1

您好,我正在处理登录页面,我遇到的问题是,当我输入用户名并登录时,页面更改为回显错误的用户名或密码。

它似乎没有进入 login_success.php,这导致认为问题出在 sql 语法上,但我还没有找到原因的答案。我还认为可能是 if($count==1){ 并尝试 ($count>1){ 没有成功。

我已经在网上搜索并尝试了几种不同的方法,但没有任何效果。我是新手,将研究停止 sqlinjection 的方法,但是该站点尚未上线,仅用于练习:) 这个社区对我的学习有很大帮助,提前谢谢大家

HTML 登录页面.html

<form id=login name="login" action="login.php" method="post">
   <fieldset id=fs>
      <legend>Vault Security Console:</legend>
      <!-- legeng tage creates a header title for the fieldset box, filedset pulls all data in the tag to gether with a box around it. -->
      UserName: <input type="text" name="username"> <br>
      Password: <input type="password" name="password"> <br>
      <input type="submit" value="Login"> <input type="submit" value="Register"> 
   </fieldset>
</form>

php-Login.php

<?php
   // Create connection
   $con=mysqli_connect('172.16.254.111',"user","password","Faults"); //(connection location , username to sql, password to sql, name of db)

   // Check connection
   if (mysqli_connect_errno($con))
   {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
   }
   //below is the variables from the login form
   $username = $_POST['username'];

   $password = md5(strip_tags($_POST['password']));

   $sql="SELECT * FROM Users WHERE username='.addslashes($username).' and password='.addslashes($password).'";
   $result=mysqli_query($sql);   

   //Mysql_num_row is counting table row
   $count=mysqli_num_rows($result);   

   if($count==1){   
   session_register("username");
     session_register("password"); 
   header('location:login_success.php');
   }
   //if false echo below
   else {
    echo "<H2>Wrong Username or Password</H2>";
   }   
?>
4

3 回答 3

1

试试这个。

<?php
  //below is the variables from the login form
  $username = mysqli_real_escape_string($con, $_POST['username']);
  $password = md5($_POST['password']);

  $sql="SELECT * FROM Users WHERE username='$username' and password='$password'";
  $result=mysqli_query($sql);   
?>
于 2013-07-04T13:22:16.690 回答
0 
$sql="SELECT * FROM Users WHERE username='".addslashes($username)."' and password='".addslashes($password)."'";

请如上修改您的查询语句。

于 2013-07-04T12:39:56.037 回答
0

我认为用户名或密码有问题。
您必须按照以下步骤操作:-

  1. 选择登录用户对应的密码
  2. 将其与您的脚本生成的编码密码进行比较
 $username = mysqli_real_escape_string($con, $_POST['username']);
 $recievedPassword = md5($_POST['password']);

$qry="select password from Users where username=$username";
$row=mysqli_query($qry);

$result=mysqli_fetch_assoc($result);
$dbPassword=$result['passsword'];

if($recievedPassword==$dbPassword){
    echo "password matched"; 
}
else{
    echo "password mismatch, Please not encryped in db or there is any space..";
}
于 2013-07-04T15:24:33.360 回答