使用PDO登录无法从MySQL获取数据

时间:2018-10-16 22:17:22

标签: php pdo

我的代码有问题,它使用任何用户名和密码登录,而未从数据库验证它,请在下面进行更多说明 我有2个表,一个用于用户名,另一个用于密码,我试图使我的代码像这样 用户表中包含:ID,用户名,电话,电子邮件 密码表有:ID,用户名,密码

通过user_id字段与用户ID连接的每个密码

我希望我的代码像这样工作 如果与密码相同的一行中的用户名,电子邮件或电话具有与登录名相同的user_id

示例 使用者表格:1,eddy,edd @ example.com,4493838 密码表:1、1(请注意:这是来自用户表的用户ID),阿尔法

<?php
$servername = "localhost";$username = "username";$password = "password";$dbname = "myDBPDO";
if(!empty($_SESSION['LoggedIn']) && !empty($_SESSION['Username']))
{?>

Welcome <? echo $_SESSION['users_id'] ?>
<?php
}
elseif(!empty($_POST['various-login']) && !empty($_POST['password']))
{
// PDO   
try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Database
$stmt = $conn->prepare("SELECT id as users_id, username, email, phone FROM users"); 
$stmt->execute();

$stmt = $conn->prepare("SELECT id as passwords_id, user_id, password FROM passwords"); 
$stmt->execute();

$userRow=$stmt->fetch(PDO::FETCH_ASSOC);


$various_login= $_POST['various-login'] == $userRow['email'] or $userRow['phone'];
$user_and_password = $userRow['users_id'] === $userRow['user_id'];  
$password = $_POST['password'] == $user_and_password;    

if($stmt->rowCount() == 1)
{

    $email = $userRow['email'];
    $_SESSION['Username'] = $username;
    $_SESSION['email'] = $email;
    $_SESSION['LoggedIn'] = 1;

    echo "<h1>Success</h1>";
    echo $email;
} 
else
{
    echo "<h1>Error</h1>";
    echo "<p>Sorry, your account could not be found. Please <a href=\"index.php\">click here to try again</a>.</p>";
}}
catch(PDOException $e) {
echo "Error: " . $e->getMessage();
}
$conn = null;
} else {?>

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
Email/Phone: <input type="text" name="various-login" value="<?php echo $website;?>">
<br><br>
Password: <input type="password" name="password">
<br><br>
<input type="submit" name="submit" value="<?php echo $lang['NEXT']; ?>">  
</form> 
<?php}?>

2 个答案:

答案 0 :(得分:0)

使用此:(对于SQLi不安全)

<?php
$servername = "localhost";$username = "username";$password = "password";$dbname = "myDBPDO";
if(!empty($_SESSION['LoggedIn']) && !empty($_SESSION['Username']))
{
    echo "Welcome ".$_SESSION['Username'];
}
elseif(!empty($_POST['various-login']) && !empty($_POST['password']))
{  
    try {
        $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Database
        $stmt = $conn->prepare("SELECT id, username, email, phone FROM users WHERE lower(username) = '".strtolower($_POST['various-login'])."' OR lower(email) = '".strtolower($_POST['various-login'])."' OR phone = '".strtolower($_POST['various-login'])."'"); 
        $stmt->execute();
        $userdata = $stmt->fetch(PDO::FETCH_ASSOC);
        if(!empty($userdata["id"]))
        {
            $stmt = $conn->prepare("SELECT id, user_id, password FROM passwords WHERE user_id = '".$userdata["id"]."' AND password = '".$_POST["password"]."'"); 
            $stmt->execute();
            $password_data = $stmt->fetch(PDO::FETCH_ASSOC);
            if(!empty($password_data["id"]))
            {
                $_SESSION['users_id'] = $userdata["id"]
                $_SESSION['Username'] = $userdata["username"];
                $_SESSION['email'] = $userdata["email"];
                $_SESSION['LoggedIn'] = 1;
                echo "<h1>Success</h1>";
                echo $email;
            }
            else
            {
                echo "<h1>Error</h1>";
                echo "<p>Sorry, your account password is not valid. Please <a href=\"index.php\">click here to try again</a>.</p>";
            }
        }else{
            echo "<h1>Error</h1>";
            echo "<p>Sorry, your account could not be found. Please <a href=\"index.php\">click here to try again</a>.</p>";
        }
    } catch(PDOException $e) {
        echo "Error: " . $e->getMessage();
    }
    $conn = null;
} else {?>

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
    Email/Phone: 
    <input type="text" name="various-login" value="<?php echo $website;?>">
    <br><br>
    Password: <input type="password" name="password">
    <br><br>
    <input type="submit" name="submit" value="<?php echo $lang['NEXT']; ?>">  
</form> 
<?php } ?>

答案 1 :(得分:0)

我强烈建议您使用联接,以便它是1条SQL语句,以及清理和验证您的输入。

SELECT users.*
FROM users 
JOIN passwords ON passwords.user_id = users.id
WHERE (users.email = :email
OR users.phone = :phone)
AND passwords.password = :password

这是到准备好的语句的文档的链接。建议您重新阅读该书,以了解为什么现有代码不起作用(提示:您正在选择所有记录)。 http://php.net/manual/en/pdo.prepared-statements.php

  1. 创建您的PDO连接
  2. 创建您的SQL
  3. 绑定参数
  4. 执行查询
  5. 如果有一行,则找到了该用户。

我确定您已经意识到使用纯文本密码的问题,并假定这是一种分配,而不是生产中使用的东西。

相关问题
最新问题