Question

我有这组登录代码。当我输入正确的密码时，我将能够进入网页。但我不确定为什么，当我输入错误的密码时，我仍然可以进入网页。

我不确定错误在哪里。

这是我的PHP代码：

<?php

//define page title
$title = 'Sign In';

session_start();
include_once 'dbconnect.php';


if(isset($_SESSION['user'])!="")
{
 header("Location: home.php");
}
if(isset($_POST['btn-login']))
{

  $UserEmail = isset($_GET['UserEmail']) ? $_GET['UserEmail'] : '';

  $Password = isset($_GET['Password']) ? $_GET['Password'] : '';


 $result=mysql_query("SELECT * FROM tbl_user WHERE UserEmail='$UserEmail'");
 $row=mysql_fetch_array($res);
 if($row['Password']=md5($Password))
 {
  $_SESSION['user'] = $row['Password'];
  header("Location: home.php");
 }
 else
 {
  ?>
        <script>alert('wrong details');</script>
     <?php
     }

    }
    ?>

Answer 1

您没有检查用户密码，这就是为什么它允许您访问包含错误凭据的页面。

试试这个，

<?php

//define page title
$title = 'Sign In';

session_start();
include_once 'dbconnect.php';


if(isset($_SESSION['user'])!="")
{
 header("Location: home.php");
}
if(isset($_POST['btn-login']))
{

  $UserEmail = isset($_GET['UserEmail']) ? $_GET['UserEmail'] : '';

  $Password = isset($_GET['Password']) ? $_GET['Password'] : '';


 $result=mysql_query("SELECT * FROM tbl_user WHERE UserEmail='$UserEmail' and password='$Password'");
 $row=mysql_fetch_array($res);
 if($row['Password']=md5($Password))
 {
  $_SESSION['user'] = $row['Password'];
  header("Location: home.php");
 }
 else
 {
  ?>
        <script>alert('wrong details');</script>
     <?php
     }

    }
    ?>

Answer 2

您正在发布表单，然后您会在$_POST而不是$_GET中获取变量。

$UserEmail = isset($_POST['UserEmail']) ? $_POST['UserEmail'] : '';

$Password = isset($_POST['Password']) ? $_POST['Password'] : '';

Answer 3

用以下内容替换您的查询：

<?php
//define page title
$title = 'Sign In';
session_start();
include_once 'dbconnect.php';

if (isset($_SESSION['user']) != "") {
    header("Location: home.php");
}
if (isset($_POST['btn-login'])) {
    $UserEmail = isset($_GET['UserEmail']) ? $_GET['UserEmail'] : '';
    $Password = isset($_GET['Password']) ? $_GET['Password'] : '';
    $result = mysql_query("SELECT * FROM tbl_user WHERE UserEmail='$UserEmail' AND Password='" . md5($Password) . "'");
    $row = mysql_fetch_array($result);
    if (count($row) > 0) {
        $_SESSION['user'] = $row['Password'];
        header("Location: home.php");
    } else {
        ?>
        <script>alert('wrong details');</script>
        <?php
    }
}
?>

Answer 4

我注意到的第一件事就是

if($row['Password']=md5($Password))

使用＆＃39; ==＆＃39; （双等）用于等式检查。单一等于分配

if($row['Password']==md5($Password))

Answer 5

if(isset($_SESSION['user'])!="")

那个人也是无意义的。我几乎可以肯定它会永远过去因为＆＃34; false＆＃34;！=＆＃34;＆＃34;

所以将其改为

if(isset($_SESSION['user']) && !empty($_SESSION['user']))

登录php无法正常工作

5 个答案: