-2

我正在开发一个基本的登录系统。我使用了很多资源,很多地方的代码都是从其他在线登录系统中提取的。loginpage.html问题是,当我输入用户名和密码并将其重定向到这个文件时,我简单而优雅地得到一个完全空白的页面,BLANK PAGE。

<?php
error_reporting(E_ALL ^ E_NOTICE);
include 'connectingshit.php'; 

//Basically naming a session and starting one
session_name('litLogin');

//The cookie is going to live for 2 weeks
session_set_cookie_params(2*7*24*60*60);

//Now we actually start the session
session_start();
ob_start();
if($_SESSION['id'] && !isset($_COOKIE['RemainLoggedIn']) && !$_SESSION['rememberMe'])
{
    // If you are logged in, but you don't have the cookie (browser restarts)
    // and you have not checked the rememberMe checkbox:
    $_SESSION = array();
    session_destroy();
    // Destroy the session
}

if(isset($_POST['submit'])) 
{
    //I hope I know what I am doing, this is supposed to hold our errors.
    $errors = array();

    if(!$_POST['username'] || !$_POST['password'])
        $errors[] = 'All the fields must be filled in buddyboy!';
    if(!count($errors)) 
    {
      //Assigning the input form shit to the variables/strings or wtf they are
      $tinkerbells_username = $_POST['username'];
      $tinkerbells_password = $_POST['password'];
      $_POST['rememberMe'] = (int)$_POST['rememberMe'];

      // We remove all dangerous characters (!!!!) WTF? Escaping them "WOW"...
      $tinkerbells_username = stripslashes($tinkerbells_username);
      $tinkerbells_password = stripslashes($tinkerbells_password);
      $tinkerbells_username = mysqli_real_escape_string($conn, $tinkerbells_username);
      $tinkerbells_password = mysqli_real_escape_string($conn, $tinkerbells_password);

      $row = mysqli_fetch_assoc('SELECT id, username, password FROM members WHERE username = "$niloquieroser_username" AND password = "$niloquieroser_password"');

      //Does basically the username exist when $row lookes for it in the database
      if(($row['username']) && ($niloquieroser_username == $tinkerbells_username && $niloquieroser_password == $tinkerbells_password))
      {
    //Now fortunately or unfortunatley if it did work and everything is fine
    //We can continue.....
    $_SESSION['username'] = $row['username'];
        $_SESSION['id'] = $row['id'];
    $_SESSION['rememberMe'] = $_POST['rememberMe'];

    //We store some data in the session
    setcookie('RemainLoggedIn',$_POST['rememberMe']);
    //cookie gets created
  }
  else $errors[]=("Wrongs username or/and password!");
    }
    header("Location: success.html");
    exit;
}
ob_end_flush();
?>
4

2 回答 2

2
$row = mysqli_fetch_assoc('SELECT id, username, password FROM members WHERE username = "$niloquieroser_username" AND password = "$niloquieroser_password"');

MySQL 字符串应该是单引号;您调用mysqli_fetch_assoc的是字符串,而不是查询对象;您的变量不会被插值,因为 PHP 字符串使用单引号。并不是说您无论如何都应该对它们进行插值;使用准备好的语句。

另外,请散列你该死的密码。

于 2012-12-08T16:56:04.337 回答
0

首先,修复您的查询。如果不使用双引号定义字符串,则无法在字符串中嵌入 php 值:

$query = "SELECT id, username, password FROM members WHERE username = '$niloquieroser_username' AND password = '$niloquieroser_password'";

您想使用mysqli_query()来获取mysqli_result集。然后你可以像这样循环:

$result = mysqli_query($link, $query);
while($row = mysqli_fetch_assoc($result)) {
    //echo $row['username'];
    ...
}

如果您设法使脚本正常工作,请注意,即使用户名/密码无效,您仍然会将它们重定向到success.html. 您应该将header("Location: success.html");其放入if仅检查结果集的行中,如果未找到该行,则回显错误消息。

于 2012-12-08T17:20:30.553 回答