1

我正在使用登录/注销/会员页面的在线视频示例,试图为我的网站实现它。我有一个来自 justhost 的实时服务器,我创建了一个数据库并将一些虚拟用户信息放入我的用户表中。我创建了一个 connect.php 文件,它就是这样做的,如果它会连接到我的数据库并且它可以工作,我会发出一条成功消息。当我尝试登录以显示会员页面的链接时,我不断收到一条错误消息,提示我输入的电子邮件未找到,但该电子邮件在数据库表中。我究竟做错了什么?这是 login.php 文件,很抱歉它的长度。

<?php
error_reporting (E_ALL ^ E_NOTICE);
session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Member System - Login</title>
</head>
<body>

    <?php

        $form = "<form action='./login.php' method='post'>
        <table>
        <tr>
            <td>Email:</td>
            <td><input type='text' name='user'/></td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type='password' name='password'/></td>
        </tr>
        <tr>
            <td></td>
            <td><input type='submit' name='loginbtn' value='Login' /></td>
        </tr>
        </table>
        </form>";

    if($_POST['loginbtn']){
        $email = $_POST['user'];
        $password = $_POST['password'];

        if ($email){
            if ($password){
                require("connect.php");

                $password = md5(md5("sdf5jkl".$password."jfdkSDf4"));

                $query = mysql_query("SELECT * FROM users WHERE email='$email'");
                $numrows = mysql_num_rows($query);
                if($numrows == 1){
                    $row = mysql_fetch_assoc($query);
                    $dbid = $row['id'];
                    $dbpass = $row['password'];
                    $dbemail = $row['email'];
                    $dbactive = $row['active'];

                    if($password == $dbpass){
                        if($dbactive == 1){
                            //set session info
                            $_SESSION['id'] = $dbid;
                            $_SESSION['email'] = $dbemail;

                            echo "You have been logged in as <b>$dbemail</b>.  <a href='./member.php'>Click here</a> to go to the member page.";

                        }
                        else
                            echo "You must activate your account to login. $form";
                    }
                    else
                        echo "You did not enter the correct password. $form";
                }
                else
                    echo "The email you entered was not found. $form";

                mysql_close();
            }
            else
                echo "You must enter your password. $form";
        }
        else
            echo "You must enter your email. $form";
    }
    else
        echo $form;

    ?>

</body>
</html>
4

2 回答 2

1

About halfway down your code, you have these lines:

$query = mysql_query("SELECT * FROM users WHERE email='$email'");
$numrows = mysql_num_rows($query);

Let's change it temporarily to this:

$sql = "SELECT * FROM users WHERE email='$email'";
echo '<pre>'. $sql .'</pre>';
$query = mysql_query($sql);
$numrows = mysql_num_rows($query);
echo '<pre>'. $numrows .'</pre>';

When you try to log in now, you'll probably see something like this at the top of your page:

SELECT * FROM users WHERE email='thenamethatijusttypedin'
2

If the number is equal to 1, then your code should work as you wrote it. If the number is something else, then you can learn more by copying the SQL query above it, then running it in your database platform (i.e.: phpMyAdmin).

As others have mentioned previously, you should clean up your input. You can remove leading and trailing whitespace with the trim($email); command.

Once you feel a bit more confident with coding, you should look into a database query tool called PDO. Right now, your query is vulnerable to something called SQL Injection. If I were to put an apostrophe in the user field, then the query would break. Hackers can use this to break into your website. PDO protects against this and makes writing queries a bit easier.

于 2012-12-11T15:48:23.730 回答
1

I don't see anything wrong with your code in terms of not managing to find the user. Here are a few things to try.

$email = $_POST['user'];
$password = $_POST['password'];

Should be:

$email = mysql_real_escape_string(trim($_POST['user']));
$password = mysql_real_escape_string(trim($_POST['password']));

trim() will remove any extra spaces that could be messing up the query and mysql_real_escape_string() escapes special characters.

If you are getting the the data correctly by checking print_r($_POST) and the query looks fine by running echo "SELECT * FROM users WHERE email='$email'"; or running SELECT * FROM users WHERE email='your_email' in phpmyadmin, then maybe you have duplicate emails in your user table? If you do, you shouldn't. Try removing the duplicate. You should also check the password at the same time you're checking the email. Here's an example:

$query = mysql_query("SELECT * FROM users WHERE email = '$email' AND password = '$password'");

于 2012-12-11T15:49:23.680 回答