我正在寻找用户在尝试登录时是否经过验证,但我做错了什么
$validationsql = mysql_query("SELECT Validation FROM users WHERE Username = '".$username."' AND Password = '".$password."'");
$validationresult = mysql_query($validationsql) or die('error');
if ($validationresult == "'FALSE'")
{
echo "<h1>Validation Error</h1>";
die;
}
你做错了很多事情。对于身份验证,您必须查看您的数据库中是否有客户提交的用户。为此,您必须使用以下内容:
$validationsql = mysql_query("SELECT Validation FROM users WHERE Username = '".$username."' AND Password = '".$password."'"); //Retrives data from database
$usersfound = mysql_num_rows($validationsql) or die('error'); //counts how many records have been retrieved
/*
*If number of data is not 1 (assuming you have unique users) validation fails
*/
if ($usersfound !== 1)
{
echo "<h1>Validation Error</h1>";
die;
}
但是,如果您不使用准备好的语句,则出于安全目的(sql 注入),您必须转义数据。为此,您可以使用mysql_real_escape_string. 在此之后,您的代码将变为:
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$validationsql = mysql_query("SELECT Validation FROM users WHERE Username = '".$username."' AND Password = '".$password."'"); //Retrives data from database
$usersfound = mysql_num_rows($validationsql) or die('error'); //counts how many records have been retrieved
/*
*If number of data is not 1 (assuming you have unique users) validation fails
*/
if ($usersfound !== 1)
{
echo "<h1>Validation Error</h1>";
die;
}
但这并不意味着你做的一切都是正确的。mysql_*功能已弃用。您应该使用其中一个PDO或mysqli_*功能。此外,您必须积极使用准备好的语句。
第一件事就是不要那样存储密码。使用类似MD5或其他散列方法。
试试下面的代码
if (!$validationresult)
{
echo "<h1>Validation Error</h1>";
die;
}
假设您的数据库表中有一个名为“验证”的字段,如果它不存在,请将其更改为SELECT * FROM ...
$validationsql = "SELECT Validation FROM users WHERE Username = '".$username."' AND Password = '".$password."'";
$validationresult = mysql_query($validationsql) or die('error');
if (mysql_num_rows($validationresult) == 0)
{
echo "<h1>Validation Error</h1>";
die;
}
最好使用安全的 mysqli OR PDO。你的代码有很多漏洞