT 1";
    $smt = $mysqli->prepare($prep_smt);
   if ($stmt) 
    {
    echo "Tst passed";
    $stmt->bind_param('s', $email);  // Bind "$email" to parameter.
    $stmt->execute();    // Execute the prepared query.
    $stmt->store_result();

    // get variables from result.
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();

    // hash the password with the unique salt.
    $password = hash('sha512', $password . $salt);
    echo "password= =".$password;
    if ($stmt->num_rows == 1) {
    echo "row";
        // If the user exists we check if the account is locked
        // from too many login attempts 

        if (checkbrute($user_id, $mysqli) == true) {
        echo "brute true";
            // Account is locked 
            // Send an email to user saying their account is locked
            return false;
        } else {
        echo "pass match";
            // Check if the password in the database matches
            // the password the user submitted.
            if ($db_password == $password) {
            echo "pass correct";
                // Password is correct!
                // Get the user-agent string of the user.
                $user_browser = $_SERVER['HTTP_USER_AGENT'];
                // XSS protection as we might print this value
                $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                $_SESSION['user_id'] = $user_id;
                // XSS protection as we might print this value
                $username = preg_replace("/[^a-zA-Z0-9_\-]+/", 
                                                            "", 
                                                            $username);
                $_SESSION['username'] = $username;
                $_SESSION['login_string'] = hash('sha512', 
                          $password . $user_browser);
                // Login successful.
                return true;
            } else {
            echo "Password Failed";
                // Password is not correct
                // We record this attempt in the database
                $now = time();
                $mysqli->query("INSERT INTO login_attempts(user_id, time)
                                VALUES ('$user_id', '$now')");
                return false;
            }
        }
    } else {
    echo "user doesnt exist";
        // No user exists.
        return false;
    }
    echo "whatever";
}
echo "end Function Login";
}

1 个答案:

答案 0 :(得分:0)

$smt = $mysqli->prepare($prep_smt);
if ($stmt)

请注意t中缺少的$stmt

相关问题
最新问题