php - SELECT * FROM DB where X = Y. 如果没有 = Y，我需要一个 else 语句来做某事

Question

问题是如果您$_POST['username']包含数据库中存在的用户名，则脚本运行良好。如果用户名输入错误，或者除了在数据库中找到的内容之外还输入了其他任何内容，它就会被锁定。

有没有办法构造SELECT一个“else”类型的语句，当发生拼写错误时它会“这样做”......

提前致谢

include('includes/config.php');
if($_REQUEST['do'] == 'login') {
   $postusername = $_POST['username'];
   $result = mysqli_query($con,"SELECT * FROM $sqlusers WHERE 
                            username = '$postusername'");
   while($row = mysqli_fetch_array($result))
   {
      if($_POST['username'] == $row['username'] && 
         $_POST['password'] == $row['password']){

         $logged_username = $row['username'];
         $_SESSION['username']= $logged_username;     
         $_SESSION['active']=1;
         session_write_close;
         //to redirect back to "index.php" after logging out`
         header("location:/index.php"); 
      }
      else {        
         header("Location:login.php?errorMssg=".urlencode("Your Login 
                  Information is incorrect!!"));
      }
   }
}

score 1 · Accepted Answer

试试这个：请查看我所做的更改...

<?php
include('includes/config.php');
if($_REQUEST['do'] == 'login') {
   //check if username and password set
   if(isset($_POST['username']) && isset($_POST['password'])){

     $postusername = mysqli_real_escape_string($_POST['username']);
     $postpassword = mysqli_real_escape_string($_POST['password']);

     $result = mysqli_query($con,"SELECT * FROM $sqlusers WHERE username = '$postusername' and password = '$postpassword' ");

        if(mysqli_num_rows($result) > 0){
           $logged_username = $postusername;
           $_SESSION['username']= $postusername;     
           $_SESSION['active']=1;
           session_write_close;
           //to redirect back to "index.php" after logging out`
           header("location:/index.php");
           exit;
        }
        else {        
           header("Location:login.php?errorMssg=".urlencode("Your Login 
                    Information is incorrect!!"));
          exit;
        }

   }else{
           header("Location:login.php?errorMssg=".urlencode("Enter Username and Password"));
           exit;
   }
}

更新：准备好的声明

<?php
include('includes/config.php');
if($_REQUEST['do'] == 'login') {
   //check if username and password set
   if(isset($_POST['username']) && isset($_POST['password'])){

     $stmt = mysqli_prepare($con,"SELECT * FROM $sqlusers WHERE username = ? and password = ? ");
     mysqli_stmt_bind_param($stmt, 'ss', $_POST['username'], $_POST['password']);
     mysqli_stmt_execute($stmt);
     mysqli_stmt_store_result($stmt);

        if(mysqli_stmt_num_rows($stmt) > 0){
           $logged_username = $postusername;
           $_SESSION['username']= $postusername;     
           $_SESSION['active']=1;
           session_write_close;
           //to redirect back to "index.php" after logging out`
           header("location:/index.php");
           exit;
        }
        else {        
           header("Location:login.php?errorMssg=".urlencode("Your Login 
                    Information is incorrect!!"));
          exit;
        }

   }else{
           header("Location:login.php?errorMssg=".urlencode("Enter Username and Password"));
           exit;
   }
}

score 0 · Accepted Answer

首先，你应该对用户发送的数据进行转义，以防御黑客的sql注入攻击
在将用户存储到数据库之前，您应该保存用户密码并对其进行哈希处理。阅读： http: //php.net/manual/en/faq.passwords.php
如果数据库结果为空（没有给定登录名的用户），您还没有写出要做什么

尝试这个：

<?php
include('includes/config.php');
if ($_REQUEST['do'] == 'login')
{
    $postusername = mysqli_real_escape_string($_POST['username']);
    $result = mysqli_query($con, "SELECT * FROM $sqlusers WHERE username = '$postusername'");
    if (!$result)
    {
        // handle error
    }

    $row = mysqli_fetch_array($result);
    if ($row && $_POST['password'] == $row['password'])
    {
        $logged_username = $row['username'];
        $_SESSION['username'] = $logged_username;
        $_SESSION['active'] = 1;
        session_write_close;
        //to redirect back to "index.php" after logging out`
        header("location:/index.php");
    }
    else
    {
        header("Location:login.php?errorMssg=" . urlencode("Your Login Information is incorrect!!"));
    }
}

score 0 · Accepted Answer

如果查询失败，则返回 false，因此您可以使用类似的代码

$result = mysqli_query($conn,$sql);

然后像

if ($result != false)
    do some crap
else
    do some other crap

在代码中查找 SQL 错误的标准似乎是

$result = mysqli_query($con,"SELECT * FROM $sqlusers WHERE username = '$postusername'") or die (mysqli_error($con));

但我不知道那是不是你要问的。

关于相关说明

您的脚本容易受到 SQL 注入的攻击。请修复它 http://php.net/manual/en/security.database.sql-injection.php

score 0 · Accepted Answer

您的查询是：

  SELECT * FROM $sqlusers WHERE username = '$postusername'

如您的问题中所述，如果“nothing = Y”，即表中没有用户名与发布的用户名匹配，则查询将返回空结果集。用简单的 PHP 术语来说，'if nothing in db = username'，被翻译成：

  if(mysqli_num_rows($result) == 0) { // no rows matches the posted username (nothing = Y, in your words)
       //handle your error here
   } else { // ie, X = Y in your words
        // the while loop to check password goes here
    }

php - SELECT * FROM DB where X = Y. 如果没有 = Y，我需要一个 else 语句来做某事

4 回答 4

Related

Reference