即使密码或用户名不正确,我的PHP登录系统仍在登录

时间:2019-07-19 07:03:57

标签: php authentication

即使用户名和密码不正确,也仍然登录,并且即使该值为null也会登录

<?php 

    $hostname = "localhost";
    $username = "root";
    $password = "";
    $dbname = "login";
    $conn = mysqli_connect($hostname, $username, $password, $dbname);
    if (!$conn) {
        die ("unable to connect");
    }

    if ($_POST) {
        $uname = $_POST ["username"];
        $pass = $_POST ["password"];

        $sql = "SELECT * FROM users WHERE username = '$uname' AND password = '$pass' LIMIT 1 ";
        $result = mysqli_query($conn, $sql);
        if (mysqli_num_rows($result) == 1){
            include("graph.php");
        } else {
            echo "Incorrect"; 
        }
    }
 ?>

2 个答案:

答案 0 :(得分:0)

首先,非常重要您容易受到SQL注入攻击,因此您应该使用准备好的语句,这是应如何使用代码的方法,但是echo "Incorrect";中的每种情况下,您应该给出不同的答案:

<?php

    $hostname = "localhost";
    $username = "root";
    $password = "";
    $dbname = "login";
    $conn = mysqli_connect($hostname, $username, $password, $dbname);
    if (!$conn) {
        die ("unable to connect");
    }

    if (isset($_POST["username"]) && isset($_POST["password"])) { // Check if you have posted data via POST
        $uname = $_POST["username"];
        $pass = $_POST["password"];

        $sql = "SELECT * FROM users WHERE username = ? AND password = ? LIMIT 1 ";

        if($stmt = $conn->prepare($sql)) { // Check for MySQL errors
            $stmt->bind_param('ss', $uname, $pass);
            if ($stmt->execute()) {
                $stmt->close();
                include("graph.php");
            } else { // There is a problem with your SELECT // bind params
                echo "Incorrect";
            }
        } else { // You should handle mysql errors here
            echo "Incorrect";
        }
    } else { // You don't have POST data
        echo "Incorrect";
    }
 ?>

Prepared statements

就像@Kuya一样,您会遇到许多其他问题,Google中有很多有关登录系统实现的教程。

答案 1 :(得分:-1)

您必须像这样在PHP中使用False检查发布请求:

isset()