Question

我有一个名为login.php的登录页面，其中包含以下php代码：

  <?php
    session_start();
    include ('databaseconnect.php');

 if(isset($_POST['login'])){
   $username = mysqli_real_escape_string($db, $_POST['username']);
   $password = mysqli_real_escape_string($db, $_POST['password']);

 $query = "select Username, Userid, user_type from Users
           where username = '$username'
           and password = '$password' LIMIT 1";
 $result = mysqli_query($db, $query);

 if (mysqli_num_rows($result) == 1) {
    $username = mysqli_fetch_assoc($result);
 if ($username ['user_type'] == 'owner') {
        $_SESSION['username'] = $username['Username'];    
        $_SESSION['userid'] = $userid['Userid'];          
        $_SESSION['user_type'] = $user_type['user_type']; 
        header('location:adminmain.php');
}else{
    $_SESSION['username'] = $username['Username'];       
    $_SESSION['userid'] = $userid['Userid'];             
    $_SESSION['user_type'] = $user_type['user_type'];    
    header('location:usermain.php');
      }
     }
    }
   }
  ?>

一个人的用户名＆＃39;，＆＃39;用户ID＆＃39;和＆＃39; user_type＆＃39;从他们登录时开始假设是$ _SESSION。当一个人登录时，会出现一个名为create_topic.php的页面，其中包含以下代码：

    <?php
      include ('dataconnect.php');

      $sql1= "SELECT Categoryid, Categoryname, Categorydescription 
             FROM Categories"; 
      $result1 = mysqli_query($db,$sql1);

   if (!$result1)
      {
     echo "No Category Found, Contact the administrator" </p>; 
      }

   function getPosts()
   {
    $posts = array();
    $posts[0] = $_POST['topic_subject'];
    $posts[1] = $_POST['topic_category'];
    $posts[2] = $_SESSION['username']; var_dump($_SESSION);
    return $posts;
   } 

   if (isset($_POST['createtopicbutton'])) 
    {  

   $data = getPosts();

   $sql2 = "INSERT INTO Topics(Topic_subject, Topic_category, Topic_by)          
              VALUES('$data[0]','$data[1]', '$data[2]')";

   $result2 = mysqli_query($db,$sql2);

   if ($result2)
    {
       echo  "<p> Topic Successfully Created </p>";
  }else{
       echo "<p> Topic NOT! Successfully Created, Contact the administrator 
              </p>. mysqli_error($db); 
       } 
      }
    ?>

但是，当执行上面的代码时，我收到以下错误：

您的SQL语法有错误;检查手册对应于您的MySQL服务器版本，以便使用正确的语法接近＆＃39;不正确的整数值：＆＃39;＆＃39;对于专栏＆＃39; Topic_by＆＃39;在第1行价值观（＆＃39; t＆＃39;第1行。

所以我做了一个var_dump我发现了这个：

 array (size=3)
 'username' => string 'Owner1' (length=6)
 'userid' => null
 'user_type' => null.

所以我特别要问的是＆＃39;用户名＆＃39;存储，但＆＃39;用户ID＆＃39;和＆＃39; user_type＆＃39;在login.php页面上声明时为null。非常感谢您的帮助和帮助。

Answer 1

您的变量不正确，请尝试：

 if (isset($_POST['login']))
{
    $username = mysqli_real_escape_string($db, $_POST['username']);
    $password = mysqli_real_escape_string($db, $_POST['password']);

    $query = "select Username, Userid, user_type from Users
           where username = '$username'
           and password = '$password' LIMIT 1";
    $result = mysqli_query($db, $query);

    if (mysqli_num_rows($result) == 1)
    {
        $user = mysqli_fetch_assoc($result);
        if ($user ['user_type'] == 'owner')
        {
            $_SESSION['username'] = $user['Username'];
            $_SESSION['userid'] = $user['Userid'];
            $_SESSION['user_type'] = $user['user_type'];
            header('location:adminmain.php');
        } else
        {
            $_SESSION['username'] = $user['Username'];
            $_SESSION['userid'] = $user['Userid'];
            $_SESSION['user_type'] = $user['user_type'];
            header('location:usermain.php');
        }
    }
}

仅定义了$username，$userid和$user_type不是，user_type和userid是$username的索引，而不是单独的变量。因此，请使用$user，以便更具可读性。

警告！

Little Bobby说 your script is at risk for SQL Injection Attacks. 了解prepared的MySQLi语句。即使escaping the string也不安全！

$ _SESSION变量仅存储某些值

1 个答案:

警告！