How to do multiple validation checks for a login against a database using PHP

Posted: 2016-07-14 05:16:05

Tags: php mysql

I want to use a validation check in the login query, for example

"select account from login where account='active'" 

to check whether the status is active, and only then will he/she be able to log in to the system. I am trying to use the code mentioned below, but it doesn't work..... please help me!

//login.php
<?php
session_start(); // Starting Session
$error = ''; // Variable To Store Error Message
if (isset($_POST['sbm'])) {
    if (empty($_POST['email']) || empty($_POST['password'])) {
        $error = "Username or Password is invalid";
    } else {
        // Define $username and $password
        $username = $_POST['email'];
        $password = $_POST['password'];
        // Establishing Connection with Server by passing server_name, user_id and password as a parameter
        $connection = mysql_connect("localhost", "root", "");
        // To protect MySQL injection for Security purpose
        $username = stripslashes($username);
        $password = stripslashes($password);
        $username = mysql_real_escape_string($username);
        $password = mysql_real_escape_string($password);
        // Selecting Database
        $db = mysql_select_db("company", $connection);
        $valid = mysql_query("select account from login where account='active'", $connection);
        $acc = mysql_fetch_assoc($valid);
        echo $acc['account'];
        if ($valid == 1) {
            // SQL query to fetch information of registered users and find a user match.
            $query = mysql_query("select * from login where password='$password' AND email='$username'", $connection);
            $rows = mysql_num_rows($query);
            if ($rows == 1) {
                $_SESSION['login_user'] = $username; // Initializing Session
                header("location: profile.php"); // Redirecting To Other Page
            } else {
                $error = "Username or Password is invalid";
            }
            mysql_close($connection); // Closing Connection
        }
    }
}
?>

3 Answers:

Answer 0 (score: 1)

This query

select account from login where account='active'

will return all active accounts. You are only interested in whether the current user's account is active, so you should restrict the result to that user:

// guarantees that the user will not be logged in until all checks are passed
unset($_SESSION['login_user']);
$success = false; // set to true once all checks are passed
// $email is the submitted e-mail address (the question's $username)
$sql = "SELECT * from login WHERE email='$email'";
$result = mysql_query($sql, $connection);
if ($result === false) { // DB error. Probably a bad query or wrong DB credentials
    // user should not see the exact error, but you can get it from mysql_error()
    $error = "Server error: contact the admin";
} elseif (mysql_num_rows($result) === 0) { // no account found
    $error = "The email $email is unknown";
} else { // The account exists; you can run further checks
    $account_row = mysql_fetch_assoc($result);

    if ($account_row['account'] !== 'active') {
        $error = "Account $email is not active";
    } elseif ($account_row['password'] !== $password) {
        $error = "Password is incorrect";
    } else {
        $success = true; // all checks passed
    }
}
mysql_close($connection);

Now you are done with the checks. Decide what to do depending on whether the login succeeded:

if ($success) {
    $_SESSION['login_user'] = $username;
    header("location: profile.php");
} else {
    // login failed. Error is in $error
}

3 final notes:

  1. You should not use the mysql_ functions. They are deprecated. Learn MySQLi or PDO.

  2. Your passwords are not hashed. You should never store passwords in plain text! See this guide

  3. Although I separated "unknown email" from "wrong password" in the error messages, you should not let the user tell the difference. If the error is either of those two, say "wrong username or password".

Answer 1 (score: 0)

mysql_query() returns a resource on success, or FALSE on error.

You cannot check $valid for the value 1.

You can check it with if(count($valid) > 0)

A single query

$query = mysql_query("select * from login where password='$password' AND email='$username' and account='active'", $connection);

returns only the row where the account is active and the username and password match.

Answer 2 (score: 0)


Change your code as shown below:

$query = mysql_query("select * from login where password='$password' AND email='$username' AND account = 'active'");

// Selecting Database
$db = mysql_select_db("company", $connection);
/* remove below lines
$valid = mysql_query("select account from login where account='active'", $connection);
$acc = mysql_fetch_assoc($valid);
echo $acc['account'];
if ($valid == 1) {
*/
// SQL query to fetch information of registered users and find a user match.
$query = mysql_query("select * from login where password='$password' AND email='$username' And account = 'active'");
$rows = mysql_num_rows($query);
if ($rows > 0) {
// keep next lines as they are. just remove last '}'

N.B: You should not use the mysql_ functions, because they have been removed as of PHP 7.0.0, since they are prone to SQL injection.
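The three answers agree on the shape of the fix: look up only the current user's row, require account = 'active', and (Answer 0's notes) use MySQLi or PDO, store only password hashes, and return one generic error. The following is an added example, not code from the question or from any of the answers, that puts those points together with PDO prepared statements and password_verify(). It uses an in-memory SQLite database so it runs stand-alone; the table layout (email, password_hash, account), the sample users and the function names are assumptions for the example.

```php
<?php
// Added example: hardened version of the login check discussed above.
// Not from the question or the answers. Assumes a table `login` with
// columns email, password_hash and account ('active' or something else).
declare(strict_types=1);

function build_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login (
        email TEXT PRIMARY KEY,
        password_hash TEXT NOT NULL,
        account TEXT NOT NULL
    )');
    // Constructed sample users; only password_hash() output is stored, never the password.
    $ins = $db->prepare('INSERT INTO login (email, password_hash, account) VALUES (?, ?, ?)');
    $ins->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT), 'active']);
    $ins->execute(['bob@example.com',   password_hash('bob-secret',    PASSWORD_DEFAULT), 'disabled']);
    return $db;
}

// Hash verified when the e-mail is unknown, so the request takes about the same
// time whether or not the account exists (limits user enumeration by timing).
function dummy_hash(): string {
    static $h = null;
    if ($h === null) {
        $h = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    return $h;
}

/**
 * Returns ['ok' => bool, 'error' => string]. Unknown e-mail, wrong password and
 * inactive account all produce the same message (Answer 0, note 3); the real
 * reason goes to the server log only.
 */
function attempt_login(PDO $db, string $email, string $password): array {
    $generic = 'Username or Password is invalid';

    // Bound parameter instead of string interpolation: the input never becomes SQL,
    // so no stripslashes()/escaping dance is needed.
    $stmt = $db->prepare('SELECT password_hash, account FROM login WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), even for an unknown user (see dummy_hash()).
    $verified = password_verify($password, $row ? $row['password_hash'] : dummy_hash());
    $logged = json_encode($email); // neutralise newlines etc. before logging user input

    if ($row === false) {
        error_log("login: unknown e-mail $logged");
        return ['ok' => false, 'error' => $generic];
    }
    if (!$verified) {
        error_log("login: wrong password for $logged");
        return ['ok' => false, 'error' => $generic];
    }
    if ($row['account'] !== 'active') { // the check the question was after
        error_log("login: account not active for $logged");
        return ['ok' => false, 'error' => $generic];
    }
    return ['ok' => true, 'error' => ''];
}

// In login.php, on success the caller would then do:
//   session_regenerate_id(true);        // fresh session id after the privilege change
//   $_SESSION['login_user'] = $email;
//   header('Location: profile.php');
//   exit;                               // header() alone does not stop the script

if (PHP_SAPI === 'cli') {
    $db = build_demo_db();
    foreach ([
        ['alice@example.com', 'correct horse'],  // active + right password -> ok
        ['alice@example.com', 'wrong'],          // right user, wrong password
        ['bob@example.com',   'bob-secret'],     // right password, account disabled
        ['nobody@example.com', 'anything'],      // unknown e-mail
    ] as [$email, $pw]) {
        $r = attempt_login($db, $email, $pw);
        printf("%-20s %s\n", $email, $r['ok'] ? 'OK' : 'FAIL: ' . $r['error']);
    }
}
```

Run it with `php login_example.php` (any file name); only the first line reports OK, and the three failures are indistinguishable to the client while the log records the actual cause. Checking the password before the account status keeps the order of checks independent of the message, since every failure path returns the same string anyway.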