1

我一直遇到 PHP 说“我们很抱歉无法让您登录”的错误。根据我设置的条件之一,即使登录正确,因此我为避免 SQL 注入而准备的系统失败。

所以我的代码是这样的:

global $connected;

$post = filter_var_array($_POST, FILTER_SANITIZE_STRING);
$pwwd = $post['password'];
$usrn = $post['username'];
$usrn = mysqli_real_escape_string($connected, $usrn);
$pwwd = mysqli_real_escape_string($connected, $pwwd);

if (strlen($usrn) != 0 && strlen($pwwd) != 0 && !empty($post)) {
    $usrn = stripslashes($usrn);
    $pwwd = stripslashes($pwwd);
    $hashFormat = '$2ysomenumber$';
    $salt = 'somehashobviously';
    $hashF_and_salt = $hashFormat.$salt;
    $pwwd = crypt($pwwd, $hashF_and_salt);

    if (!mysqli_connect_errno()) {
        mysqli_select_db($connected, 'someDbname') or die('Database   select error');
    } else {
        die('Failed to connect to PHPMyAdmin').mysqli_connect_error();
    }

    $query = "SELECT Username, Password FROM users WHERE Username=? AND     Password=?";

    $stmt = mysqli_stmt_init($connected);

    if (mysqli_stmt_prepare($stmt, $query)) {
        //Some error in here somewhere

        mysqli_stmt_bind_param($stmt, "ss", $usrn, $pwwd);
        mysqli_stmt_execute($stmt);

        mysqli_stmt_fetch($stmt);

        mysqli_stmt_bind_result($stmt, $check_usrn, $check_pwd);

        if (strcasecmp($usrn, $check_usrn) == 0) {
            if ($pwwd == $check_pwd) {
                echo '<h1 class="text-center">Matches</h1>';
                print_r($row);
            }

        } else {
            echo "<h1 class=text-center>We're sorry we can't log you     in.</h1>";
        }

    }

} else { //This is for strlen boolean cond
    echo "<h1 class='text-center'>Both fields must not be empty.    </h1>";
}

我曾经使用没有准备好的语句的登录页面,但我意识到我需要这样做以获得更好的安全性。我的数据库工作正常,所以问题就在我添加注释“//此处某处出现错误”的位置附近。

我是一个相对较新的 PHP 程序员,还是一年级学生,在假期尝试大胆的新事物!将公开阅读我获得的所有帮助,谢谢!

4

1 回答 1

0

首先,我没有看到您用于连接数据库的连接代码,就像这样。 $connected = msqli_connect(host,user,password,db_name) ;比你不需要调用mysqli_select_db()函数。

mysqli_connect_errno()其次,如果最后一个函数没有错误代码值,您正在检查函数的连接,该函数返回 0 作为整数(不是布尔值) mysqli_connect()

第三,不需要初始化准备语句。

四是mysqli_stmt_bind_reslut()先于mysqli_stmt_fetch()。见 手册中的注意点

使用hash_equals()函数来匹配密码而不是===. 请参阅crypt中的警告部分 

$connected = msqli_connect(host,user,password,db_name) ;
 if(!$connected)
 {
     die('Connect Error (' . mysqli_connect_errno() . ') '. mysqli_connect_error());
 } 
    echo "Your connection is  successful . "
 if($stmt = mysqli_prepare($connected,$query))
 {
       mysqli_stmt_bind_param($stmt, "ss", $usrn, $pwwd);
       mysqli_stmt_execute($stmt);
       mysqli_stmt_bind_result($stmt, $check_usrn, $check_pwd);
       mysqli_stmt_fetch($stmt);
       /* Now do Your Work */

 } else 
   {
      /* still prepare statement doesn't work */
   } `
于 2017-01-29T18:33:51.590 回答