Question

我想使用PHP和MySQL登录，但每次它都会转到其他部分，尽管所有user_name和user_pass都来自数据库，并将其用作纯文本而不加密。

这是登录的代码：

<?php
include("config.php");

if(isset($_POST['login'])) {
    $user_name = mysql_real_escape_string($_POST['user_name']);
    $user_pass = mysql_real_escape_string($_POST['user_pass']);
    //$encrypt=md5($user_pass);
    $admin_query = mysql_query("select user_name,user_pass from admin where `user_name` = '$user_name' AND `user_pass` = '$user_pass' ");
    //$run= mysql_query($admin_query);
    $row = mysql_num_rows($admin_query); //if user_name and user_pass is correct it must return atlest one
    $row_ar =mysql_fetch_array($admin_query);

    if( $row == 1 && $row_ar['user_pass']==$user_pass) {
        $_SESSION['user_name'] = $user_name;
        echo "<script>window.open('index.php','_self')</script>";
    } else {
        echo"<script>alert('User name or password is incorrect!')</script>";
    }
}
?>

数据库有一个表管理员，它有3个字符id , user_name ,user_pass 每个项目都是纯文本。

Answer 1

$admin_query = mysql_query("select user_name,user_pass from admin where `user_name` = '$user_name' AND `user_pass` = '$user_pass' ");

在您的上述声明中，您使用user_name ='$ user_name'和user_pass ='$ user_pass'。而不是你可以使用：

$admin_query = mysql_query("select user_name,user_pass from admin where user_name = '".$user_name."' AND user_pass='".$user_pass."' ");

Answer 2

使用mysqli OR PDO执行数据库操作，因为不推荐使用mysql扩展。 mysqli_real_escape_string()函数转义字符串中的特殊字符，以便在SQL语句中使用。您还必须将连接对象作为参数传递。

include("config.php");

if(isset($_POST['login'])) {

$user_name = mysqli_real_escape_string($con,$_POST['user_name']);//$con is database connection object
$user_pass = mysqli_real_escape_string($con,$_POST['user_pass']);
//$encrypt=md5($user_pass);
$admin_query = mysqli_query("select user_name,user_pass from admin where `user_name` = '$user_name' AND `user_pass` = '$user_pass' ");
//$run= mysql_query($admin_query);
$row = mysqli_num_rows($admin_query); //if user_name and user_pass is correct it must return atlest one
$row_ar =mysqli_fetch_array($admin_query);

if( $row == 1 && $row_ar['user_pass']==$user_pass) {
    $_SESSION['user_name'] = $user_name;
    echo "<script>window.open('index.php','_self')</script>";
}
else {
    echo"<script>alert('User name or password is incorrect!')</script>";
}

}

无法使用PHP MySQL登录

2 个答案: