不验证用户PHP MySQL

时间:2016-05-30 09:12:56

标签: php mysql

我试图弄清楚为什么此代码不对用户进行身份验证,用户名和密码的错误组合会为用户提供访问权限。我哪里错了?我还是个新手,有什么帮助吗?另外,关于如何加密密码,MD5,SHA等的建议最好?

<form class="login-form" action="login.php" method="post">
    <input type="text" placeholder="username" name="username"/>
    <input type="password" placeholder="password" name="password"/>
    <button type="submit" name="login" value="login">login</button>
    <p class="message">Not registered? <a href="#">Create anaccount</a></p>
</form>


if (isset($_POST['login'])) {
    include_once("db.php");
    $username = stripslashes($username);
    $password = stripslashes($password);
    $sql = "SELECT * FROM users WHERE username='$username' LIMIT 1";
    $query = mysql_query($sql);
    $row = mysql_fetch_array($query);
    $id = ['id'];
    $db_password = $row['password'];
    if ($password == $password) {
        $_SESSION['username'] = $username;
        $_SESSION['id'] = $id;
        header("Location: index.php");
    } else {
        echo "You have entered invalid credentials.";
    }
}

1 个答案:

答案 0 :(得分:2)

1st:您正在比较相同的值,这将始终为 true 

if ($password == $password) {

将其更改为db值:

if ($db_password == $password) {

第二:什么是?

$id = ['id'];

你可能意味着:

$id = $row['id'];

3rd: 停止使用mysql_ *函数,它们已被弃用且不安全。切换到PDO或mysqli _ *!

相关问题
最新问题