登录PHP不是使用数据库信息

时间:2018-05-25 03:01:59

标签: php

创建用户将信息保存到数据库中,但当我尝试签名时,只需自动登录,信息是否存储在数据库中。请帮忙。

这是我的server.php代码我认为问题出在这里,但我不确定。

<?php 
session_start();
// initializing variables
$username = "";
$email    = "";
$errors = array(); 
// connect to the database
$db = mysqli_connect('localhost', 'dbuser', 'dbpassword', 'dbname');


// REGISTER USER
if (isset($_POST['reg_user'])) {
  // receive all input values from the form
  $username = mysqli_real_escape_string($db, $_POST['username']);
  $email = mysqli_real_escape_string($db, $_POST['email']);
  $password_1 = mysqli_real_escape_string($db, $_POST['password']);
  $password_2 = mysqli_real_escape_string($db, $_POST['password_2']);

  // form validation: ensure that the form is correctly filled ...
  // by adding (array_push()) corresponding error unto $errors array
  if (empty($username)) { array_push($errors, "Username is required"); }
  if (empty($email)) { array_push($errors, "Email is required"); }
  if (empty($password_1)) { array_push($errors, "Password is required"); }
  if ($password_1 != $password_2) {
    array_push($errors, "The two passwords do not match");
  }

  // first check the database to make sure 
  // a user does not already exist with the same username and/or email
  $user_check_query = "SELECT * FROM loginsystem WHERE username='$username' OR email='$email' LIMIT 1";
  $result = mysqli_query($db, $user_check_query);
  $user = mysqli_fetch_assoc($result);

  if ($user) { // if user exists
    if ($user['username'] === $username) {
      array_push($errors, "Username already exists");
    }

    if ($user['email'] === $email) {
      array_push($errors, "email already exists");
    }
  }

  // Finally, register user if there are no errors in the form
  if (count($errors) == 0) {
    $password = md5($password_1);//encrypt the password before saving in the database

    $query = "INSERT INTO loginsystem (username, email, password) 
              VALUES('$username', '$email', '$password')";
    mysqli_query($db, $query);
    $_SESSION['username'] = $username;
    $_SESSION['success'] = "You are now logged in";
    header('location: home.php');
  }
}

// ... 
// ... 
// LOGIN USER
if (isset($_POST['login_user'])) {
  $username = mysqli_real_escape_string($db, $_POST['username']);
  $password = mysqli_real_escape_string($db, $_POST['password_1']);

  if (empty($username)) {
    array_push($errors, "Username is required");
  }
  if (empty($password)) {
    array_push($errors, "Password is required");
  }

  if (count($errors) == 0) {
    $password = md5($password);
    $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    $results = mysqli_query($db, $query);


      $_SESSION['username'] = $username;
      $_SESSION['success'] = "You are now logged in";
      header('location: home.php');
    }else {
        array_push($errors, "Wrong username/password combination");
    }
  }


?>

我的login.php是

<?php include('includes/server.php') ?>
<!DOCTYPE html>
<html>
<head>
  <title>Clout-Cloud | LOGIN</title>
  <link rel="stylesheet" type="text/css" href="css/style3.css">
</head>
<body>
<div class="container">
    <section id="content">
            <h1>CloutCloud Login</h1>
            <div>
    <form method="POST" action="login.php">
    <div class="input-group">
        <div class="input-group">
      <label>Username</label>
      <input type="text" name="username"  required>
    </div>
    <div class="input-group">
      <label>Password</label>
      <input type="password" name="password_1" required>
    </div>
    <div class="input-group">
      <button type="submit" class="button" name="login_user">Login</button>
    </div>
    <p>
    <a href="recoverpassword.php">Lost your password?</a>
                <a href="register.php">Register</a>
            </div>
            </div>
            </div>
        </form><!-- form -->
    </div>
    </section><!-- content -->
</div><!-- container -->
</body>

我没看到我真正出错的地方,但是有一个问题。请帮我解决。

更新 我尝试使用代码

从我的dabatase获取结果 
$password = md5($password);
    $query = "INSERT INTO loginsyle (username, password) 
                      VALUES('$username', $password')";
while($row = mysqli_fetch_assoc($result)) {
   $username = $row['username'];
   $password = $row['password']; 

}
    }else {
        array_push($errors, "Wrong username/password combination");
    }

尝试从我的查询中获取结果。虽然我认为其中的一部分已经解决了部分问题,即只能使用随机信息登录而没有注册表,但现在我得到了错误

Notice: Undefined variable: result in /home/u572108555/public_html/includes/server.php on line 72

Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, null given in /home/u572108555/public_html/includes/server.php on line 72

可能导致这种情况的原因是什么?我试图以错误的方式从我的查询中获取结果吗?

2 个答案:

答案 0 :(得分:0)

您没有验证查询的结果。 您应该检查返回的结果数= 1,小于(0)=用户详细信息不匹配。超过这个(2+)并且您遇到重叠登录凭据或错误查询的问题。

我还建议不要使用MD5作为加密

正如其他人所提到的,你很容易受到SQL注入攻击,使用条带斜线和转义来解决这个问题,比如

$myusername = stripslashes($myusername);
$myusername = mysqli_real_escape_string($myusername);

找出你可以使用像这样的函数的结果数

$sql="SELECT * FROM $tbl_name WHERE ID='$myusername' and password= '$password'";  
$result=mysqli_query($sql);

// Mysqli_num_row is counting table row
$count=mysqli_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// user is logged in
}

答案 1 :(得分:-1)

您似乎无法验证$results = mysqli_query($db, $query)的结果。以下是代码,说明您需要做什么。

$results = mysqli_query($db, $query);
// Here you have to check the $result and see if you have one record selected.
// However you are not doing that currently.
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";

另一方面,你这样做的方式似乎有很多瑕疵。

  1. 一个名为server.php的文件具有所有例程。这将使您最终得到一个单片文件,这远不是可维护性。
  2. 您的SQL查询容易受到SQL注入攻击。使用准备好的陈述而不是你现在正在做的事情。
  3. 人们早就知道MD5会发生碰撞,因此很久以前就已经放弃了。甚至SHA1也不是那么安全。如果它是BCrypt或Blowfish,可以选择SHA256甚至更好的东西。
  4. 验证登录时,不要验证结果集中的记录数。而是检查它是否具有恰好一个记录,并且记录值是匹配的。
相关问题
最新问题