我正在尝试修复我的登录系统但是当我尝试没有改变时。我遇到的问题是,当用户登录时,他们不需要正确的用户名和密码,他们只需要正确的密码。我试图自己解决这个问题,但是我弄得一团糟,所以我点击了撤消按钮并来到这里寻求帮助。有人能帮我吗 ? :)我真的很感激;)
login.php:
//check if form is submitted
if ( $_SERVER['REQUEST_METHOD'] != 'POST' || ! isset($_POST['signin']))
{
// looks like a hack, send to index.php
header('Location: index.php');
exit;
}
if (empty($_POST["usernam"])) {
echo 'fill in username to sign in . ';
}
if (empty($_POST["pw"])) {
echo 'fill in password to sign in . ';
}
$sql = "SELECT pw FROM users WHERE usernam = ?";
$stmt = mysqli_prepare($conn, $sql);
if ( !$stmt ) {
echo mysqli_error($conn);
exit;
}
$stmt->bind_param('s', $_POST['pw']);
$stmt->execute();
if ( !$stmt ) {
echo mysqli_error($conn);
exit;
}
// we found a row with that username,
// now we need to check the password is correct
// get the password from the row
$stmt->bind_result($hashed_pwd);
$stmt->fetch();
if ( password_verify($_POST['pw'], $hashed_pwd) ) {
// password verified
header('Location: home.php');
} else {
echo 'Incorrect username or Password. <a href= index.php>Try again</a><br />';
}
答案 0 :(得分:0)
您没有检查查询是否返回了用户名行,您检查的是SELECT查询是否成功执行,因此用户名似乎始终正确
我建议你尝试获取返回的行并检查它是否为空,否则用户名无效。
if ( !$stmt ) { //you should check for !empty(content of returned row) instead
echo mysqli_error($conn);
exit;
}
希望有所帮助
修改
...
$sql = "SELECT pw FROM users WHERE usernam = ?";
$stmt = mysqli_prepare($conn, $sql);
if ( !$stmt ) {
echo mysqli_error($conn);
exit;
}
// changes start here
$stmt->bind_param('s', $_POST['usernam']);
$stmt->execute();
$result = $stmt->get_result();
$row = $result->fetch_assoc();
if ( empty( $row ) { // i removed the ! here
echo mysqli_error($conn);
exit;
}
// changes end here
// we found a row with that username,
// now we need to check the password is correct
// get the password from the row
$stmt->bind_result($hashed_pwd);
$stmt->fetch();
...
并且你还以某种方式使用$ _POST ['pw']代替$ _POST ['usernam']