-5

我正在尝试创建一个登录系统,但由于某种原因,我的代码中有一个错误,我似乎无法弄清楚它是什么。

    <?php
include "connect.php";
?>

<body>
<?php
if(isset($_POST['submit'])){
$username = $_POST['email'];
$password = $_POST['password'];

$result = mysql_query($con,"SELECT * FROM users WHERE username=$username AND password=$password");
$num = mysql_num_rows($result);
if($num == 0){
echo "Bad login, go <a href='login.php'>back</a>.";
}else{
session_start();
$_SESSION['username'] = $username;
header("Location: index.php");
}
}
?>

    <div class="container">
      <form action='signin.php' method='POST' class="form-signin" >
        <h2 class="form-signin-heading">Please sign in</h2>
        <input type="text" class="input-block-level" placeholder="Email address" name="email">
        <input type="password" class="input-block-level" placeholder="Password" name="password">
        <label class="checkbox">
          <input type="checkbox" value="remember-me"> Remember me
        </label>
        <button class="btn btn-large btn-primary" type="submit" name="submit" value="Login">Sign in</button>
      </form>

这些是提交时的错误:

Warning: mysql_query() expects parameter 1 to be string, object given in C:\xampp-portable\htdocs\bootstrap\signin.php on line 71

Warning: mysql_num_rows() expects parameter 1 to be resource, null given in C:\xampp-portable\htdocs\bootstrap\signin.php on line 72
Bad login, go back.
4

1 回答 1

2

1) 你混淆了 mysql & mysqli 查询。这是

$result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
and
$result = mysqli_query($con,"SELECT * FROM users WHERE username='$username' AND password='$password'");

2)这段代码对sql注入非常危险。在正式使用之前,您需要对其进行消毒。3) 

for the success case, set a session id sth like that: $session_id = session_id(); 
reverse that:
$username=$_SESSION["username"]; 
and use both variables in redirection:
header ("Location: index.php?username=$username&session_id=$session_id");
于 2013-03-31T10:39:20.637 回答