0

我有一个使用电子邮件和密码设置的数据库,我正在尝试使用下面的代码检查用户名(电子邮件)和密码,以确保它们正确,如果它们不正确则将它们发送到 /cms匹配,弹出框出现。我只是开始工作。你能看到任何会导致这种情况的问题吗?

session_start();

require_once("../mydbpassword.php");
if($_POST['username']) {

$username = $_POST['username'];
$password = $_POST['password'];

$sql = "SELECT * FROM agents WHERE email = '$username' AND pword = '$password'";
$result = mysqli_query($mysqli,$sql);

$email = $row['email'];
$pword = $row['pword'];

if(($username != $email) || ($password != $pword)) {
echo'<script type="text/javascript">
    window.alert("Your login information is wrong, try again!");
    window.location="/cms/login"
    </script>';
}
else {
$row = mysqli_fetch_assoc($result);
$_SESSION['admin'] = $row['$email'];
header("Location: /cmsS");
exit();

}
  }
4

2 回答 2

0

转变

$result = mysqli_query($mysqli,$sql);


$result = mysqli_fetch_assoc(mysqli_query($mysqli,$sql));

此外,您还有很多事情需要修复。像散列密码、安全查询、更好的重定向/错误系统(js 可能被禁用或容易被黑客入侵/更改)。

于 2012-06-30T23:57:19.590 回答
0

该变量可以设置但为空。

if($_POST['username'])

经过

if (!empty($_POST['username']))

防止 MySQL 注入,只获取密码。

$sql = "SELECT * FROM agents WHERE email = '$username' AND pword = '$password'";

经过

$sql = 'SELECT password FROM agents WHERE email = "'.mysql_real_escape_string($username).'"';

正确的 MySQL 字符串关联

$result = mysqli_query($mysqli,$sql);

经过

$result = mysqli_fetch_assoc(mysqli_query($mysqli,$sql));

还有一张真正有意义的支票

if ($password != $pword || empty($pword)) {
    echo'<script type="text/javascript">
    window.alert("Your login information is wrong, try again!");
    window.location="/cms/login"
    </script>';
}
于 2012-07-01T00:05:52.963 回答