0

我正在创建一个链接到数据库的登录名,当输入信息时,登录名会运行一个空白页面并且什么都不做,下面是我的代码:

    include "conn.php";
    session_start();

    $email_address = $_POST['email_address'];
    $password = $_POST['password'];

    if ($email_address && $password)
    {
    $connect = mysql_connect("computing","i7906890","password") or die ("couldn't   connect!");
    mysql_select_db("i7906890") or die ("couldn't find database");
$guery = mysql_query("SELECT * FROM UserAccount WHERE email_address = '$email_address'");

if ($numrows!=0) {
   //code to login
   while ($row = mysql_fetch_assoc($query)) //Password Check
   {
       $dbemail_address = $row['email_address']
       $dbpassword = $row['password']
   }
   //Check if they match
   if ($email_address==$dbemail_address&&$password==$dbpassword)
   {
      echo "You're in! <a href='user_page.php'>click</a> here to enter the members page";
      $_SESSION['user']==$dbemail_address;
   }
   else
      echo "Incorrect Password!";
}
else
   die("That user doesn't exist!");
}
else
   die("Please enter an email address and password!"); 
?>

这也是我的表格

<form action = "login2.php" method ="POST">
        <p><img src="images/space.gif" width="70px" height="1px"/><strong>Log in</strong> or <a href="register_form.php"><strong>Register</strong></a><br>
            Email:<img src="images/space.gif" width="34px" height="1px"/><input type="text" name="user" size="33"> <br>
            Password:<img src="images/space.gif" width="10px" height="1px"/><input type="password" name="password" size="33"> <br>
        <div align="center">
        <input type="submit" value="Log in" class="button">
        </div>
    </p>
    </form>

请帮忙!求救

4

2 回答 2

2

;在代码中遗漏了一些内容,导致脚本出错并且不显示任何内容。(特别是在while循环中,但也要检查其他地方。)

编辑:您可能还需要考虑while完全丢失该循环并将密码条件放在 SQL 语句中以获得更好的性能。就像其他海报所说的那样,注意 SQL 注入。

于 2013-03-14T13:40:13.570 回答
0

Please help! SOS是的,你深陷其中......但不是你所期望的......

即使您的代码运行良好,您也是第 5 或第 6 个提出大致相同问题的人,在 PHP 登录表单中使用已弃用的mysql_函数进行SQL 注入...

而且,$guery不一样$query...检查qg字母...

这一行:

$guery = mysql_query("SELECT * FROM UserAccount WHERE email_address = '$email_address'");

至少应该是

$query = mysql_query("SELECT * FROM UserAccount WHERE email_address = '".mysql_real_escape($email_address)."'");

既要正确,又要避免注射...

但是你真的应该通过 PDO 使用准备好的语句,如下所示:

try {
    //open connection, this is different than in the old functions
    $dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);

    //***running query
    //**step1: create statement
    $stmt = $dbh->prepare('SELECT * FROM UserAccount WHERE email_address = :email'); //notice parameter prefixed with ':'

    //**step2: bind values (be sure to also check out the bindParameter() function too!)
    $stmt->bindValue(':email', $email_address);

    //**step3: exexcute statement
    $stmt->execute();

    //**step4: process results
    $result = $stmt->fetch(PDO::FETCH_OBJ);

    if($result->PASSWORD==$password) {
      //logged in, do whatever reuqired
    }

    $dbh = null; //don't let it slip out of our hands
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}

另外,还有一点要注意:不要存储明文密码。如今,即使存储 MD5 哈希值也超出了范围,并且 SHA1 也被宣布为弱......

于 2013-03-14T13:41:14.930 回答