这是一个小型登录和注册程序的代码。每次用户尝试登录此代码时,都会检查电子邮件和密码是否正确。如果在mysql提示符中输入,则相同的查询有效。 我无法弄清楚我的代码中有什么问题。每次输入有效的电子邮件和密码时,$ result都会变为FALSE。
<html>
<head>
<title>Log In</title>
</head>
<body>
<?php
$host = "localhost";
$user = "root";
$password = "password";
$database = "user";
$conn = mysqli_connect($host, $user, $password, $database);
if(!$conn) {
die("Connection Error: ".mysqli_connect_error($conn));
}
$query = "select email, password from user_info where email = \'$_POST[login_email]\' or password = \'$_POST[login_password]\'";
$result = mysqli_query($conn, $query);
if(!$result)
die("failure");
if(mysqli_num_rows($result) > 0) {
$details = mysqli_fetch_assoc($result);
if($details["email"] != $_POST["login_email"] && $details["password"] != $_POST["login_password"]) {
die("Invalid username or password.");
}
echo "successful";
}
else {
die("Don't have an account yet?. Please Sign Up to get started.");
}
?>
</body>
</html>
答案 0 :(得分:0)
在字符串中解析数组变量是一项棘手的操作:
pfullmem(
rss=12562432L,
vms=6787072L,
num_page_faults=3173,
peak_wset=12562432L,
wset=12562432L,
peak_paged_pool=194528L,
paged_pool=193856L,
peak_nonpaged_pool=10552L,
nonpaged_pool=9560L,
pagefile=6787072L,
peak_pagefile=6787072L,
private=6787072L,
uss=7380992L
)
应阅读:
$query = "select email, password from user_info where email = \'$_POST[login_email]\' or password = \'$_POST[login_password]\'";
但是,如果$query = "select email, password from user_info where email = ? or password=?"
$stmt=con.prepare($query)
$stmt->bind_param("s", $_POST[login_email]);
$stmt->bind_param("s", $_POST[password]);
$stmt->execute();
$stmt->bind_result($result);
$stmt->fetch();
正确或密码正确,那么您将获得结果。因此,对于此查询检查凭据,50%正确就足够了。
下一行也很有趣:
login_email因此两者都必须错误输出错误。再次只是拥有用户名或随机密码(甚至不知道它属于哪个用户),就足以登录了。有点奇怪。
答案 1 :(得分:0)
@lalithkumar是对的。但作为临时解决方案,您可以将$query行更改为以下
$query = "select email, password from user_info where email = '".$_POST["login_email"]."' or password = '".$_POST["login_password"]."'";