0

首先,我只想对您的帮助表示感谢!我刚加入这个网站,你们中的很多人都非常有帮助和耐心!(:

所以,我的问题是登录表单。即使输入了错误的信息,它也允许我登录。我是 pdo 的新手,我刚刚将所有 Mysql 函数转换为 pdo,所以我很肯定我在某个地方出错了。

这是我的登录脚本:

<?php
//Login script
if (isset ($_POST["user_login"]) && isset($_POST["password_login"])) {
$user_login = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["user_login"]); //filter everything but numbers and letters
$password_login = preg_replace('^A-Za-z0-9)#i','', $_POST["password_login"]); //filter everything but numbers and letters
$password_login=md5($password_login);
$db = new PDO('mysql:host=localhost;dbname=socialnetwork', 'root', 'password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "SELECT id FROM users WHERE username = '$user_login' AND password = '$password_login' LIMIT 1";
$db->prepare($sql);
if ($db->execute(array(
'$user_login' => $user_login,
'$password_login' => $password_login))); {
    if ($sql->rowCount() > 1){
        while($row = $sql->fetch($sql)){
            $id = $row["id"];
        }
        $_SESSION["id"] = $id;
        $_SESSION["user_login"] = $user_login;
        $_SESSION["password_login"] = $password_login;
        exit("<meta http-equiv=\"refresh\" content=\"0\">");
    } else {
        echo 'Either the password or username you have entered is incorrect. Please check them and try again!';
        exit();
    }
 }
 }
?>

这是表格:

<form action="home.php" method="post">
            <center><input type ="text" size="25" name="User_login" id="user_login" placeholder="username"/>
            <input type ="password" size="25" name="user_password" id="user_password" placeholder="password"/><br />
            <input type ="submit" name="button" id="button" value="login to your account!"/></center>
            </form>

有想法该怎么解决这个吗?

4

2 回答 2

0 
if ($sql->rowCount() > 1){

该代码无效,$sql字符串也是如此。我认为你应该有一个$stmt = $db->prepare( ... );声明,然后$stmt->rowCount改为(但我不是 100% 肯定)。

于 2013-06-25T20:40:00.263 回答
-1

PDO 准备好的语句看起来像(例如):

<?php
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username AND password = :password");
$stmt->bindValue(":username", $_POST['username']);
$stmt->bindValue(":password", md5($_POST['password']));
$stmt->execute();
$result = $stmt->fetchAssoc();

var_dump($result);
?>

你所拥有的不是准备好的陈述。看看这是否有帮助...

<?php
//Login script
if (isset ($_POST["user_login"]) && isset($_POST["password_login"])) {
$user_login = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["user_login"]); //filter everything but numbers and letters
$password_login = preg_replace('^A-Za-z0-9)#i','', $_POST["password_login"]); //filter everything but numbers and letters
$password_login=md5($password_login);
$db = new PDO('mysql:host=localhost;dbname=socialnetwork', 'root', 'password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

try {
  $user_id = false;
  $stmt = $db->prepare("SELECT id FROM users WHERE username = :user_login AND password = :password_login LIMIT 1");
  $stmt->bindValue(':user_login', $user_login);
  $stmt->bindValue(':password_login', $password_login);
  $stmt->bindColumn('id', $user_id);
  $stmt->execute();
  $row = $stmt->fetchAssoc();
  if($user_id){
    $_SESSION["id"] = $user_id;
    $_SESSION["user_login"] = $user_login;
    $_SESSION["password_login"] = $password_login;
    echo '<meta http-equiv="refresh" content="0">'; // see below
    // exit("<meta http-equiv=\"refresh\" content=\"0\">"); // this is WRONG!
  } else {
    echo 'Either the password or username you have entered is incorrect. Please check them and try again!';
    exit();
  }
} catch(PDOException $e) {
  die("PDO Exception: {$e->getMessage()}");
} catch(Exception $e) {
  die("Exception: {$e->getMessage()}");
}
?>

看到你准备好的陈述和我的不同了吗?您的查询更多的是编译查询,而不是准备好的语句(即使您正在使用该prepare方法)。

于 2013-06-25T20:25:55.317 回答