public function verify_login($email, $password) {
$this->Connect();
`email`=`$email` AND `password`=`$password` ";
$sql = "SELECT email,password FROM `users_details` WHERE
`email`='$email' AND `password`='$password' ";
if ($this->res=mysqli_query($this->ind_connect, $qry)) {
$num_row = mysqli_num_rows($this->res);
$row = mysqli_fetch_assoc($this->res);
if ($num_row == 1) {
echo 'true';
$_SESSION['email'] = $row['email'];
$_SESSION['password'] = $row['password'];
}
} else {
echo 'errr';
}
$this->Disconnect();
}
你好我正在尝试做简单的查询和函数" mysqli_query($ this-> ind_connect,$ qry)"一直回到我的虚假
1.连接返回" true"
2.我正在尝试将查询更改为最简单的查询,例如来自users_details的" SELECT *,并且mysqli_query再次返回false。
答案 0 :(得分:0)
你有很多问题,但这是我会尝试的:
public function verify_login($email, $password) {
$conn = $this->Connect(); //Make sure $this->Connect(); returns the connection. (Where mysqli_connect(host,user,pass,dbname); is called)
//Never inject variables into SQL without escaping the information first for SQL security reasons.
$email = mysqli_real_escape_string($conn, $email);
$password = mysqli_real_escape_string($conn, $password);
$query = "`email`='$email' AND `password`='$password';";
$sql = "SELECT `email`, `password` FROM `users_details` WHERE $query";
if ($this->res=mysqli_query($this->ind_connect, $qry)) {
$num_row = mysqli_num_rows($this->res);
$row = mysqli_fetch_assoc($this->res);
if ($num_row == 1) {
echo 'true';
$_SESSION['email'] = $row['email'];
$_SESSION['password'] = $row['password'];
}
} else {
echo 'errr';
}
$this->Disconnect();
}
我注意到你的一条SQL行使用的是``而不是正确的''使用电子邮件和密码值检查单引号。名称应该在``中,并且值应该始终在''中,除非处理其他数据类型。
我强烈建议修复安全问题,因为可以进行SQL注入。
我建议您切换到更现代和更安全的东西,例如PDO用于数据库连接。