我的登录表单即使用错误的用户名和密码也能正常运行。我试过寻找答案,但我找不到自己的错误。这是代码:
<?php
include 'database.php'; ?>
<?php
if($_SERVER["REQUEST_METHOD"] == "POST"){
$username = mysqli_real_escape_string($connect,$_POST['username']);
$password = mysqli_real_escape_string($connect,$_POST['password']);
$query = "SELECT username, password FROM tbl_membership WHERE username =
'$username' AND password = '$password'";
$result = mysqli_query($connect, $query);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$active = $row['active'];
$count = mysqli_num_rows($result);
if(mysqli_num_rows($query) > 0){
$_SESSION["username"] = $username;
$_SESSION["password"] = $password;
header("location: welcome.php");
exit();
}if (mysqli_num_rows($query) != 0){
echo "Invalid.";
}
}
?>
答案 0 :(得分:1)
<强> 1 强>
看看这一行:
if(mysqli_num_rows($query) > 0) {
变量$query
在这里是一个字符串。您需要使用刚刚设置的$count
变量。
// Check if we have a result and just one result
if($count == 1) {
<强> 2 强>
如果有一个结果,您只需要获取行内容。
$count = mysqli_num_rows($result);
if ($count == 1) {
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$active = $row['active'];
}
第3:强>
尝试使用预准备语句来避免SQL注入。在这种情况下,逃避你的字符串是一个好的开始。
$stmt = $conn->prepare("SELECT username, password FROM tbl_membership WHERE username =? AND password =?");
$stmt->bind_param('ss', $username, $password);
$stmt->execute();
$get_result = $stmt->get_result();
$row_count = $get_result->num_rows;
if ($row_count == 1) {
$row = $get_result->fetch_assoc();
$active = $row['active'];
$_SESSION["username"] = $username;
header("location: welcome.php");
exit();
} else {
echo "Invalid.";
}
<强> 4 强>
不要将密码保存为纯文本。强烈建议您这样做,并为您的客户/访问者带来安全问题。请改用某种形式的哈希。 Read the documentation for more info
答案 1 :(得分:0)
if($_SERVER["REQUEST_METHOD"] == "POST"){
$username = mysqli_real_escape_string($connect,$_POST['username']);
$password = mysqli_real_escape_string($connect,$_POST['password']);
$query = "SELECT username, password FROM tbl_membership WHERE username =
'$username' AND password = '$password'";
$result = mysqli_query($connect, $query);
$row = mysqli_fetch_assoc($result);
$count = mysqli_num_rows($result);
if($count > 0){
$_SESSION["username"] = $row['username'];
$_SESSION["password"] = $row['password'];//no need to use password in session
header("location: welcome.php");
}else{
echo "Invalid.";
}
}