mysqli查询返回0结果尽管MySQL数据库中的信息

时间:2015-07-23 23:32:07

标签: php mysql mysqli

我正在制作登录屏幕,因此一旦设置了会话,一个人就可以访问我网站上的各个页面。

然而,似乎当我发送用户名和密码与我在MySQL数据库中进行比较时,结果会变回空白。

MySQL表:

Id, Username, Password, Email, group
1,  bunbun, hashedpassword, example@email.com, admin

PHP代码:

<?php
include_once("functions/con-open.php");

if (isset($_POST['username']))
{
    $name = $_POST['username'];

    //$password = password_hash($_POST['password'], PASSWORD_BCRYPT);
    $password = $_POST['password'];
    $name = mysql_real_escape_string($name);
    $password = mysql_real_escape_string($password);
}

function LOGIN($Name, $Password)
{
    $conn = new mysqli(HOST,USER,PASSWORD,DATABASE);

    if ($conn->connect_errno) 
    {
        printf("Connect failed: %s\n", $conn->connect_error);
        exit();
    }   

    if ($result = $conn->query("SELECT * FROM persons WHERE Username='$Name'", MYSQLI_USE_RESULT))
    {
        printf("Select returned %d rows.\n", $result->num_rows);
        echo "<br>Name  Dump<br>";
        var_dump($Name);
        echo "<br>Password  Dump <br>"; 
        var_dump($Password);
        echo "<br>";
        echo "<br>";
        var_dump( $result);
        $result->close();
    }
    else
    {
        echo"no details returned <br>";
        var_dump( $result);
        $result->close();
    }
}
?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Login</title>
<link type="text/css" href="css.css" rel="stylesheet" />
</head>

<body>


<form action="login.php" method="post" name="login-form">
Email: <input type="text" name="username" /><br>
Password: <input type="password" name="password"/>
<input type="submit" value="Login"/>
</form>

<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') 
{
    LOGIN($NAME, $PASSWORD); 
}

?>

</body>
</html>

结果是

    Select returned 0 rows.
This is what I have typed in username field: 
This is what I have typed in password field:
Name from DB:
Password from DB:

object(mysqli_result)#2 (5) { ["current_field"]=> int(0) ["field_count"]=> int(5) ["lengths"]=> NULL ["num_rows"]=> int(0) ["type"]=> int(0) }

我出错的任何想法?
我的哈希的列是Vchar(255)我从一开始就给它足够的空间。

更新!这可能更严重,我已经改变了上面的代码,以反映maytham的优秀答案。但它仍然返回0结果
我冒昧地在循环中添加if (isset($_POST['username']))

echo "This is what the value name is: ".$name."<br>";

就在我调用LOGIN($ name,password)之前;看看是否设置了$ name,它是 但是在调用的函数和在sql查询中使用的$ Name之间,值为空。不知道为什么会这样我将不得不调试我的php安装,看看是否有任何错误。

2 个答案:

答案 0 :(得分:2)

以下是我观察到并为您解决的问题。

按照步骤进行操作:

步骤A

if ($result = $conn->query("SELECT * FROM persons WHERE Username='$Name'", MYSQLI_USE_RESULT))

if ($result = $conn->query("SELECT * FROM persons WHERE Username = '$Name'"))

步骤B

问题中提供的代码,函数LOGIN需要以}

结尾
function LOGIN($Name, $Password)

步骤C(可选)

当我测试时,我已将密码更改为纯文本,以确保每件事都有效,但这取决于您。

$password = $_POST['password'];

步骤D

在代码的开头,我将放置if statement

if (isset($_POST['username']))
{
    $name = $_POST['username'];
    // disable for testing
    //$password = password_hash($_POST['password'], PASSWORD_BCRYPT);
    $password = $_POST['password'];
}

步骤E(可选)

我建议您将所有变量(例如$USERNAME)更改为$username

步骤F

尝试通过添加mysql_real_escape_string来保护您的输入免受SQL注入:

$name = mysql_real_escape_string($name);
$password = mysql_real_escape_string($password);
  • 感谢用户@ibu注意到

<强>最后 以下是我修改的完整可行代码:

<?php
if (isset($_POST['username']))
{
    $name = $_POST['username'];
    //$password = password_hash($_POST['password'], PASSWORD_BCRYPT);
    $password = $_POST['password'];
    $name = mysql_real_escape_string($name);
    $password = mysql_real_escape_string($password);
}
function LOGIN($Name, $Password)
{
    $conn = new mysqli("localhost", "root", "", "test");

    if ($conn->connect_errno)
    {
        echo "Failed to connect to MySQL: (" . $conn->connect_errno . ") " . $conn->connect_error;
    }

    if ($result = $conn->query("SELECT * FROM persons WHERE Username = '$Name'"))
    {
        $row = $result->fetch_assoc();
        printf("Select returned %d rows.\n", $result->num_rows);
        echo "<br />";
        echo "This is what I have typed in username field: " . $Name;
        echo "<br />";
        echo "<b>Name from DB: </b>" . $row['Username'] . "<br />";
        echo "<b>Password from DB: </b>" . $row['Password'] . "<br />";
        echo "<br />";
        var_dump($result);
        $result->close();
    } else
    {
        echo "no details returned <br>";
        var_dump($result);
        $result->close();
    }
}

?>
<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
    <title>Login</title>
    <link type="text/css" href="css.css" rel="stylesheet"/>
</head>

<body>

<form action="login.php" method="post" name="login-form">
    Email: <input type="text" name="username"/><br>
    Password: <input type="password" name="password"/>
    <input type="submit" value="Login"/>
</form>

<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
    LOGIN($name, $password);
}

?>

</body>
</html>

以下是我的屏幕测试结果: enter image description here

注意:当提到所有这些时,这并不意味着代码或所呈现的内容是一个好的或完美的解决方案。在构建登录机制时,您需要考虑很多事情。代码也容易受到您需要的SQL注入的影响,并且必须做很多工作。我鼓励你看看:

Link1:http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

Link2:https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Link3:http://php.net/manual/en/mysqli.quickstart.statements.php

答案 1 :(得分:0)

您已编辑数据或需要trim()用于隐藏字符。

string(13)“bunbun”

长度不是13个字符

没有理由认为查询应该像它一样转储。

正如其他人所说。请注意SQL注入是否也