[英]PHP help needed for Login script
When I login with the correct username and password I get an error "Wrong Username or Password" the database connection works and I think there is something wrong with the password + username check. 使用正确的用户名和密码登录时,出现错误“用户名或密码错误”,数据库连接正常,我认为密码+用户名检查有问题。
<?php
$host="mysql12-int.cp.hostnet.nl"; // Host name
$username="u33936_mick"; // username
$password="//password was correct"; // password
$db_name="db33936_axe"; // Database name
$tbl_name="users"; // Table name
mysql_connect("$host", "$username", "$password");
mysql_select_db("$db_name");
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql = 'SELECT * FROM `users` LIMIT 0, 30 WHERE username="$myusername" and
password="$mypassword"';
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if($count==1){
session_register("username");
session_register("password");
header("location:index.php");
} else {
echo "Wrong Username or Password";
}
?>
This is my form 这是我的表格
<form name="login" method="post" action="login.php">
<fieldset id="inputs">
<input id="myusername" type="text" name="myusername"
placeholder="Username" required="">
<input id="mypassword" type="password" name="mypassword"
placeholder="Password" required="">
</fieldset>
<fieldset id="login.php">
<input type="submit" id="submit" value="Login">
</style>
</fieldset>
</form>
Foremost, I suggest you look in to transitioning away from the deprecated mysql_*
family of functions in favor of mysqli
( docs ) or PDO ( docs ), neither of which require any significant change on your part as far as code goes. 最重要的是,我建议您着眼于从不推荐使用的
mysql_*
函数系列过渡到mysqli
( docs )或PDO( docs ),这两者都不需要对代码进行任何重大更改。
As for your specific bug, it appears that you are incorrectly concatenating the values into the query. 至于您的特定错误,看来您是在错误地将值连接到查询中。 Also, your
WHERE
and LIMIT
order is incorrect and invalid SQL. 另外,您的
WHERE
和LIMIT
顺序不正确且无效的SQL。 Here is the correct form: 这是正确的形式:
$sql = '
SELECT
*
FROM
`users`
WHERE
username="'.$myusername.'" AND
password="'.$mypassword.'"
LIMIT 0, 30
';
It is not clear what advantage you bring by using the LIMIT
statement. 尚不清楚使用
LIMIT
语句会带来什么好处。 Either you should have one matching row, or none. 您应该有一个匹配的行,或者没有。 If anything, I would use
LIMIT 1
. 如果有的话,我将使用
LIMIT 1
。 If you got 30 rows back, what would you do with them!? 如果您退回30行,您将如何处理它们?
Converting to PDO is easy! 转换为PDO很容易! The same query in PDO would look like this:
PDO中的相同查询如下所示:
$host="mysql12-int.cp.hostnet.nl"; // Host name
$username="u33936_mick"; // username
$password="//password was correct"; // password
$db_name="db33936_axe"; // Database name
$pdo = new PDO('mysql:host='.$host.';dbname='.$db_name, $username, $password);
$sth = $pdo->prepare('
SELECT
*
FROM
`users`
WHERE
username=:username AND
password=:password
LIMIT 0, 30
');
$sth->execute(array('username'=>$myusername, 'password'=>$mypassword));
$user = $sth->fetch();
Note that when you use PDO with bound parameters (shown here), you DO NOT have to sanitize with mysql_real_escape_string
or addSlashes
as you have done in your code. 请注意,当您使用带有绑定参数的PDO(如此处所示)时,
addSlashes
像在代码中那样对mysql_real_escape_string
或addSlashes
进行清理。
It is not clear where you are defining $mypassword
and $myusername
, but if you are using registered globals then you should alter your code. 目前尚不清楚您在哪里定义
$mypassword
和$myusername
,但是如果您使用注册的全局变量,则应该更改代码。 Get the values directly from $_POST
. 直接从
$_POST
获取值。 addSlashes
is NOT safe, and neither are registered globals. addSlashes
是不安全的,也不是已注册的全局变量。
Documentation 文献资料
mysql_*
functions - http://www.php.net/manual/en/function.mysql-query.php mysql_*
功能- http://www.php.net/manual/en/function.mysql-query.php mysqli
- http://php.net/manual/en/book.mysqli.php mysqli
- http://php.net/manual/zh/book.mysqli.php A few problems: 一些问题:
$_POST['myusername']
etc. to get the posted variables. $_POST['myusername']
等获取发布的变量。 If you are relying on register_globals
you should turn that off as it is deprecated and poses a security risk; register_globals
,则应将其关闭,因为它已过时且存在安全风险; LIMIT
clause comes at the end in mysql; LIMIT
子句位于mysql的末尾; stripslashes
and escape functions, instead you should use prepared statements with bound variables in PDO / mysqli as the mysql_*
functions are deprecated and passwords can contain for example slashes. stripslashes
和转义函数之类的stripslashes
来修改发送的信息,而应该在PDO / mysqli中使用带有绑定变量的准备好的语句,因为不建议使用mysql_*
函数,并且密码可以包含例如斜杠。 As a side-note, you should really salt and hash your password, don't store plain text passwords in your database. 附带说明一下,您应该对密码进行加密和哈希处理,不要在数据库中存储纯文本密码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.