0

首先,我是 php 新手。我也是 MySQL 的新手,所以对我要温柔。其次,我知道 mysql_* 已贬值,一旦我了解更多,这将在稍后修复。

所以我有以下代码:

        if(isset($_POST['email']) && !empty($_POST['email']) AND isset($_POST['password']) && !empty($_POST['password'])){
            $email = mysql_escape_string($_POST['email']);
            $password = mysql_escape_string($_POST['password']);

            $search = mysql_query("SELECT * FROM users WHERE email='".$email."' AND password='".$password."' AND active='1'") or die(mysql_error()); 
            $match  = mysql_num_rows($search);

            if($match > 0){
                $user=$search['forename'] .' '.$search['surname'];
                $_SESSION['username']=$user;
                $msg = 'Login Complete! Thanks, '.$user.'!';
            }else{
                $msg = 'Login Failed!<br /> Please make sure that you enter the correct details and that you have activated your account.';
            }
        }

很简单,我正在检查电子邮件和密码是否匹配(我知道这不是散列密码……再说一次,这不是问题,因为它是一个测试)。如果他们这样做了,并且帐户已被激活,那么我想返回用户的名字和姓氏(用户表中的名字/姓氏)并将它们存储在会话变量中。如果该变量 isset,我想使用此信息来确认用户已登录(因此可以访问某些页面)。但是,此测试不返回用户名,而是输出:

登录完成!谢谢, !

任何帮助,将不胜感激。

4

3 回答 3

1

请记住返回的值mysql_query是资源,因此您需要将结果行作为关联数组获取。

while ($row = mysql_fetch_assoc($search)) 
{
    $user=$row['forename'] .' '.$row['surname'];
    $_SESSION['username']=$user;
}

作为旁注,SQL Injection如果变量的值(s)来自外部,则查询很容易受到攻击。请看下面的文章,了解如何预防。通过使用PreparedStatements,您可以摆脱在值周围使用单引号。

于 2013-02-27T14:10:51.183 回答
0

你需要做$row = mysql_fetch_array($search);

进而

$user=$row['forename'] .' '.$row['surname'];
于 2013-02-27T14:10:48.563 回答
0

你替换你的代码 / * ** * ** * ** * ***你的代码* *** / if(isset($_POST['email']) && !empty($_POST['email']) AND isset($_POST['password']) && !empty($_POST['password'])){ $email = mysql_escape_string($_POST['email']); $password = mysql_escape_string($_POST['password']);

        $search = mysql_query("SELECT * FROM users WHERE email='".$email."' AND password='".$password."' AND active='1'") or die(mysql_error()); 
        $match  = mysql_num_rows($search);

        if($match > 0){
            $user=$search['forename'] .' '.$search['surname'];
            $_SESSION['username']=$user;
            $msg = 'Login Complete! Thanks, '.$user.'!';
        }else{
            $msg = 'Login Failed!<br /> Please make sure that you enter the correct details and that you have activated your account.';
        }
    }

/ * ** * ** * ** * ***我的代码* *** /

    if(isset($_POST['email']) && !empty($_POST['email']) AND isset($_POST['password']) && !empty($_POST['password'])){
        $email = mysql_escape_string($_POST['email']);
        $password = mysql_escape_string($_POST['password']);

        $search = mysql_query("SELECT * FROM users WHERE email='".$email."' AND password='".$password."' AND active='1'") or die(mysql_error()); 
        $match  = mysql_num_rows($search);

        if($match > 0){
            $search = mysql_fetch_array($search); 
            $user=$search['forename'] .' '.$search['surname'];
            $_SESSION['username']=$user;
            $msg = 'Login Complete! Thanks, '.$user.'!';
        }else{
            $msg = 'Login Failed!<br /> Please make sure that you enter the correct details and that you have activated your account.';
        }
    }
于 2013-02-27T14:14:09.990 回答