<?php
session_start();
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$bool = true;
mysql_connect("localhost", "root", "") or die (mysql_error()); //Connect to server
mysql_select_db("first_db") or die ("Cannot connect to database"); //Connect to database
$query = mysql_query("Select * from users WHERE username='$username'"); // Query the users table
$exists = mysql_num_rows($query); //Checks if username exists
$table_users = "":
$table_password = "";
if($exists > 0) //IF there are no returning rows or no existing username
{
while($row = mysql_fetch_assoc($query)) // display all rows from query
{
$table_users = $row['username']; // the first username row is passed on to $table_users, and so on until the query is finished
$table_password = $row['password']; // the first password row is passed on to $table_password, and so on until the query is finished
}
if(($username == $table_users) && ($password == $table_password))// checks if there are any matching fields
{
if($password == $table_password)
{
$_SESSION['user'] = $username; //set the username in a session. This serves as a global variable
header("location: home.php"); // redirects the user to the authenticated home page
}
}
else
{
Print '<script>alert("Incorrect Password!");</script>'; // Prompts the user
Print '<script>window.location.assign("login.php");</script>'; // redirects to login.php
}
}
else
{
Print '<script>alert("Incorrect username!");</script>'; // Prompts the user
Print '<script>window.location.assign("login.php");</script>'; // redirects to login.php
}
?>
<head>
<title>My first PHP website</title>
</head>
<body>
<h2>Login Page</h2>
<a href="index.php">Click here to go back</a><br/><br/>
<form action="checklogin.php" method="post">
Enter Username: <input type="text" name="username" required="required"/> <br/>
Enter Password: <input type="password" name="password" required="required" /> <br/>
<input type="submit" value="Login"/>
</form>
</body>
这是我应该检查登录并引导您到index.php页面的代码,但它没有做任何事情。我的所有用户名和密码都存储在我的数据库中 最后一点代码是用于创建登录页面的代码,我不确定是什么阻止了登录?所有用户都正确地存储在数据库中,但当我使用它们登录时,页面只是快速刷新并且什么都不做
答案 0 :(得分:0)
要扩展我关于使用print语句确保您的代码正在执行而不需要检查用户密码两次的评论,请参阅以下更改:
<?php
session_start();
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$bool = true;
mysql_connect("localhost", "root", "") or die (mysql_error()); //Connect to server
mysql_select_db("first_db") or die ("Cannot connect to database"); //Connect to database
$query = mysql_query("Select * from users WHERE username='$username'"); // Query the users table
$exists = mysql_num_rows($query); //Checks if username exists
$table_users = "":
$table_password = "";
if($exists > 0) //IF there are no returning rows or no existing username
{
while($row = mysql_fetch_assoc($query)) // display all rows from query
{
$table_users = $row['username']; // the first username row is passed on to $table_users, and so on until the query is finished
$table_password = $row['password']; // the first password row is passed on to $table_password, and so on until the query is finished
}
if($password == $table_password) //check password match
{
Print 'password matched';
$_SESSION['user'] = $username; //set the username in a session. This serves as a global variable
header("location: home.php"); // redirects the user to the authenticated home page
}
else
{
Print '<script>alert("Incorrect Password!");</script>'; // Prompts the user
Print '<script>window.location.assign("login.php");</script>'; // redirects to login.php
}
}
else //user doesnt exist and/or no rows returned
{
Print '<script>alert("Incorrect username!");</script>'; // Prompts the user
Print '<script>window.location.assign("login.php");</script>'; // redirects to login.php
}
?>
请注意,我已删除:
if(($username == $table_users) && ($password == $table_password))
因为如果没有通过SQL查询找到的用户名匹配,并且如果匹配,那么该行将永远不会被执行,无论如何,密码将在下一个if语句中进行比较。
我已将Print语句添加到if($password == $table_password) //check password match代码块中,以便您可以查看此部分代码是否实际执行。如果是,那么header()不会重定向,如果没有,则问题出在其他地方。
最后,正如评论中所提到的,这是一些易受SQL注入攻击的不安全代码。您应该考虑在MySQLi中使用PDO或预处理语句。您当前的解决方案适用于大学,但在现实世界中,这是另一个漏洞。在这方面,还要披露用户名或密码是否不正确存在安全风险,您应该选择“无效登录”而不是:)