我有一个名为login.php的登录页面,其中包含以下php代码:
<?php
session_start();
include ('databaseconnect.php');
if(isset($_POST['login'])){
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
$query = "select Username, Userid, user_type from Users
where username = '$username'
and password = '$password' LIMIT 1";
$result = mysqli_query($db, $query);
if (mysqli_num_rows($result) == 1) {
$username = mysqli_fetch_assoc($result);
if ($username ['user_type'] == 'owner') {
$_SESSION['username'] = $username['Username'];
$_SESSION['userid'] = $userid['Userid'];
$_SESSION['user_type'] = $user_type['user_type'];
header('location:adminmain.php');
}else{
$_SESSION['username'] = $username['Username'];
$_SESSION['userid'] = $userid['Userid'];
$_SESSION['user_type'] = $user_type['user_type'];
header('location:usermain.php');
}
}
}
}
?>
一个人的用户名&#39;,&#39;用户ID&#39;和&#39; user_type&#39;从他们登录时开始假设是$ _SESSION。当一个人登录时,会出现一个名为create_topic.php的页面,其中包含以下代码:
<?php
include ('dataconnect.php');
$sql1= "SELECT Categoryid, Categoryname, Categorydescription
FROM Categories";
$result1 = mysqli_query($db,$sql1);
if (!$result1)
{
echo "No Category Found, Contact the administrator" </p>;
}
function getPosts()
{
$posts = array();
$posts[0] = $_POST['topic_subject'];
$posts[1] = $_POST['topic_category'];
$posts[2] = $_SESSION['username']; var_dump($_SESSION);
return $posts;
}
if (isset($_POST['createtopicbutton']))
{
$data = getPosts();
$sql2 = "INSERT INTO Topics(Topic_subject, Topic_category, Topic_by)
VALUES('$data[0]','$data[1]', '$data[2]')";
$result2 = mysqli_query($db,$sql2);
if ($result2)
{
echo "<p> Topic Successfully Created </p>";
}else{
echo "<p> Topic NOT! Successfully Created, Contact the administrator
</p>. mysqli_error($db);
}
}
?>
但是,当执行上面的代码时,我收到以下错误:
您的SQL语法有错误;检查手册 对应于您的MySQL服务器版本,以便使用正确的语法 接近&#39;不正确的整数值:&#39;&#39;对于专栏&#39; Topic_by&#39;在第1行 价值观(&#39; t&#39;第1行。
所以我做了一个var_dump我发现了这个:
array (size=3)
'username' => string 'Owner1' (length=6)
'userid' => null
'user_type' => null.
所以我特别要问的是&#39;用户名&#39;存储,但&#39;用户ID&#39;和&#39; user_type&#39;在login.php页面上声明时为null。非常感谢您的帮助和帮助。
答案 0 :(得分:1)
您的变量不正确,请尝试:
if (isset($_POST['login']))
{
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
$query = "select Username, Userid, user_type from Users
where username = '$username'
and password = '$password' LIMIT 1";
$result = mysqli_query($db, $query);
if (mysqli_num_rows($result) == 1)
{
$user = mysqli_fetch_assoc($result);
if ($user ['user_type'] == 'owner')
{
$_SESSION['username'] = $user['Username'];
$_SESSION['userid'] = $user['Userid'];
$_SESSION['user_type'] = $user['user_type'];
header('location:adminmain.php');
} else
{
$_SESSION['username'] = $user['Username'];
$_SESSION['userid'] = $user['Userid'];
$_SESSION['user_type'] = $user['user_type'];
header('location:usermain.php');
}
}
}
仅定义了$username
,$userid
和$user_type
不是,user_type
和userid
是$username
的索引,而不是单独的变量。因此,请使用$user
,以便更具可读性。
Little Bobby说 your script is at risk for SQL Injection Attacks. 了解prepared的MySQLi语句。即使escaping the string也不安全!