我已经尝试了几个小时的答案,但这里没有任何答案似乎有帮助。
当我运行代码时,我在第8行($db_select)得到以下错误:
警告:mysqli_select_db()期望参数1为mysqli,string 在
中给出警告:mysqli_error()需要1个参数,0在
中给出
有人可以告诉我这段代码有什么问题:
<?php
$servername = "localhost";
$username = "my username";
$password = "my password";
$dbname = "my database";
$tablename ="users";
$connection = mysqli_connect($servername, $username, $password) or die (mysqli_error());
$db_select = mysqli_select_db($tablename, $connection) or die (mysqli_error());
$email = $_POST['email'];
$password = $_POST['password'];
$result = mysqli_query($connection, "SELECT * FROM $tablename WHERE email='$email' and password='$password'");
$count = mysqli_num_rows($result);
if($count==1)
{
session_register("email");
session_register("password");
header("location:loginsuccess.php");
}
else
{
echo "Wrong email or password";
}
?>
答案 0 :(得分:0)
请在代码中进行此更改:
替换:
$connection = mysqli_connect($servername, $username, $password) or die (mysqli_error());
$db_select = mysqli_select_db($tablename, $connection) or die (mysqli_error());
使用:
$connection = mysqli_connect($servername, $username, $password, $tablename) or die (mysqli_error());
在每个查询命令中使用$ connection作为连接参数。
答案 1 :(得分:0)
到目前为止,这些答案都没有注意到您的代码非常不安全,因为您没有以任何方式清理您的输入。如果您只是将用户输入传递到结果中并且旧的bobby tables可以轻松攻击,则SQL Inject非常简单。
了解使用PDO。它非常好并且支持prepared statements。
答案 2 :(得分:-2)
代码可能对您有所帮助:
<?php
$servername = "localhost";
$username = "my username";
$password = "my password";
$dbname = "my database";
$tablename ="users";
$connection = mysqli_connect($servername, $username, $password, $dbname) or die (mysqli_error());
$email = $_POST['email'];
$password = $_POST['password'];
$stmt = $connection->prepare("SELECT * FROM $tablename WHERE email='?' and password='?'");
$stmt->bind_param("ss", $_POST['email'], $_POST['password']);
$stmt->execute();
$count = $stmt->num_rows;
if($count==1)
{
session_register("email");
session_register("password");
header("location:loginsuccess.php");
}
else
{
echo "Wrong email or password";
}