1

在过去的四天里,我一直在努力让这个工作。这只是一个简单的登录页面,其中没有存储敏感信息,但我遇到了 PHP 问题。

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $uname = $_POST["login"];
    $pword = $_POST["pass"];
    $uname = htmlspecialchars($uname);
    $pword = htmlspecialchars($pword);
    $user_name = "bradf294_access";
    $password = "********";
    $database = "bradf294_clients";
    $server = "localhost";
    $db_handle = mysql_connect($server, $user_name, $password);
    $db_found = mysql_select_db($database, $db_handle);
    print(mysql_errno());
    print($db_found);
    if(isset($db_found)){
        print($db_found."Success");
        $SQL = "SELECT * FROM basicinfo WHERE ref = $uname AND pass = $pword";
        $result = mysql_query($SQL);
        print("Query made");
        print(mysql_errno());
        if ($result) {
            print("result:".$result);
        }
        else {
            print("Incorrect Login Details");
        }
        if ($result > 0) {
            print("found user");
            $errorMessage= "logged on ";
            session_start();
            $_SESSION['login'] = "1";
            header ("Location: progressuser.php");
        }
        else {
            print("Invalid Logon");
        }
    } else {
        print("Database not found. The Webmaster has been notified. Please try again   later");
        $subject = "Automated login error" ;
        $message = "An error occured whilst trying to connect to the MySQL database, to login to the progress checker" ;
        mail("a-bradfield@bradfieldandbentley.co.uk", $subject, $message);
    }

从我一直用来调试的页面上的输出来看,它似乎是那些似乎不起作用的行,它们给出了 1054 错误 - “'%s' 中的未知列 '%s'”

$SQL = "SELECT * FROM basicinfo WHERE ref = $uname AND pass = $pword";
$result = mysql_query($SQL)

即使我将$SQL字符串复制并粘贴到 phpMyAdmin 中并且效果很好?

有什么明显的我做错了吗?转到http://www.bradfieldandbentley.co.uk/test/progress.php并输入详细信息 Reference:TST001并通过:dnatbtr121自己查看输出。

4

2 回答 2

2

您需要引用变量:

$SQL = "SELECT * FROM basicinfo WHERE ref = '$uname' AND pass = '$pword'";

然而

这些mysql_*功能已被弃用-您应该考虑移至PDOmysqli_*代替。这些都使您更容易编写安全代码,并为您解决引用问题。

于 2012-09-18T18:29:00.373 回答
0

WHERE 条件中的值是否应该被引号包围,就像在普通的 MySQL 语句中一样?是的。此外,您还会收到一堆关于 SQL 注入的评论。

于 2012-09-18T18:28:16.777 回答