2

当用户单击登录时,我有一个登录表单 checklogin.php 被调用,它应该检查用户名和密码是否匹配数据库上的任何记录,如果为真,则执行其他操作打印错误的密码或用户名

到目前为止,我得到了错误的密码用户名,即使它是正确的用户名&&密码。我做了一些更改,但现在没有 echo、printf 或错误

我该如何解决这个问题?

形式

<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="checklogin.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="myusername" type="text" id="myusername"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="mypassword" type="text" id="mypassword"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>

检查登录.php

<?php

    $mysqli = new mysqli('localhost', 'root', 'password', 'aiesec');

    /* check connection */
    if (mysqli_connect_errno()) {
        printf("Connect failed: %s\n", mysqli_connect_error());
        exit();
    }


    // username and password sent from form
    $myusername=$_POST['myusername'];
    $mypassword=$_POST['mypassword'];

    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysqli_real_escape_string($myusername);
    $mypassword = mysqli_real_escape_string($mypassword);



    // If result matched $myusername and $mypassword, table row must be 1 row


    $sql = "SELECT * FROM members WHERE username='$myusername' and password='$mypassword"; 
    if($result = mysqli->query($sql, MYSQLI_USE_RESULT)) 
    { 
        printf("Errormessage: %s\n", $mysqli->error);
        echo $result->num_rows; //zero 
        while($row = $result->fetch_row()) 
        { 
            printf("Errormessage: %s\n", $mysqli->error);
            echo $result->num_rows; //incrementing by one each time 
        } 
        echo $result->num_rows; // Finally the total count 
    }



    if($row==1){

        echo "correct username and pass";
        // Register $myusername, $mypassword and redirect to file "login_success.php"
       // session_register("myusername");
        //session_register("mypassword");
        //header("location:login_success.php");
    }
    else {
        echo "Wrong Username or Password";
    }


           mysqli_close();     

    ?>

我也试过

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysqli_query($sql);

// Mysql_num_row is counting table row
$count=mysqli_num_rows($result);
4

3 回答 3

3

为确保您看到所有 PHP 错误,请在脚本顶部添加以下代码: 

error_reporting(E_ALL);
ini_set('display_errors', 1);

您必须更正对 的调用mysqli_real_escape_string。根据文档,必须有两个参数,第一个参数必须是 MySQL 链接。在您的情况下,该链接将是 $mysqli。

另外,更换: 

if($row==1){

和: 

if($result->num_row==1){

您误解了 $result->num_rows 是什么:它包含查询返回的总行数,其结果存储在 $result 中。因此,在您检索查询返回的所有记录的循环中检查 $result->num_rows 的值是没有用的。

MYSQLI_USE_RESULT从您的常量中删除了该常量,query()因为mysqli_query 的文档说:
如果您使用 MYSQLI_USE_RESULT,所有后续调用都将返回错误命令不同步,除非您调用 mysqli_free_result()。

新代码: 

<?php
    $mysqli = new mysqli('localhost', 'root', 'password', 'aiesec');

    /* check connection */
    if (mysqli_connect_errno()) {
        printf("Connect failed: %s\n", mysqli_connect_error());
        exit();
    }

    // cleanup POST variables
    $myusername = mysqli_real_escape_string($mysqli, stripslashes(trim($_POST['myusername'])));
    $mypassword = mysqli_real_escape_string($mysqli, stripslashes(trim($_POST['mypassword'])));

    // If result matched $myusername and $mypassword, table row must be 1 row
    $sql = "SELECT * FROM members WHERE username='$myusername' and password='$mypassword'"; 
    $result = mysqli->query($sql);
     if($mysqli->errno<>0)
        die("Errormessage: %s\n", $mysqli->error);
    echo $result->num_rows;
    if($result->num_rows==1){
        echo "correct username and pass";
        // Register $myusername, $mypassword and redirect to file "login_success.php"
       // session_register("myusername");
        //session_register("mypassword");
        //header("location:login_success.php");
    }
    else {
        echo "Wrong Username or Password";
    }
    mysqli_close();     
?>
于 2012-07-07T00:30:34.363 回答
0

第一个错误,您没有在 $mypassword 之后关闭报价:

$sql = "SELECT * FROM members WHERE username='$myusername' and password='$mypassword";

然后,如果这个 if 没有被输入,$row 将不会被定义,并且会在以后造成麻烦:你应该至少添加 "$row = 0"

$row = 0;

if($result = mysqli->query($sql, MYSQLI_USE_RESULT)) 
{ 
    printf("Errormessage: %s\n", $mysqli->error);
    echo $result->num_rows; //zero 
    while($row = $result->fetch_row()) 
    { 
        printf("Errormessage: %s\n", $mysqli->error);
        echo $result->num_rows; //incrementing by one each time 
    } 
    echo $result->num_rows; // Finally the total count 
}

最后,你确定这里的 $row 是 1 吗?你试过了吗

echo "Row is: ";

var_dump($row);

if($row==1){

编辑: $row 似乎实际上是最后一行;你会想要 $result->num_rows 。

从架构的角度来看,像这样将密码存储在数据库中并不是一个好主意,最好(至少)存储“盐渍哈希”或使用更好的算法,请参阅:

如何在 PHP 中使用 bcrypt 对密码进行哈希处理?

于 2012-07-07T00:34:18.400 回答
0

$mypassword您的$sql变量后面缺少一个单引号。

这一行:

$sql = "SELECT * FROM members WHERE username='$myusername' and password='$mypassword";

将其更新为:

$sql = "SELECT * FROM members WHERE username='$myusername' and password='$mypassword'";
于 2012-07-07T00:30:52.163 回答