Hi, I'm new to PHP and I'm trying to create a simple login and registration feature for users. Once a user registers, his details are added to the database so that he can log in. But right now, even when his username and password are correct, it does not log in.
Here is my code:
```php
<?php
if(!empty($_POST['username']) && !empty($_POST['password']))
{
$username = mysql_real_escape_string($_POST['username']);
$password = md5(mysql_real_escape_string($_POST['password']));
$checklogin = mysql_query("SELECT * FROM admin WHERE Username = '".$username."' AND Password = '".$password."'");
if(mysql_num_rows($checklogin) == 1)
{
$row = mysql_fetch_array($checklogin);
$email = $row['Email_Address'];
$_SESSION['Username'] = $username;
$_SESSION['Email_Address'] = $email;
$_SESSION['LoggedIn'] = 1;
echo "<h1>Success</h1>";
echo "<p>We are now redirecting you to the member area.</p>";
echo "<meta http-equiv='refresh' content='=2;index2.php' />";
header("Location: Home.php");
}
else
{
echo "<h1>Error {$password}</h1>";
echo "<p>Sorry, your account could not be found. Please <a href=\"index2.php\">click here to try again</a>.</p>";
}
}
else
{?>
<h1>Member Login</h1>
<p>Please either login below, or <a href="register2.php">click here to register</a>.</p>
<form method="post" action="index2.php" name="loginform" id="loginform">
<fieldset>
<label for="username">Username:</label><input type="text" name="username" id="username" /><br />
<label for="password">Password:</label><input type="password" name="password" id="password" /><br />
<input type="submit" name="login" id="login" value="Login" />
</fieldset>
</form>
<?php }?>
```
Thanks for any help.
Answer 0 (score: 0)
As pointed out in the comments, you really should be using mysqli or PDO; the mysql extension is now deprecated and offers very little in the way of protection against the dreaded SQL injection attack. The code below uses mysqli and has been tested with both a plain-text password (as currently shown) and an md5-hashed version.
If your database stores the user passwords in pre-hashed md5 format, set $prehashed=true
```php
<?php
session_start();
$errors=array();
$prehashed=false;
if( $_SERVER['REQUEST_METHOD']=='POST' && isset( $_POST['username'], $_POST['password'] ) ){
/* Your db connection settings: change as appropriate */
$host = 'localhost';
$uname = 'xxx';
$pwd = 'xxx';
$db = 'xxx';
/* create mysqli object */
$conn = new mysqli( $host, $uname, $pwd, $db );
/* Create and prepare the sql */
$sql = 'select `username`,`email` from `admin` where `username`=? and `password`=?';
$stmt = $conn->prepare( $sql );
/* Bind the placeholders to the desired fields (bound by reference, so the values assigned below are used at execute time) */
$stmt->bind_param( 'ss', $username, $password );
/* Populate the variables with POST data - with some minor filtering (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1) */
$username = trim( strip_tags( filter_input( INPUT_POST, 'username', FILTER_SANITIZE_STRING ) ) );
$password = trim( strip_tags( filter_input( INPUT_POST, 'password', FILTER_SANITIZE_STRING ) ) );
/* Pre-hashed MD5 password? */
if( $prehashed ) $password = md5( $password );
/* Execute the query */
$result = $stmt->execute();
$stmt->bind_result( $user, $email );
/* If the query executed, fetch the row; a match sets session vars and redirects */
if( $result ){
/* Get the records */
$stmt->fetch();
/* success? */
if( isset( $user, $email ) ){
$_SESSION['Username'] = $user;
$_SESSION['Email_Address'] = $email;
$_SESSION['LoggedIn'] = 1;
$conn->close();
header( 'location: home.php?username='.$user.'&email='.$email );
/* stop here so the form below is not sent after the redirect header */
exit;
} else {
$conn->close();
$errors[]='<h1>Error</h1>';
$errors[]='<p>Sorry, your account could not be found. Please try again.</p>';
}
} else {
/* There was some sort of error, display results below form */
$conn->close();
$errors[]='<h1>Error</h1>';
$errors[]='<p>Sorry, your account could not be found. Please try again.</p>';
}
}
?>
<!doctype html>
<html>
<head>
<title>Member login</title>
<style>
form{
width:50%;
float:none;
margin:1rem auto;
}
label{
display:block;
width:80%;
float:none;
clear:both;
margin:1rem auto;
box-sizing:content-box;
padding:1rem;
}
label:before{
display:inline-block;
clear:none;
float:left;
width:20%;
content:attr(for)": ";
}
label > input{
clear:none;
float:left;
display:block;
}
</style>
</head>
<body>
<form method="post" name="loginform" enctype='application/x-www-form-urlencoded'>
<h1>Member Login</h1>
<p>Please either login below, or <a href="register2.php">click here to register</a>.</p>
<fieldset>
<label for="Username"><input type="text" name="username" id="username" /></label>
<label for="Password"><input type="password" name="password" id="password" /></label>
<input type="submit" name="login" id="login" value="Login" />
</fieldset>
<?php
if( $_SERVER['REQUEST_METHOD']=='POST' && isset( $_POST['username'], $_POST['password'] ) ){
if( !empty( $errors ) ) echo implode( PHP_EOL, $errors );
}
?>
</form>
</body>
</html>
```
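The answer above fixes the injection problem with prepared statements but still compares md5 hashes in SQL. The following is an added example, not the question's or the answer's code, showing the same mysqli login flow with password_hash()/password_verify() and the redirect followed by exit; it assumes a hypothetical `admin` table whose `password` column holds password_hash() output rather than md5.

```php
<?php
// Added example (not the question's or the answer's code): the answer's
// prepared-statement login with password_hash()/password_verify() in place of
// md5. Assumes (hypothetically) table `admin`(`username`,`email`,`password`).
declare(strict_types=1);

// Store a new user's password as a salted bcrypt hash rather than md5.
function registerUser(mysqli $conn, string $username, string $email, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('INSERT INTO `admin` (`username`, `email`, `password`) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $username, $email, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
// Look the user up by username only and compare the password in PHP. Returns the
// user's row on success, null otherwise. Neither value is spliced into the SQL.
function authenticate(mysqli $conn, string $username, string $password): ?array
{
    $stmt = $conn->prepare('SELECT `username`, `email`, `password` FROM `admin` WHERE `username` = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($user, $email, $hash);
    $found = $stmt->fetch() === true;
    $stmt->close();
    // Verify against a throwaway hash when the user is unknown, so the
    // response time does not reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $valid = password_verify($password, $found ? $hash : $dummy);
    return ($found && $valid) ? ['username' => $user, 'email' => $email] : null;
}
// Request handling, mirroring the answer's flow: regenerate the session id on
// login and exit after the redirect so nothing runs after the header is sent.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    $conn = new mysqli('localhost', 'xxx', 'xxx', 'xxx'); // placeholder credentials
    $user = authenticate($conn, (string) $_POST['username'], (string) $_POST['password']);
    $conn->close();
    if ($user !== null) {
        session_regenerate_id(true);
        $_SESSION['Username'] = $user['username'];
        $_SESSION['Email_Address'] = $user['email'];
        $_SESSION['LoggedIn'] = 1;
        header('Location: home.php');
        exit;
    }
    echo '<p>Sorry, your account could not be found. Please try again.</p>';
}
```

Because the hash is checked with password_verify() in PHP, the `password` column never appears in the WHERE clause and the username is the only value sent to the database.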