如何检查用户名和密码是否与数据库匹配

时间:2014-12-04 15:37:01

标签: php mysql sql forms

我的代码检查数据库中是否存在用户名,但是如果密码不正确或为空,用户仍然可以登录(重定向到welcome.php)。我如何实现它以便密码必须正确以及用户名?

<?php 
if($_SERVER['REQUEST_METHOD'] === 'POST'){

    $servername = "localhost";
    $username = "root";
    $password = "root";
    $dbname = "logreg";

// Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    $user = $conn->real_escape_string(htmlspecialchars(trim($_POST['username'])));

    $query = "SELECT `username` FROM `users` WHERE `username` = '$user'";

    $result = $conn->query($query);
    if($result->num_rows > 0) {
       header('Location:welcome.php');
       die();
    }
    else $message = 'user does not exist';
}
?>

<html>
    <head>    
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Log In</title>
        <link type="text/css" rel="stylesheet" href="css/bootstrap.css"/>
        <link type="text/css" rel="stylesheet" href="css/bootstrap.min.css"/>
        <link type="text/css" rel="stylesheet" href="css/bootstrap-theme.css"/>
        <link type="text/css" rel="stylesheet" href="css/bootstrap-theme.min.css"/>
        <link type="text/css" rel="stylesheet" href="css/styles.css"/>
        <link href='http://fonts.googleapis.com/css?family=Open+Sans' rel='stylesheet' type='text/css'>
    </head>
    <body>  
        <div class="header">
             <div class="body">

        <div id="loginbox" class="mainbox col-md-6 col-md-offset-3 col-sm-8 col-sm-offset-2">                    
            <div class="panel">
                    <div class="panel-heading">
                        <div class="panel-title"><h1>Sign In</h1></div>
                            <div style="float:right; font-size: 80%; position: relative; top:-10px"><a href="passreset.html">Forgot password?</a></div>
                    </div>    

                    <div style="padding-top:30px" class="panel-body" >
                        <div style="display:none" id="login-alert" class="alert alert-danger col-sm-12"></div>

                        <form id="loginform" class="form-horizontal" role="form" action = "index.php" method = "post" enctype="multipart/form-data">
                                 <h4><?php if(isset($message)) : ?>
                    <div class="error"><?php echo $message; ?></div>
                <?php endif; ?></h4>
                            <div style="margin-bottom: 25px" class="input-group">
                                        <span class="input-group-addon"><i class="glyphicon glyphicon-user"></i></span>
                                        <input id="username" type="text" class="form-control" name="username" value="" placeholder="username">       </div>

                            <div style="margin-bottom: 25px" class="input-group">
                                        <span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span>
                                        <input id="login-password" type="password" class="form-control" name="password" placeholder="password">
                                    </div>

                            <div class="input-group">
                                      <div class="checkbox">
                                        <label>
                                          <input id="login-remember" type="checkbox" name="remember" value="1"> Remember me
                                        </label>
                                      </div> 

                             <div style="margin-top:10px" class="form-group">
                                    <!-- Button -->
                                    <div class="col-sm-12 controls">
                                      <input type = "submit" value = "Log In"></a>
                                    </div>
                                </div>
                                    </div>

                                <div class="form-group">
                                    <div class="col-md-12 control">
                                        <div style="border-top: 1px solid#888; padding-top:15px; font-size:85%">
                                            Don't have an account! 
                                        <a href="register.html" onClick="$('#loginbox').hide(); $('#signupbox').show()">
                                            Sign Up Here
                                        </a>
                                        </div>
                                    </div>
                                </div>    
                            </form>     
                        </div>                     
                    </div>  
        </div>
                                <div style="border-top: 1px solid #999; padding-top:20px"  class="form-group">                                    
                                </div>
                            </form>
                         </div>
                    </div>
         </div> 
    </div>
    </body>
    </html>

2 个答案:

答案 0 :(得分:2)

检查密码

$query = "SELECT `username` AND `password` FROM `users` WHERE `username` = '$user' and password = '$password'";

但我建议密码存储为加密字符串(请阅读下面的评论)。

所以你这样做

$password = function_that_encrypts($password);
$query = "SELECT `username` AND `password` FROM `users` WHERE `username` = '$user' and password = '$password'";

使用prepared statementsPDO with prepared statements他们更安全


  • MD5已经老了,被认为已经坏了。

我建议您使用CRYPT_BLOWFISH或PHP 5.5&#39 {s} password_hash()功能 对于PHP&lt; 5.5使用password_hash() compatibility pack

答案 1 :(得分:0)

您使用的查询仅根据用户名进行选择。您还需要通过将密码添加到WHERE子句来检查密码。

根据您所拥有的内容,您需要执行以下操作:

$user = $conn->real_escape_string(htmlspecialchars(trim($_POST['username'])));
$pass = $conn->real_escape_string(htmlspecialchars(trim($_POST['password'])));
$query = "SELECT `username` AND `password` FROM `users` WHERE `username` = '$user' AND `password` = '$pass'";

显然,您需要在存储密码之前对密码运行任何进程。我希望你没有以纯文本形式存储密码。