我正在输入任何密码,但我已经成功登录。我很困惑。
php代码:
// LOGIN USER
// variable declaration
$email = "";
$mobile = "";
$under_userid = "";
$errors = array();
$_SESSION['success'] = "";
require('php-includes/connect.php');
session_start();
if (isset($_POST['login_user'])) {
$email = mysqli_real_escape_string($con, $_POST['email']);
$password = mysqli_real_escape_string($con, $_POST['password']);
if (empty($email)) {
array_push($errors, "Email is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$Hpassword = hash('sha512', $_POST['password']);
$query = "SELECT * FROM user WHERE email='$email' AND password='$Hpassword'";
$mysqli_query = mysqli_query($con, $query);
$_SESSION['userid'] = $email;
$_SESSION['id'] = session_id();
$_SESSION['login_type'] = "user";
$_SESSION['user_id'] = $row['user_id'];
echo '<script>alert("Login Success.");window.location.assign("home.php");</script>';
}
}
请帮助我
答案 0 :(得分:1)
您成功登录,因为没有脚本可以跟踪提供的密码不正确或正确的脚本。因此,您需要添加以下if语句进行检查,
if(mysqli_num_rows($mysqli_query) > 0){
$_SESSION['userid'] = $email;
$_SESSION['id'] = session_id();
$_SESSION['login_type'] = "user";
$_SESSION['user_id'] = $row['user_id'];
echo '<script>alert("Login Success.");window.location.assign("home.php");</script>';
}
mysqli_num_rows()将从数据库中获取匹配数据的行,如果存在if-statement为真,则您将只能成功登录。否则,它将失败,您可以向用户显示错误。
答案 1 :(得分:1)
此处不检查用户名和密码是否正确。
tf.boolean_mask()如果条件与下面的用户名或密码匹配,请使用以下内容进行纠正
if (count($errors) == 0) {
$Hpassword = hash('sha512', $_POST['password']);
$query = "SELECT * FROM user WHERE email='$email' AND password='$Hpassword'";
$mysqli_query = mysqli_query($con, $query);
$_SESSION['userid'] = $email;
$_SESSION['id'] = session_id();
$_SESSION['login_type'] = "user";
$_SESSION['user_id'] = $row['user_id'];
echo '<script>alert("Login Success.");window.location.assign("home.php");</script>';
}