我试图弄清楚为什么此代码不对用户进行身份验证,用户名和密码的错误组合会为用户提供访问权限。我哪里错了?我还是个新手,有什么帮助吗?另外,关于如何加密密码,MD5,SHA等的建议最好?
<form class="login-form" action="login.php" method="post">
<input type="text" placeholder="username" name="username"/>
<input type="password" placeholder="password" name="password"/>
<button type="submit" name="login" value="login">login</button>
<p class="message">Not registered? <a href="#">Create anaccount</a></p>
</form>
if (isset($_POST['login'])) {
include_once("db.php");
$username = stripslashes($username);
$password = stripslashes($password);
$sql = "SELECT * FROM users WHERE username='$username' LIMIT 1";
$query = mysql_query($sql);
$row = mysql_fetch_array($query);
$id = ['id'];
$db_password = $row['password'];
if ($password == $password) {
$_SESSION['username'] = $username;
$_SESSION['id'] = $id;
header("Location: index.php");
} else {
echo "You have entered invalid credentials.";
}
}
答案 0 :(得分:2)
1st:您正在比较相同的值,这将始终为 true 。
if ($password == $password) {
将其更改为db值:
if ($db_password == $password) {
第二:什么是?
$id = ['id'];
你可能意味着:
$id = $row['id'];
3rd: 停止使用mysql_ *函数,它们已被弃用且不安全。切换到PDO或mysqli _ *!