0

我有以下代码:

session_start ();
include 'core/init.php';

$username = '';
$password = '';
$dbusername = '';
$dbpassword = '';
if (isset($_POST['Email']) && isset($_POST['Password']))
{
    $username = $_POST['Email'];
    $password = md5($_POST['Password']);

    $query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'");

    $numrow = mysql_num_rows ($query);
    // user login
    if ($numrow!=0)
    {
        while ($row = mysql_fetch_assoc($query))
        {
            $dbusername = $row['Email'];
            $dbpassword = $row['Password'];
        }

        //Check to see if they match
        if ($username==$dbusername&&$password==$dbpassword)
        {
            $_SESSION ['Email']=$username;
            header('Location: member.php?username='.$username);
        }
    }
    else 
    {
        // admin login
        $query2 = mysql_query("SELECT * FROM admin WHERE Email ='$username' AND Password ='$password'");
        $numrow2 = mysql_num_rows ($query2);
        if ($numrow2!=0)
        {
            while ($row = mysql_fetch_assoc($query2))
            {
                $dbusername = $row['Email'];
                $dbpassword = $row['Password'];
            }

            //Check to see if they match
            if ($username==$dbusername&&$password==$dbpassword)
            {
                $_SESSION ['Email']=$username;
                header("Location: admin.php");
            }else{
                if (empty ($username) === true|| empty($password) === true) {
                    echo "Please enter a username and password";
                } else if ($username!=$dbusername){
                    echo "That user does not exist! Have you registered?";
                } else if ($username=$dbusername&&$password!=$dbpassword) {
                    echo "Incorrect password";
                }
            }
        }
    }
}

但是,如果用户登录不正确,则不会显示任何错误消息,只是一个空白页,我认为这是我的大括号,但无论我更改多少次,我要么让它变得更糟,要么根本没有。谁能告诉我我做错了什么?

4

3 回答 3

2

查看:

if (empty ($username) === true|| empty($password) === true) {
                echo "Please enter a username and password";
                    } else if ($username!=$dbusername){
                        echo "That user does not exist! Have you registered?";
                    } else if ($username=$dbusername&&$password!=$dbpassword) {
                            echo "Incorrect password";
                    }

            }

此部分包含登录错误,可在“管理员登录”部分中找到,因此当非管理员用户登录失败时不会出现错误。

于 2013-03-29T14:00:58.913 回答
0 
$query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'");

    if(mysql_num_rows($query) == 0){
     echo 'You have entered wrong username/password'; }else {

      // you can continue with your query below.
于 2013-03-29T14:08:50.987 回答
0

您的 select 语句已经确保提供的用户名和密码与数据库中的内容匹配。无需在 PHP 中进行第二次比较。您的代码可能只是以下内容:

if (isset($_POST['Email']) && isset($_POST['Password']))
{
    $username = $_POST['Email'];
    $password = md5($_POST['Password']);

    $query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'");

    if(mysql_num_rows($query) == 1)
    {
        $_SESSION['Email'] = $username;
        header('location: member.php?username='.$username);
    }
    else 
    {
        // try admin login
        $query2 = mysql_query("SELECT * FROM admin WHERE Email ='$username' AND Password ='$password'");
        if(mysql_num_rows($query2) == 1)
        {
            $_SESSION['Email'] = $username;
            header("location: admin.php");
        }
        else
        {
            echo "Failed Login Attempt";
        }
    }
}

由于您的查询仅返回用户名和密码匹配的记录,因此您永远不会在用户名匹配但密码不匹配的地方得到结果,因此您在管理员登录结束时进行的条件检查将永远不会发生。

作为旁注,通知用户用户名正确但密码不正确是一种不好的形式,反之亦然。这是一个安全问题,可能使恶意用户更容易获得访问权限。不过,这不是重点,因此请仅将此建议视为个人建议,而不是针对您的问题。

于 2013-03-29T14:23:06.740 回答