2

我是 PHP 和一般编程的新手,但我正在努力登录。我已经完成了注册页面,并且我的数据库很好地填充了记录。但是,当此代码得到输出时,它说我有 0 行来自 mysql_num_rows($result);... 当我输入正确的用户名/密码时,它应该成功显示 1 行。无论我是否输入了成功的用户/通行证组合,它的输出都是一样的。

感谢您提供的任何帮助,代码如下:

$SQL = "SELECT * FROM account WHERE username = $username AND password = md5($password)";
            $result = mysql_query($SQL);
            $num_rows = mysql_num_rows($result);
            echo $result;
            echo $num_rows;

            // CLOSE CONNECTION
            mysql_close($db_handle);

            // COMPARE $num_rows TO SEE IF A SUCCESSFUL LOGIN, THEN DIRECT TO MEMBERS PAGE

            if ($result) {
                if ($num_rows > 0) {
                    session_start();
                    $_SESSION['login'] = "1";
                    header ("Location: page1.php");
                }   
                    else {
                        $error_message = "Login failed.  Please try again.";
                        echo $num_rows;
4

1 回答 1

1

编辑:完全重写

尝试这个:

<?php



$host = "host";
$user = "user";
$password = "password";
$database = "database";


$username = 'jack'; /* Insert $_Post [''] here with username variable you pass. You could sanitize and validate with for example filter_var (), clean (), etc */
$password_user = 'password from jack'; // same here.

$link = mysqli_connect($host, $user, $password, $database);
        IF (!$link){
        echo ("Unable to connect to database!");
        }

        ELSE{
$query = "SELECT * FROM account WHERE username ='$username' AND password = md5('$password_user')";
            $result = mysqli_query($link, $query);
            $num_rows = mysqli_num_rows($result);
            $row = mysqli_fetch_array($result, MYSQLI_BOTH);

            // COMPARE $num_rows TO SEE IF A SUCCESSFUL LOGIN, THEN DIRECT TO MEMBERS PAGE

            if ($row) {
                    session_start();
                    $_SESSION['login'] = "1"; // pleae not that 1 is converted into a string value
                    $_SESSION['username'] = $username; // added username, just to test.
                    header ("Location: page1.php");
                }   
                    else {
                        $error_message = "Login failed.  Please try again.";
                        echo $error_message;
                    }
            // CLOSE CONNECTION
            mysqli_close($link);            
        }
?>

样本数据:

CREATE TABLE account (
  id INT auto_increment primary key,
  username VARCHAR(30),
  password VARCHAR(50)
  );


INSERT INTO account(username, password)
VALUES 
("bob", md5('password from bob')), 
("jack", md5('password from jack')), 
('joe', md5('password from joe'));

SQL 小提琴演示

示例页面1

<?php
session_start();
$login = $_SESSION['login'];
$username = $_SESSION['username'];

echo '<h1>It WORKS, <i>'.$username.'</i>!!!</h1>';


?>

需要注意的重要一点是,我使用的是 MYSQLI 库而不是 MYSQL 库。如果表中有多个列,则应选择每列的输出。例如,$result['id']

我发现您没有在 SQL 语句中转义变量。我必须注意,我没有调试下面的部分 COMPARE $num_rows 以查看是否成功登录,然后直接发送给会员。我认为您可以自己管理。

WRT 净化和验证你必须做更多的工作。我不知道您的数据是如何通过用户登录表单过去的。假设您将使用 POST。在这种情况下,您可以从页面顶部开始,首先使用 $_POST 检索所有发布的变量。然后过滤它们以确保您的代码没有为 SQL 注入打开。例如 $username = filter_var($_POST['username'], FILTER_SANITIZE_STRING);

于 2013-01-31T02:05:43.537 回答