简体   繁体   English


[英]Login system password and username

I wrote php code for my signin.php file and my query works for my username but when i put in the password variable , it doesn't do anything. 我为signin.php文件编写了php代码,查询对我的用户名有效,但是当我输入password变量时,它什么也没做。 I want the user to put in a username and password because all they have to put in to get to the restricted page , is a username no password. 我希望用户输入用户名和密码,因为他们只需要输入用户名和密码即可进入受限页面。 It checks if the username is in the database table, if it is, it goes to the restricted page. 它检查用户名是否在数据库表中,如果存在,它将进入受限页面。 I posted a question like this and i got good answers but i don't know where to put the information , This is my process.php : 我发布了这样的问题,我得到了很好的答案,但是我不知道将信息放在哪里,这是我的process.php:


$username = $_POST['username'];
$pw = $_POST['StorePassword'];

if ( isset( $_POST['login'] ) ) {

 $query = mysqli_query($conn, "SELECT * FROM users WHERE username='".$username."' StorePassword='".$pw."' ");

 $StorePassword = password_hash($pw, PASSWORD_BCRYPT, array('cost' => 8));

if ( mysqli_num_rows($query) > 0 ) {
    while ( $row = mysqli_fetch_assoc( $query ) ) {
        if ( $row['StorePassword'] == $pw ) { 
            header("Location: home.php"); 
        } else { 
            echo "Wrong password"; 
} else {
    echo "User not found <br />";

    echo"Please enter your password.";
 } else{


<a href="signin.php">Please try again</a>

Firstly you should use prepared statements for security. 首先,您应该使用准备好的语句来保证安全性。

Step 1: You want to check that the username and password have been entered: 步骤1:您要检查是否已输入用户名和密码:

if ( !isset($_POST['username'], $_POST['password']) ) {
    // Could not get the data that should have been sent.
    die ('You must enter a username and password!');

Step 2: Check the username against your database: 步骤2:根据您的数据库检查用户名:

if ($stmt = $conn->prepare('SELECT password FROM users WHERE username = ?')) {
    // Bind parameters (s = string, i = int, b = blob, etc), hash the password using the PHP password_hash function.
    $username = $_POST['username']; 
    $stmt->bind_param('s', $username);
    trigger_error("there was an error....".$mysqli->error, E_USER_WARNING);

Step 3: Check the password matches ( Php manual for password_verify ) : 第3步:检查密码是否匹配(PHP手册中的password_verify)

if ($stmt->num_rows > 0) {
        // Account exists, now we verify the password.
        if (password_verify($_POST['password'], $password)) {
            // Verification success! User has loggedin!
            header("Location: home.php"); 
        } else {
            echo 'Incorrect username and/or password!';
    } else {
        echo 'User doesnt exist';

All together: 全部一起:

if ( !isset($_POST['username'], $_POST['password']) ) {
    // Could not get the data that should have been sent.
    die ('Username and/or password not set');
// Prepare our SQL 
if ($stmt = $mysqli->prepare('SELECT password FROM users WHERE username = ?')) {
    // Bind parameters (s = string, i = int, b = blob, etc), hash the password using the PHP password_hash function.
    $username = $_POST['username']; 
    $username = strtolower($username);
    $stmt->bind_param('s', $username);
    trigger_error("there was an error....".$mysqli->error, E_USER_WARNING);
    // Store the result so we can check if the account exists in the database.
    if ($stmt->num_rows > 0) {
        // Account exists, now we verify the password.
        if (password_verify($_POST['password'], $password)) {
            // Verification success! User has loggedin!

             header("Location: home.php"); 
        } else {
            echo 'Incorrect username and/or password!';
    } else {
        echo 'Incorrect username blar password!';
} else {
    echo 'Could not prepare statement!';

Check out the php guide on prepared statements http://php.net/manual/en/mysqli.quickstart.prepared-statements.php 查看有关准备好的语句的PHP指南http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM