提供错误的用户名和密码时登录成功
问题描述:
这是我的代码,即使点击提交按钮后,登录成功。提供错误的用户名和密码时登录成功
$username = isset($_POST['username']);
$password = isset($_POST['password']);
//sql dtabase conn
$conn = mysqli_connect("localhost","root","","login");
//query the dtabase for user
$result = mysqli_query($conn, "select * from users where username =
'$username' and password = '$password'")or die("failed to query database".mysqli_connect_error());
$row = mysqli_fetch_array ($result);
if($row['username'] == $username && $row['password'] == $password && (""
!== $username || "" !== $password)){
echo "Login success".$row['username'];
}else{
echo "Failed to login";
}
我是初学者。请帮助我
答
您正在使用isset
来检查用户名/密码后有效负载。这返回一个true
/false
,而不是一个值。所以你永远不会匹配一个数据库中的记录,你永远不会匹配您的凭据检查条件(匹配或""
)
试着这么做
$username = isset($_POST['username']) ? $_POST['username'] : false;
将设置$username
等于如果未设置,则值$_POST['username']
的值为false
。然后你可以用类似的方法测试它:
if (($username && $password) and ($username == $row['username'] and $password == $row['password']))
这应该让你比你更近。
另外一点 - 你需要使用某种哈希机制来设置密码。你得到它的方式看起来像你正在寻找一个明文密码值(除非你在前端散列,我猜)。切勿将密码作为纯文本存储在数据库中。
答
您在IF声明中的最后一个条件是真的,密码不是空的,因为你的isset()将总是返回一个值,它将永远是成功的。
$username = $_POST['username'];
$password = $_POST['password'];
//sql dtabase conn
$conn = mysqli_connect("localhost","root","","login");
//query the dtabase for user
$result = mysqli_query($conn, "select * from users where username =
'$username' and password = '$password'")or die("failed to query database".mysqli_connect_error());
$row = mysqli_fetch_array ($result);
if($row['username'] == $username && $row['password'] == $password){
echo "Login success".$row['username'];
}else{
echo "Failed to login";
}
不要使用isset来分配变量。使用一些转义函数或其他东西。你应该把isset放在if语句上 –
首先修复这行两行'$ username = isset($ _ POST ['username'])? $ _POST ['username']:“”; $ password = isset($ _ POST ['password'])? $ _ POST [ '密码']: “”;' –