使用PHP

时间:2015-07-13 15:29:49

标签: php mysql html5

我有一个包含以下列的MySql数据库:

enter image description here

和HTML表单如下:

                           <form method="post" action="validate.php">
                               <label for="users_email">Email:</label>
                               <input type="text" id="users_email" name="users_email">
                               <label for="users_pass">Password:</label>
                               <input type="password" id="users_pass" name="users_pass">
                               <input type="submit" value="Submit"/>
                           </form>

这是validate.php页面中的代码片段:

$email = $_POST['users_email'];
$pass = $_POST['users_pass'];

$dbhost = '************';
$dbuser = '************';
$dbpass = '************';
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn)
{
    die('Could not connect: '. mysql_error());
}

mysql_select_db("SafeDropbox", $conn);

$result = mysql_query("SELECT Email, UserPassword FROM tblnewusers WHERE Email = $email");

$row = mysql_fetch_array($result);

if($row['Email'] == $email && $row['UserPassword'] == $pass) {
    echo "Valid";   
}

elseif($row.count() == 0) {
    echo "No Match";
}

else {
    echo "Invalid";
 //header("Location: http://www.google.ie");
    //exit();
}

问题是即使$ email和$ pass的值肯定在我的数据库中,我也没有匹配。我做错了什么?

1 个答案:

答案 0 :(得分:1)

问题在于:

Configuration

$ email应该被转义并被引号括起来。最安全的解决方案是使用准备好的声明:

$result = mysql_query("SELECT Email, UserPassword FROM tblnewusers WHERE Email = $email");

有关详细信息,请参阅http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

相关问题
最新问题