我可以注册用户但是当我尝试使用它时,我遇到了2个问题:
1:我可以使用用户名登录,但我也可以在密码输入部分输入我想要的内容,但我仍然登录(它不会检查数据库中的真实密码)
2:当我尝试使用电子邮件和密码组合时,我可以登录,我只收到错误消息。
我认为问题出在我的$query select FROM members bla bla ...但我不确定。
很抱歉这样的菜鸟。
这是register.php
<form method="post" action="">
<input type="text" name="username" placeholder="USERNAME">
<input type="password" name="password1" placeholder="PASSWORD">
<input type="password" name="password2" placeholder="CONFIRM PASSWORD">
<input type="text" name="email" placeholder="E-MAIL">
<input type="date" name="age" id="age" >
<input type="radio" value="male" name="gender" checked>
<input type="radio" value="female" name="gender">
<input type="submit" value="SIGN UP" name="create_member">
</form>
<?php
require_once ("core/connect.php");
if(isset($_POST['create_member']))
{
$username = mysqli_real_escape_string($dbc, trim ($_POST['username']));
$password1 = mysqli_real_escape_string($dbc, trim ($_POST['password1']));
$password2 = mysqli_real_escape_string($dbc, trim ($_POST['password2']));
$email = mysqli_real_escape_string($dbc, trim ($_POST['email']));
$age = mysqli_real_escape_string($dbc, trim ($_POST['age']));
$gender = mysqli_real_escape_string($dbc, trim ($_POST['gender']));
if($password1 != $password2)
{
echo 'THE TWO PASSWORDS ARE NOT THE SAME';
}
$hash = hash('sha256', $password1);
function createSalt()
{
$text = md5(uniqid(rand(), true));
return substr($text, 0, 3);
}
$salt = createSalt();
$password = hash('sha256', $salt . $hash);
if(!empty($username) && !empty($email) && !empty($password) && !empty($age) && !empty($gender))
{
$query_ind = "INSERT INTO members VALUES ('', '$username', '$password', '$email', '$age' , '$gender', '$salt', NOW())";
mysqli_query($dbc, $query_ind);
}
else
{
echo "FILL OUT THE FORM PLEASE";
}
}
?>
这是login.php
<?php
$error_msg = '';
if (isset($_POST['member_login']))
{
// Grab the user-entered log-in data
$member_username = mysqli_real_escape_string($dbc, trim($_POST['username']));
$member_email = mysqli_real_escape_string($dbc, trim($_POST['username']));
$member_password = mysqli_real_escape_string($dbc, trim($_POST['password']));
if (!empty($member_username) && !empty($member_password))
{
// Look up the username and password in the database
$query = "SELECT * FROM members WHERE member_username = '$member_username' OR member_email = '$member_email' AND member_password = '$member_password'"; // SHA('$member_password')";
$data = mysqli_query($dbc, $query);
if (mysqli_num_rows($data) == 1 )
{
// The log-in is OK so set the user ID and username session vars (and cookies), and redirect to the home page
$row = mysqli_fetch_array($data);
$_SESSION['member_id'] = $row['member_id'];
$_SESSION['member_username'] = $row['member_username'];
$_SESSION['member_email'] = $row['member_email'];
setcookie('member_id', $row['member_id'], time() + (60 * 60 * 24 * 7)); // expires in 7 days
setcookie('member_username', $row['member_username'], time() + (60 * 60 * 24 * 7)); // expires in 7 days
setcookie('member_email', $row['member_email'], time() + (60 * 60 * 24 * 7)); // expires in 7 days
header('Location: ' . $_SERVER['PHP_SELF'] . '?page=mlog_in');
}
else
{
// The username/password are incorrect so set an error message
$error_msg = ' INCORRECT INFOMATION, TRY AGAIN. ';
}
}
else
{
// The username/password weren't entered so set an error message
$error_msg = ' INCORRECT INFOMATION, TRY AGAIN. ';
}
}
mysqli_close($dbc);
if(!isset($_SESSION['member_id']))
{
?>
<div class="sixteen columns">
<h2>LOGIN</h2>
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post" class="sixteen columns">
<input required type="text" name="username" placeholder="USERNAME / E-MAIL"/>
<input required type="password" name="password" placeholder="PASSWORD" />
<input required type="submit" name="member_login" value="LOGIN" />
<input type="checkbox" name="remember" value="1"><span>REMEMBER ME</span>
<?php
echo '<p>' . $error_msg . '</p>';
?>
<?php
echo '<a href="index.php?page=register" title="CLICK TO SIGN UP">MAKE A PROFILE</a>';
?>
</form>
</div>
<?php
}
else
{
$profile = '';
if(isset($_GET['profile']))
{
$profile = $_GET['profile'];
}
?>
<?php
switch($profile)
{
default :
require_once 'profile/userpage.php';
break;
}
}
?>
答案 0 :(得分:1)
您的登录有两个问题。两者都与你的SELECT有关,但出于不同的原因。
首先,逻辑运算符AND和OR就是:运算符。像数学运算符一样,它们有一个操作顺序。 与在加法之前进行乘法的方式相同,在OR之前执行AND。
现在让我们仔细看看你的SELECT,同时用一些变量代替它们。
WHERE username=$username OR email=$email AND password=$password
如果我们遵循操作顺序,则首先评估“email = $ email AND password = $ password”。如果他们尝试使用用户名登录,则这将始终为false,因为用户名不等于电子邮件。新等式如下所示:
WHERE username=$username OR false
由于他们尝试使用用户名登录,因此表达式的第一部分将评估为true,这意味着整个表达式将评估为true。这就是为什么当您尝试使用用户名登录时,使用的密码无关紧要。
现在如果他们尝试使用电子邮件登录该怎么办?在这种情况下,您忘记了密码的密码,因此数据库密码永远不会与密码变量匹配。
希望能够解决它。
答案 1 :(得分:0)
您的SQL查询与member_username = '$member_username'或member_email = '$member_email' AND member_password = '$member_password'匹配
尝试将其更改为
SELECT *
FROM members
WHERE member_password = '$member_password'
AND (member_username = '$member_username' OR member_email = '$member_email');
有关详细信息,请参阅Operator Precedence in Mysql。