我一直试图让这段代码工作,我改变它以前的方式。你能发现问题吗?如果登录正确,我仍然会收到“用户名或密码不正确”。 请帮助这里是代码:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en" >
<head>
<title>Login | JM Today </title>
<link href="Mainstyles.css" type="text/css" rel="stylesheet" />
</head>
<body>
<div class="container">
<?php include("header.php"); ?>
<?php include("navbar.php"); ?>
<?php include("cleanquery.php") ?>
<div id="wrap">
<?php
ini_set('display_errors', 'On');
error_reporting(E_ALL ^ E_NOTICE | E_STRICT);
$conn=mysql_connect("localhost", "***", "***") or die(mysql_error());
mysql_select_db('jmtdy', $conn) or die(mysql_error());
if(( strlen($_POST['user']) >0) && (strlen($_POST['pass']) >0) && isset($_POST['sublogin'])) {
checklogin($_POST['user'], $_POST['pass']);
}
elseif(( strlen($_POST['user']) ==0) || (strlen($_POST['pass']) ==0)){
echo '<p class="statusmsg">You didn\'t fill in the required fields.</p><br/><input type="button" value="Retry" onClick="location.href='."'login.php'\">";
return;
}
else{
echo '<p class="statusmsg">You came here by mistake, didn\'t you?</p><br/><input type="button" value="Retry" onClick="location.href='."'login.php'\">";
return;
}
function checklogin($username, $password){
$username=mysql_real_escape_string($username);
$password=mysql_real_escape_string($password);
$result=mysql_query("select username from users where username = '$username'");
if($result != false){
$dbArray=mysql_fetch_array($result);
$dbArray['password']=mysql_real_escape_string($dbArray['password']);
$dbArray['username']=mysql_real_escape_string($dbArray['username']);
if(($dbArray['password'] != $password ) || ($dbArray['username'] != $username)){
echo '<p class="statusmsg">The username or password you entered is incorrect. Please try again.</p><br/><input type="button" value="Retry" onClick="location.href='."'login.php'\">";
return;
}
$_SESSION['username']=$username;
$_SESSION['password']=$password;
if(isset($_POST['remember'])){
setcookie("jmuser",$_SESSION['username'],time()+60*60*24*356);
setcookie("jmpass",$_SESSION['username'],time()+60*60*24*356);
}
}
else{
echo'<p class="statusmsg"> The username or password you entered is incorrect. Please try again.</p><br/>input type="button" value="Retry" onClick="location.href='."'login.php'\">";
return;
}
}
?>
</div>
<br/>
<br/>
<?php include("footer.php") ?>
</div>
</body>
</html>
答案 0 :(得分:1)
您只是从数据库中选择username,但您尝试将password与不存在的返回结果进行比较。您还需要选择password,否则与提供的密码的比较将始终为false或错误。
编辑:此外,我刚刚意识到您似乎以纯文本格式存储密码。 Please don't do that
答案 1 :(得分:0)
在将用户名传递给数据库之前,应该使用mysql_real_escape_string。否则代码很容易受到SQL注入攻击。 问题是您没有在选择中提取密码。