我正在尝试制作我的第一个登录系统。出于某种原因,当我尝试从我的数据库中获取密码时,它没有给出值?我不确定我做错了什么。错误介于$ sql和$ db_password之间。
@LFlare我不确定DESC用户是什么东西。这是桌子的图片,我不确定你想要它。 http://i.imgur.com/WkZV7IZ.png
谢谢!
<?php
session_start();
if (isset($_POST['login'])) {
include_once("db.php");
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysqli_real_escape_string($db, $username);
$password = mysqli_real_escape_string($db, $password);
$password = md5($password);
$sql = "SELECT * FROM users WHERE username = '$username' LIMIT 1";
$query = mysqli_query($db, $sql);
$row = mysqli_fetch_array($query);
$id = $row['id'];
$db_password = $row['password'];
//echo "Password: $password";
//echo "DB Password: $db_password";
if ($password == $db_password) {
$_SESSION['username'] = $username;
$_SESSION['id'] = $id;
header("Location: index.php");
} else {
echo "You didn't enter the correct details!";
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
</head>
<body>
<h1>Login</h1>
<form action="login.php" method="post" enctype="multipart/form-data">
<input placeholder="Username" name="username" type="text" autofocus>
<input placeholder="Password" name="password" type="password">
<input name="login" type="submit" value="Login">
</form>
</body>
</html>
答案 0 :(得分:1)
<?php
session_start();
if (isset($_POST['username']) && isset($_POST['password'])) {
include_once("db.php");
$username = mysqli_real_escape_string($sqlcon, $_POST['username']);
$password = mysqli_real_escape_string($sqlcon, $_POST['password']);
// If you want to make sure username is alphanumeric, you can do
// $username = preg_replace('/[^a-zA-Z0-9]/', '', mysqli_real_escape_string($sqlcon, $_POST['username']));
// Do not use these, mysqli_real_escape_string is enough to prevent injection attacks. Furthermore, you may be compromising user security by remove special characters in passwords.
// $username = strip_tags($_POST['username']);
// $password = strip_tags($_POST['password']);
// $username = stripslashes($username);
// $password = stripslashes($password);
// $password = md5($password); This is very susceptibile to rainbow table attacks, do something like a loop
for ($i = 0; $i < 1000; $i ++) {
$password = md5($password . $username); // Looping the md5 a thousand times and salting it with the username is good practice too.U
}
$userQuery = "SELECT * FROM users WHERE username = '" . $username . "' LIMIT 1";
$user = mysqli_query($sqlcon, $userQuery);
if (mysqli_num_rows($user) > 0) { // If user exists,
$user = mysqli_fetch_assoc($user); // mysqli_fetch_arrays put values into $user[0], $user[1], etc.
$id = $user['id'];
$databasepass = $user['password'];
if ($password === $databasepass) {
$_SESSION['username'] = $username;
$_SESSION['id'] = $id;
header("Location: index.php");
} else {
echo "Password is incorrect";
}
} else {
echo "Username does not exist";
}
} else {
echo "Username or Password not filled in";
}
echo $password;
?>
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
</head>
<body>
<h1>Login</h1>
<form action="login.php" method="post" enctype="multipart/form-data">
<input placeholder="Username" name="username" type="text" autofocus>
<input placeholder="Password" name="password" type="password">
<input name="login" type="submit" value="Login">
</form>
</body>
</html>
<?php
$host = "localhost";
$user = "root";
$pass = "";
$database = "users";
$sqlcon = mysqli_connect($host, $user, $pass, $database);
if (mysqli_connect_errno()) {
die ("MySQL Database Connection Error");
}
?>
答案 1 :(得分:0)
你在mysqli_query中有$ db和$ sql。
$query = mysqli_query($sql, $db);
http://php.net/manual/en/function.mysql-query.php
另外,请尝试避免使用md5,并使用PHP的password_hash,http://php.net/manual/en/function.password-hash.php。
目前,如果数据库被利用,它很容易受到彩虹表攻击。