0

I am trying to log in using this code : 

session_start();

require "connect.php";

$username = $_POST['username'];
$password = $_POST['password'];

  if($username&&$password)
 {
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrow = mysql_num_rows($query);

if($numrow!=0)
{
    while($row = mysql_fetch_assoc($query))
    {
        $db_username = $row['username'];
        $db_password = $row['password'];
    }

    if($username==$db_username&&$password==$db_password)
    {
        //echo 1;
        header("Location: members.php");
        $_SESSION['username']=$db_username;

    }
    else echo 0;
}
else die("That user doesn't exist");
    }
     else die("Please enter a username and password");

upon successful log in it should take me to members.php :

 session_start();
 if($_SESSION['username'])  <------ this is line 5
   {
echo "20730312";
echo " You are logged in as: ".$_SESSION['username'];
echo "<p><a href='logout.php'>Click here to logout</a>";
    }

but when i request members.php in my application it gives me :

Notice: Undefined index: username in E:\Program Files\xampp\htdocs\adddrop\members.php on line 5

note that i am using android webview to request members.php after successful log in, is this right ? what am i doing wrong ?

4

4 回答 4

3

附带说明:那里有一个 SQL 注入。可能想阅读更多:http ://en.wikipedia.org/wiki/SQL_injection

您面临的问题是用户名并不总是已发布(当您第一次加载页面时):

$username = isset($_POST['username']) ? $_POST['username'] : null;
$password = isset($_POST['password']) ? $_POST['password'] : null;

那应该解决它。基本上,我检查是否设置了 POST 索引,并且只有当我尝试访问它时才尝试访问它,否则我将其设置为null.

此外,您可能希望这样做:

$query = mysql_query("SELECT * FROM users WHERE username='" . mysql_real_escape_string($username) . "'");

这可以防止 SQL 注入漏洞。

并添加exit;

header("Location: members.php");
$_SESSION['username']=$db_username;
exit; // Add this.
于 2012-05-27T09:23:46.853 回答
0

Same as always. You're not POSTing to the URL. Verify the URL you're attempting to POST to.

于 2012-05-27T09:22:27.040 回答
0

正如它所说,您没有来自 POST 的指定数据。确保您的表单操作正确并且您正在填写用户名。

此外,您可能需要考虑对密码进行哈希处理。从我在这里可以看到,您可以比较纯文本密码(或者您已经在脚本中获得了散列密码,这没关系)。

于 2012-05-27T10:02:10.723 回答
0

也许是这样:

header("Location: members.php");
$_SESSION['username']=$db_username;

应改为(反向):

$_SESSION['username']=$db_username;
header("Location: members.php");
于 2012-05-27T09:53:31.140 回答