[英]How to check if user exists in database using PHP
SOLUTION: The the ending " after the SQL query was in the wrong place. and also declaring the $user and $password before the SQL query helped as well. Thanks all. 解决方案:SQL查询后的末尾“放在错误的位置。并且在SQL查询之前也声明了$ user和$ password。同样,谢谢。
I am struggling to figure out why this does not work. 我正在努力弄清为什么这行不通。 To me it make perfect sense.
对我来说,这是完全合理的。
Also, I do know my code may be using old techniques and at risk for injection, this is just for a proof of concept. 另外,我确实知道我的代码可能使用的是旧技术,并且有注入风险,这仅是概念证明。
Here is my code: 这是我的代码:
<?php
$db = mysql_connect("localhost", "root", "root");
if (!$db) {
die("Database connect failed: " . mysql_error());
}
$db_select = mysql_select_db("test", $db);
if (!$db_select) {
die("Database selection failed: " . mysql_error());
}
$username = $_POST['username'];
$result=mysql_query("SELECT * FROM Dbusers (username,pass) WHERE username,pass ='$username','$pass'");
if(mysql_num_rows($result) == 1) {
header ("location: UniHelpindex.php");
}
else
{
echo ("Login Details Wrong");
}
?>
Anything that my help let me know. 我的帮助让我知道的任何事情。
This is a syntax error: 这是语法错误:
WHERE username,pass ='$username','$pass'
You meant this: 您的意思是:
WHERE username = '$username' AND pass = '$pass'
Also, where do you ever define $pass
? 另外,您在哪里定义
$pass
? If you don't define it, then the SQL query may just be looking for an empty string which might not match any records (I hope). 如果您没有定义它,那么SQL查询可能只是在寻找一个可能与任何记录都不匹配的空字符串(我希望如此)。
When a query is failing, the system doesn't necessarily tell you outright. 当查询失败时,系统不一定会直接告诉您。 (Although in this case
mysql_num_rows($result)
is very likely throwing an error. Turn on error reporting, check your logs, etc.) Take a look at the mysql_error()
function to check for errors any time mysql_query()
returns false
(which it does in the event of an error). (尽管在这种情况下,
mysql_num_rows($result)
很可能引发错误。打开错误报告,检查日志等。)看一下mysql_error()
函数,以便在mysql_query()
返回false
时检查错误(发生错误时执行的操作)。
And, yes, insert the standard disclaimer here that you're using woefully outdated libraries and wide open to SQL injection. 而且,是的,在此处插入标准免责声明,表示您正在使用严重过时的库,并且对SQL注入开放 。
我不确定,但是我认为您的SQL命令中的$ pass变量未定义。
don't use mysql_ it's depreciated. 不要使用mysql_,它已贬值。 Use instead mysqli_
改用mysqli_
$db=mysqli_connect('hostname','usrname','password','dbname')or die(<h2>some html code for showing the error</h2>);
$query="SELECT * FROM Dbusers WHERE username='$username' AND password='$password'";
$result=mysqli_query($db,$query);
if($mysqli_num_rows !=0){
//user was found stuff here
}else{
//user not found stuff here
}
**I hope it helped**
解决方案:SQL查询后的末尾“放在错误的位置。并且在SQL查询之前也声明了$ user和$ password。同样,谢谢。
use a query like 使用类似的查询
SELECT pass from Dbusers WHERE username = '$username' LIMIT 1
This is very insecure though, please clean the data before using a query like this. 不过,这是非常不安全的,请在使用此类查询之前清除数据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.