0

我有一个登录系统,用户必须登录才能访问主网站。但是,验证不起作用。

主要是password功能不正常。任何建议为什么?

<?php

session_start();

$login = mysql_real_escape_string($_POST['login']);
$password = mysql_real_escape_string($_POST['password']);

if ($login&&$password)
{

$connect = mysql_connect("localhost", "root", "") or die("Couldn't connect");
mysql_select_db("a&e") or die("Couldn't find db");

$query = mysql_query("SELECT * FROM users WHERE login='$login'");

$numrows = mysql_num_rows($query);

if ($numrows==!0)
{
//code to login

while ($row = mysql_fetch_assoc($query))
{
    $dbusername = $row['login'];
    $dbpassword = $row['password'];
}

//check to see if they match
if($login==$dbusername&&$password==$password)
{
$_SESSION['login']=$username;
$_SESSION['password']=$password;
     sleep(5);
    header('Location: nindex.php');
    die(); 
}
else
die ("incorrect password");

}
else
    die("That user does not exist");
}
else
    die("please provide a  username and password");

?>
4

2 回答 2

1

你的代码有问题,试试这个

<?php

session_start();

$login = mysql_real_escape_string($_POST['login']);
$password = mysql_real_escape_string($_POST['password']);

if ($login&&$password)
{

$connect = mysql_connect("localhost", "root", "") or die("Couldn't connect");
mysql_select_db("a&e") or die("Couldn't find db");

$query = mysql_query("SELECT * FROM users WHERE login='".$login."' AND password='".$password."'");

$numrows = mysql_num_rows($query);

    if ($numrows > 0)
    {
    //code to login
        header('Location: nindex.php');
        die(); 
    }
    else
    {
    echo "incorrect username or password";
    }
}
?>
于 2013-04-24T19:07:51.903 回答
0

我注意到了 4 件事。

1)当您检查它们是否匹配时,您将 $password 与 $password 而不是“$dbpassword”进行比较

2) 你为什么叫“sleep(5)”?

3)您需要在存储到数据库之前对密码进行加密,因为如果您的网站被黑客入侵,您的用户密码最终将落入坏人之手。

4)你不应该在会话变量中存储密码(出于安全原因)

于 2013-04-24T19:04:39.813 回答