使用mySQL和PHP登录问题
我试图让数据库用户登录时,如果他们的凭据存在,问题是,每当我在登录屏幕中输入详细信息时,它总是会返回Invalid Login Credentials,不管名称/密码是否在数据库中。使用mySQL和PHP登录问题
这里是我的工作:
loginSubmit.php
<?php
//begin our session
session_start();
//Check the username and password have been submitted
if(!isset($_POST['Username'], $_POST['Password']))
{
$message = 'Please enter a valid username and password';
}
else
{
//Enter the valid data into the database
$username = filter_var($_POST['Username'], FILTER_SANITIZE_STRING);
$password = filter_var($_POST['Password'], FILTER_SANITIZE_STRING);
//Encrypt the password
$password = sha1($password);
//Connect to the database
$SQLusername = "root";
$SQLpassword = "";
$SQLhostname = "localhost";
$databaseName = "jfitness";
try
{
//connection to the database
$dbhandle = mysql_connect($SQLhostname, $SQLusername, $SQLpassword)
or die("Unable to connect to MySQL");
echo "Connected to MySQL<br>";
//select a database to work with
$selected = mysql_select_db($databaseName, $dbhandle)
or die("Could not select database");
$query = "SELECT * FROM
customers WHERE name =
('$_POST[Username]' AND password = '$_POST[Password]')";
$result = mysql_query($query) or die(mysql_error());
$count = mysql_num_rows($result);
if($count == 1)
{
$_SESSION['username'] = $username;
}
else
{
echo "Invalid Login Credentials";
}
if(isset($_SESSION['username']))
{
$username = $_SESSION['username'];
echo "Hello " . $username;
}
}
catch(Exception $e)
{
$message = 'We are unable to process your request. Please try again later"';
}
}
?>
<html>
<head>
<title>Login</title>
</head>
<body>
</body>
</html>
的login.php
<html>
<head>
<title>Login</title>
</head>
<body>
<h2>Login Here</h2>
<form action="loginSubmit.php" method="post">
<fieldset>
<p> <label for="Username">Username</label>
<input type="text" id="Username" name="Username" value="" maxlength="20" />
</p>
<p>
<label for="Password">Password</label>
<input type="text" id="Password" name="Password" value="" maxlength="20" />
</p>
<p>
<input type="submit" value="Login" />
</p>
</fieldset>
</form>
</body>
</html>
ADDUSER
//Enter the valid data into the database
$username = filter_var($_POST['Username'], FILTER_SANITIZE_STRING);
$password = filter_var($_POST['Password'], FILTER_SANITIZE_STRING);
//Encrypt the password
$password = sha1($password);
//Connect to the database
$SQLusername = "root";
$SQLpassword = "";
$SQLhostname = "localhost";
$databaseName = "jfitness";
try
{
//connection to the database
$dbhandle = mysql_connect($SQLhostname, $SQLusername, $SQLpassword)
or die("Unable to connect to MySQL");
echo "Connected to MySQL<br>";
//select a database to work with
$selected = mysql_select_db($databaseName, $dbhandle)
or die("Could not select database");
$sql = "INSERT INTO
customers (name, password)
VALUES
('$_POST[Username]','$_POST[Password]')";
if(!mysql_query($sql, $dbhandle))
{
die('Error: ' . mysql_error());
}
//Unset the form token session variable
unset($_SESSION['formToken']);
echo "1 record added";
//close the connection
mysql_close($dbhandle);
}
catch (Exception $ex)
{
if($ex->getCode() == 23000)
{
$message = 'Username already exists';
}
else
{
$message = 'We are unable to process your request. Please try again later"';
}
可能是因为这个原因,你有括号的方式。
- 请参阅下面有关使用预准备语句和password_hash()
的笔记。
SELECT * FROM customers
WHERE name = ('$_POST[Username]'
AND password = '$_POST[Password]')
将其更改为:
SELECT * FROM customers
WHERE name = '$username'
AND password = '$password'
,并用于测试目的,尝试删除
$password = filter_var($_POST['Password'], FILTER_SANITIZE_STRING);
,可能会影响/拒绝字符。确保没有空白区域。
也在发生变化if($count == 1)
到if($count > 0)
或if(mysql_num_rows($result) > 0){
您的密码不被散列
测试你的adduser的代码后更换$count = mysql_num_rows($result); if($count == 1) {
,我注意到的是,您的哈希密码不被存储作为一个散列。
将您的Adduser页面中的('$_POST[Username]','$_POST[Password]')
更改为('$username','$password')
。
我建议你搬到mysqli
with prepared statements或PDO with prepared statements,他们更安全。
就目前而言,您现在的代码可以使用SQL injection。
这是一个很好的网站使用PDO与准备好的语句和password_hash()
。
参见:
CRYPT_BLOWFISH或PHP 5.5的password_hash()
功能。
对于PHP < 5.5使用password_hash() compatibility pack
。
试试这个队友
$query = "select * from customer where name = '" .$username ."' and password = '" .$password ."'";
//use the SANITIZED data
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
if($row) {
$_SESSION['name'] = $row['name'];
$_SESSION['password'] = $row['password'];
}
else { //not found
header('Location: go back.php?error=2');
}
echo "Hello " . $username;
不幸的是:/谢谢 – user2757842 2014-11-23 00:04:50
密码被保存为'sha1'开头? – 2014-11-22 23:25:31
嗨Fred -ii,请你稍微详细一点,我正在跟随一篇教程,因为我是新来的PHP – user2757842 2014-11-22 23:32:27
如果密码没有使用'sha1'保存在数据库中,那么你将无法登录。 – 2014-11-22 23:34:39