我正在制作登录屏幕,因此一旦设置了会话,一个人就可以访问我网站上的各个页面。
然而,似乎当我发送用户名和密码与我在MySQL数据库中进行比较时,结果会变回空白。
MySQL表:
Id, Username, Password, Email, group
1, bunbun, hashedpassword, example@email.com, admin
PHP代码:
<?php
include_once("functions/con-open.php");
if (isset($_POST['username']))
{
$name = $_POST['username'];
//$password = password_hash($_POST['password'], PASSWORD_BCRYPT);
$password = $_POST['password'];
$name = mysql_real_escape_string($name);
$password = mysql_real_escape_string($password);
}
function LOGIN($Name, $Password)
{
$conn = new mysqli(HOST,USER,PASSWORD,DATABASE);
if ($conn->connect_errno)
{
printf("Connect failed: %s\n", $conn->connect_error);
exit();
}
if ($result = $conn->query("SELECT * FROM persons WHERE Username='$Name'", MYSQLI_USE_RESULT))
{
printf("Select returned %d rows.\n", $result->num_rows);
echo "<br>Name Dump<br>";
var_dump($Name);
echo "<br>Password Dump <br>";
var_dump($Password);
echo "<br>";
echo "<br>";
var_dump( $result);
$result->close();
}
else
{
echo"no details returned <br>";
var_dump( $result);
$result->close();
}
}
?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Login</title>
<link type="text/css" href="css.css" rel="stylesheet" />
</head>
<body>
<form action="login.php" method="post" name="login-form">
Email: <input type="text" name="username" /><br>
Password: <input type="password" name="password"/>
<input type="submit" value="Login"/>
</form>
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
LOGIN($NAME, $PASSWORD);
}
?>
</body>
</html>
结果是
Select returned 0 rows.
This is what I have typed in username field:
This is what I have typed in password field:
Name from DB:
Password from DB:
object(mysqli_result)#2 (5) { ["current_field"]=> int(0) ["field_count"]=> int(5) ["lengths"]=> NULL ["num_rows"]=> int(0) ["type"]=> int(0) }
我出错的任何想法?
我的哈希的列是Vchar(255)我从一开始就给它足够的空间。
更新!这可能更严重,我已经改变了上面的代码,以反映maytham的优秀答案。但它仍然返回0结果
我冒昧地在循环中添加if (isset($_POST['username']))
echo "This is what the value name is: ".$name."<br>";
就在我调用LOGIN($ name,password)之前;看看是否设置了$ name,它是 但是在调用的函数和在sql查询中使用的$ Name之间,值为空。不知道为什么会这样我将不得不调试我的php安装,看看是否有任何错误。
答案 0 :(得分:2)
以下是我观察到并为您解决的问题。
按照步骤进行操作:
步骤A
if ($result = $conn->query("SELECT * FROM persons WHERE Username='$Name'", MYSQLI_USE_RESULT))
要
if ($result = $conn->query("SELECT * FROM persons WHERE Username = '$Name'"))
步骤B
问题中提供的代码,函数LOGIN需要以}
function LOGIN($Name, $Password)
步骤C(可选)
当我测试时,我已将密码更改为纯文本,以确保每件事都有效,但这取决于您。
$password = $_POST['password'];
步骤D
在代码的开头,我将放置if statement
if (isset($_POST['username']))
{
$name = $_POST['username'];
// disable for testing
//$password = password_hash($_POST['password'], PASSWORD_BCRYPT);
$password = $_POST['password'];
}
步骤E(可选)
我建议您将所有变量(例如$USERNAME
)更改为$username
步骤F
尝试通过添加mysql_real_escape_string
来保护您的输入免受SQL注入:
$name = mysql_real_escape_string($name);
$password = mysql_real_escape_string($password);
<强>最后强> 以下是我修改的完整可行代码:
<?php
if (isset($_POST['username']))
{
$name = $_POST['username'];
//$password = password_hash($_POST['password'], PASSWORD_BCRYPT);
$password = $_POST['password'];
$name = mysql_real_escape_string($name);
$password = mysql_real_escape_string($password);
}
function LOGIN($Name, $Password)
{
$conn = new mysqli("localhost", "root", "", "test");
if ($conn->connect_errno)
{
echo "Failed to connect to MySQL: (" . $conn->connect_errno . ") " . $conn->connect_error;
}
if ($result = $conn->query("SELECT * FROM persons WHERE Username = '$Name'"))
{
$row = $result->fetch_assoc();
printf("Select returned %d rows.\n", $result->num_rows);
echo "<br />";
echo "This is what I have typed in username field: " . $Name;
echo "<br />";
echo "<b>Name from DB: </b>" . $row['Username'] . "<br />";
echo "<b>Password from DB: </b>" . $row['Password'] . "<br />";
echo "<br />";
var_dump($result);
$result->close();
} else
{
echo "no details returned <br>";
var_dump($result);
$result->close();
}
}
?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>Login</title>
<link type="text/css" href="css.css" rel="stylesheet"/>
</head>
<body>
<form action="login.php" method="post" name="login-form">
Email: <input type="text" name="username"/><br>
Password: <input type="password" name="password"/>
<input type="submit" value="Login"/>
</form>
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
LOGIN($name, $password);
}
?>
</body>
</html>
注意:当提到所有这些时,这并不意味着代码或所呈现的内容是一个好的或完美的解决方案。在构建登录机制时,您需要考虑很多事情。代码也容易受到您需要的SQL注入的影响,并且必须做很多工作。我鼓励你看看:
Link1:http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL
Link2:https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Link3:http://php.net/manual/en/mysqli.quickstart.statements.php
答案 1 :(得分:0)
您已编辑数据或需要trim()用于隐藏字符。
string(13)“bunbun”
长度不是13个字符
没有理由认为查询应该像它一样转储。
正如其他人所说。请注意SQL注入是否也