1

我有一个带有用户名和密码登录表单的html页面。当人们输入正确的密码时,它会将他们带到带有账单的 php 页面。如果密码不正确,将显示错误信息,然后退出程序。我让登录功能正常工作。但是,它也影响了我的其他程序。现在每次我尝试在项目/金额行中写一些东西时,它也会显示错误消息并退出程序。我知道这与 $numresult>0 条件有关。当我取消该条件时,我的金额/项目行有效,但登录页面还允许在用户名/密码中输入空白条目以登录。知道如何确保人们必须输入正确的密码(不是空白条目)同时登录,让我在第二页中的项目/金额行表现正常?我的代码如下。抱歉有点长。

</head>

<body style="font-family: Arial, Helvetica, sans-serif; color: black;" onload=>
<h1>My Bills</h1>
<form method=post>

<?php
//*************************************************
//Connect to Database
//*************************************************


//*************************************************
//Verify password and username
//*************************************************
$password = $_POST['password']; //retrieve variables for password and userId
$userid = $_POST['userid'];

$query  = "SELECT * FROM valid_logon WHERE userid = '$userid' AND
           password='$password'";  //get query from database

$result = mysql_query($query);

$numresults = mysql_num_rows($result); //get row number
$row = mysql_fetch_array($result); //get array into variable
$dbuserid = $row['userid'];
$dbpassword = $row['password'];

if ($numresults>0)
{
   if ($userid == $dbuserid && $password == $dbpassword)
   {
       process();
   }   
}else{
   err_msg();
}


//*************************************************
//Error message.
//*************************************************
function err_msg()
{
   print "The username and/or password you have entered are invalid.";
   print "</body>";
   print"</html>";
   exit;
}

//*************************************************
//Write out records with data if they exist.
//*************************************************
function process()
{
  print "<table>";
  print "<tr><th>Item</th><th>Amount</th></tr>";

  $action = $_POST['action'];

  if ($action == 'update')
  {
$write_ctr = 1;

// Delete all rows in the table

$query  = "DELETE FROM n1417_expenses ";

$result = mysql_query($query);

if (mysql_error()) {
    echo("<br>MySQL Error - Cannot delete from table: ".mysql_error());
    echo("<br>SQL Statement: ".$query);
}


// Loop through table and insert values into the database

while (true)
{
    $item_name = 'item'."$write_ctr";
    $item_value = $_POST[$item_name];

    $amount_name = 'amount'."$write_ctr";
    $amount_value = $_POST[$amount_name];

    if (empty($item_value)) 
    {
        break;
    }

    // Insert an item to the table
    if(!is_numeric($amount_value))
    { 
        print "<font color=red>I'm sorry, amount \"".$amount_value."\" is not a valid number.</font><br>\n";
    }else{

        $query  = "INSERT INTO n1417_expenses (item, amount) 
                  VALUES('".$item_value."','".$amount_value."') ";

        $result = mysql_query($query);
    }

    if (mysql_error()) 
    {
        echo("<br>MySQL Error - Cannot insert a row into table: ".mysql_error());
        echo("<br>SQL Statement: ".$query);
    }

    $write_ctr++;
}

 }



//*************************************************
//Now Select from table and Display
//*************************************************

$err_cnt = 0;
$read_ctr = 1;

$query  = "SELECT item, amount FROM n1417_expenses ";

$result = mysql_query($query);

if (mysql_error()) {
echo("<br>MySQL Error- Cannot select from table: ".mysql_error());
echo("<br>SQL Statement: ".$query);
}

if (!empty($result))
{
$rowresults = mysql_num_rows($result);

if ($rowresults > 0)
{
    for ($read_ctr=1; $read_ctr<=$rowresults; $read_ctr++)
    {
        $row = mysql_fetch_array($result);

        $item_value = $row['item'];
        $item_name = 'item'."$read_ctr";

        $amount_value = $row['amount'];
        $amount_name = 'amount'."$read_ctr";

        print "<tr>";
        print "<td><input type=text name=$item_name value='$item_value'></td>\n";
        print "<td><input type=text name=$amount_name value='$amount_value'></td>\n";
        print "<td>";
        print "</tr>";

        $total_amt = $total_amt + $amount_value;

    }
}
}



//*************************************************
//Now write the blank lines
//*************************************************

for ($i = $read_ctr; $i < $read_ctr + 2; $i++)
{

    $item_name = 'item'."$i";
$amount_name = 'amount'."$i";

print '<tr>';
print "<td><input type=text name=$item_name value=''></td>\n";
print "<td><input type=text name=$amount_name value=''></td>\n";
print '</tr>';
}

print "</table>";
print "<br>Total Bills: $total_amt";

}
?>

<br><input type=submit value=Submit>
<br<br>

<!--  Hidden Action Field -->
<input type=hidden name=action value=update>

</form>
4

1 回答 1

1

要回答发布的问题,您的问题似乎是当您的用户提交表单时再次检查用户名和密码。因为这些字段不存在,所以查询会找到零行,从而触发您的错误消息。

有很多方法可以解决您的问题,其中一种方法是使用Session来记住用户已登录。这可以通过更改密码检查来实现,如下所示:

session_start();

if (!isset($_SESSION['logged_in']) || !$_SESSION['logged_in']) 
{

    $password = $_POST['password']; //retrieve variables for password and userId
    $userid = $_POST['userid'];

    $query  = "SELECT * FROM valid_logon WHERE userid = '".mysql_real_escape_string($userid)."' AND
               password='".mysql_real_escape_string($password)."'";  //get query from database

    $result = mysql_query($query);

    $numresults = mysql_num_rows($result); //get row number
    $row = mysql_fetch_array($result); //get array into variable
    $dbuserid = $row['userid'];
    $dbpassword = $row['password'];

    if ($numresults>0)
    {
       if ($userid == $dbuserid && $password == $dbpassword)
       {
           $_SESSION['logged_in'] = TRUE;
           process();
       }   
    }else{
       err_msg();
    }
}

我使代码尽可能地与原始代码相似,但我将回应上面关于保护 SQL 调用的必要性的评论。如果可能的话,看看使用PDO,或者至少像上面那样开始使用mysql_real_escape_string 。

于 2012-05-14T01:48:50.513 回答