这是我的代码,即使只是点击提交按钮,它也会提供登录成功。
$username = isset($_POST['username']);
$password = isset($_POST['password']);
//sql dtabase conn
$conn = mysqli_connect("localhost","root","","login");
//query the dtabase for user
$result = mysqli_query($conn, "select * from users where username =
'$username' and password = '$password'")or die("failed to query database".mysqli_connect_error());
$row = mysqli_fetch_array ($result);
if($row['username'] == $username && $row['password'] == $password && (""
!== $username || "" !== $password)){
echo "Login success".$row['username'];
}else{
echo "Failed to login";
}
我是初学者。请帮帮我
答案 0 :(得分:2)
您正在使用isset检查有效负载的用户名/密码。这会返回true / false,而不是值。因此,您永远不会匹配数据库中的记录,并且您永远不会匹配您的凭据检查条件(匹配或"")
尝试类似
的内容$username = isset($_POST['username']) ? $_POST['username'] : false;
如果未设置,则会将$username设置为等于$_POST['username']值或设置为false。然后你可以用以下内容测试它:
if (($username && $password) and ($username == $row['username'] and $password == $row['password']))
哪个应该比你更接近你。
另一点 - 您需要使用某种散列机制来获取密码。你得到它的方式看起来你正在搜索明文密码值(除非你在前端进行散列,我猜)。切勿将密码以明文形式存储在数据库中。
答案 1 :(得分:0)
你的IF声明中的最后一个条件||是的,密码不是空的,因为你的isset()总会返回一个值,它总是会成功。
$username = $_POST['username'];
$password = $_POST['password'];
//sql dtabase conn
$conn = mysqli_connect("localhost","root","","login");
//query the dtabase for user
$result = mysqli_query($conn, "select * from users where username =
'$username' and password = '$password'")or die("failed to query database".mysqli_connect_error());
$row = mysqli_fetch_array ($result);
if($row['username'] == $username && $row['password'] == $password){
echo "Login success".$row['username'];
}else{
echo "Failed to login";
}