Question

我正在创建一个连接到我的数据库的登录表单（通过localhost，mysql，phpmyadmin）。在登录方面我遇到了问题。

当我登录时询问我的用户名和密码，如果我在数据库中提供用户名和任何随机密码 - 它仍会让我登录。但是，如果我输入任何随机用户名，则不会。

我已经在网上看过，通过我的PHP和我挣扎！（我已经看了好几个小时了，我会睁大眼睛。

感谢任何帮助。感谢。

这是我的login.php代码：

<?php

if ($username && $userid){
    echo "You are already logged in as <b>$username</b>. <a href='admin.php'> Click here </a>";
} else {
    $form= "<form action='login.php' method='POST'>
                <table>
                    <tr>
                        <td> Username: </td>
                        <td><input type='text' name='user' /></td>
                    </tr>
                    <tr>
                        <td> Password: </td>
                        <td><input type='password' name='password' /></td>
                    </tr>
                    <tr>
                        <td>  </td>
                        <td><input type='submit' name='loginbtn' value='login' /></td>
                    </tr>
                </table>
            </form>";

if ($_POST['loginbtn']) {       
    $user= $_POST['user'];
    $password = $_POST['password'];

    if ($user) { 
        if ($password) {
            require ("connect.php");

            $password= ('password');

            echo "$password";
            $query = mysql_query("SELECT * FROM users WHERE username='$user'");
            $numrows = mysql_num_rows($query);

            if ($numrows ==1) {
                $row= mysql_fetch_assoc($query);        
                $dbid = $row['id'];
                $dbuser = $row['username'];
                $dbpass = $row['password'];         
                $dbactive = $row['active'];

                if ($password == $dbpass) {
                    if ($dbactive == 1) {
                        $_SESSION['userid']= $dbid;
                        $_SESSION['username'] = $dbuser;

                        echo "You have been logged in as <i> $dbuser </i>. Click <a href='admin.php'> here </a> to go to the members page.";

                    } else {
                        echo "You must activate your account to login. $form";
                    }
                } else {
                    echo "You did not enter the correct password. $form";
                }
            } else {    
                echo "the username you entered was not found. $form";
            }

            mysql_close();
        } else {
            echo "You must enter your password. $form";
        }
    } else {
        echo "You must enter your username. $form";
    }
} else {    
    echo $form;         
}

?>

Answer 1

问题是，您可以在密码字段中写入任何内容，稍后，使用此代码对您进行硬编码：

$password = ('password');

因此，如果您的实际密码为password，那么您在该字段中写入的内容并不重要。

注意

不要使用mysql_ *函数，因为它们已被弃用。请改用mysqli或PDO。
让我们从外部转义变量，或者使用预处理语句来避免sql注入。

Answer 2

一些注意事项：

if ($_POST['loginbtn']) => if (isset($_POST['loginbtn'])) //You should really do this to other $_POST variables as well.

$user= $_POST['user']; // Sanitize this or use prepared statements.
$password = $_POST['password']; // Encrypt this!

mysql_query("SELECT * FROM users WHERE username='$user'"); // 1. Don't use mysql_, use mysqli_. 2. Using the asterisk (*) is bad practice, you should also attach a LIMIT 1

$password= ('password'); // What are you doing this for? You are changing the value of the $password variable and that's why it's always 'password'.

echo $form; // If you are echoing it once, why store it as a variable?

要直接解决您的问题，请移除$password= ('password');。

PHP登录表单适用于任何密码，但不适用于用户名？

2 个答案: