-2

我正在尝试创建一个给出警告的用户登录表单,这是我的所有脚本

连接.php

<?php

$con = mysql_connect("localhost" , "xxx" , "xxxxxx");
if(!$con)
{
    die('Could Not Connect' . mysql_error());
}
else
{
    echo "User Connect". "<br>";
}
mysql_select_db("xxxx" , $con)
or die('Error: could not connect' . mysql_error());

echo "Database connected" . "<br>";


function dbQuery($sql)
{
    return mysql_query($sql) or die('Query Failed. ' . mysql_error());
}

function dbAffectedRows()
{
    global $dbConn;
    return mysql_affected_rows($dbConn);
}

function dbFetchArray($result, $resultType = MYSQL_NUM)
{
    return mysql_fetch_array($result, $resultType);
}
function dbFetchAssoc($result)
{
    return mysql_fetch_assoc($result);
}
function dbFetchRow($result)
{
    return mysql_fetch_row($result);
}
function dbFreeResult($result)
{
    return mysql_free_result($result);
}
function dbNumRows($result)
{
    return mysql_num_rows($result);
}
function dbSelect($dbName)
{
    return mysql_select_db($dbName);
}

?>

函数.php

<?php
require_once 'connect.php';
    $userName = $_POST['txtUserName'];
    $password = $_POST['txtPassword'];

//$sql = mysql_query("SELECT user_id FROM user WHERE user_name = '$userName' AND user_password = '$password'") or die('error in query!' . mysql_error()); 
$sql = "SELECT user_id FROM user WHERE user_name = '$userName' AND user_password = '$password'"; 


echo $result = dbQuery($sql);

    if(dbNumRows($result)==1){
        $row = dbFatchAssoc($result);
        echo '$row[user_id]';
        }

?>

它在下面的connect.php中给出警告

警告:mysql_num_rows() 期望参数 1 是资源,在 connect.php 中给出布尔值

有人请帮助我,在此先感谢

我添加了整个警告表看看

( ! ) 警告:mysql_num_rows() 期望参数 1 是资源,布尔值在 C:\wamp\www\tb_ad\connect.php 第 48 行调用堆栈中给出

#   Time    Memory  Function    Location
1   0.0032  367408  {main}( )   ..\function.php:0
2   0.0130  385640  dbNumRows( )    ..\function.php:15
3   0.0130  385672  mysql_num_rows ( )  ..\connect.php:48
4

2 回答 2

2

Two things missing here; 1) Parameter sanitising and 2) error checking.

Without converting your app to PDO (which you really should do), try the following

$sql = sprintf("SELECT user_id FROM user WHERE user_name = '%s' AND user_password = '%s'",
    mysql_real_escape_string($_POST['txtUserName']),
    mysql_real_escape_string($_POST['txtPassword']));
$result = mysql_query($sql);
if ($result === false) {
    throw new Exception(mysql_error());
}

You should also be checking

  • If the request method is POST
  • If the txtUserName and txtPassword items are set in $_POST

For development, I'd also recommend putting this at the top of your script (or preferably setting these in php.ini)

ini_set('display_errors', 'On');
error_reporting(E_ALL);

Also, storing plain text passwords is textbook bad. I suggest you do some more reading on software application security. Here's a starting point - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

于 2012-05-09T05:07:18.090 回答
1

echo $result = dbQuery($sql);如果查询的执行不成功,则此行返回 FALSE。

所以你应该添加类似的东西:

if (!$result)
{
    //handle the error
}
于 2012-05-09T05:12:09.703 回答