我想使用PHP和MySQL登录,但每次它都会转到其他部分,尽管所有user_name和user_pass都来自数据库,并将其用作纯文本而不加密。
这是登录的代码:
<?php
include("config.php");
if(isset($_POST['login'])) {
$user_name = mysql_real_escape_string($_POST['user_name']);
$user_pass = mysql_real_escape_string($_POST['user_pass']);
//$encrypt=md5($user_pass);
$admin_query = mysql_query("select user_name,user_pass from admin where `user_name` = '$user_name' AND `user_pass` = '$user_pass' ");
//$run= mysql_query($admin_query);
$row = mysql_num_rows($admin_query); //if user_name and user_pass is correct it must return atlest one
$row_ar =mysql_fetch_array($admin_query);
if( $row == 1 && $row_ar['user_pass']==$user_pass) {
$_SESSION['user_name'] = $user_name;
echo "<script>window.open('index.php','_self')</script>";
} else {
echo"<script>alert('User name or password is incorrect!')</script>";
}
}
?>
数据库有一个表管理员,它有3个字符id , user_name ,user_pass
每个项目都是纯文本。
答案 0 :(得分:1)
$admin_query = mysql_query("select user_name,user_pass from admin where `user_name` = '$user_name' AND `user_pass` = '$user_pass' ");
在您的上述声明中,您使用user_name
='$ user_name'和user_pass
='$ user_pass'。而不是你可以使用:
$admin_query = mysql_query("select user_name,user_pass from admin where user_name = '".$user_name."' AND user_pass='".$user_pass."' ");
答案 1 :(得分:0)
使用mysqli
OR PDO
执行数据库操作,因为不推荐使用mysql扩展。 mysqli_real_escape_string()
函数转义字符串中的特殊字符,以便在SQL语句中使用。您还必须将连接对象作为参数传递。
include("config.php");
if(isset($_POST['login'])) {
$user_name = mysqli_real_escape_string($con,$_POST['user_name']);//$con is database connection object
$user_pass = mysqli_real_escape_string($con,$_POST['user_pass']);
//$encrypt=md5($user_pass);
$admin_query = mysqli_query("select user_name,user_pass from admin where `user_name` = '$user_name' AND `user_pass` = '$user_pass' ");
//$run= mysql_query($admin_query);
$row = mysqli_num_rows($admin_query); //if user_name and user_pass is correct it must return atlest one
$row_ar =mysqli_fetch_array($admin_query);
if( $row == 1 && $row_ar['user_pass']==$user_pass) {
$_SESSION['user_name'] = $user_name;
echo "<script>window.open('index.php','_self')</script>";
}
else {
echo"<script>alert('User name or password is incorrect!')</script>";
}
}