PHP登录使用错误的用户名和密码
[英]PHP login works with wrong username and password
问题描述
I'm having a very annoying problem with a very simple PHP login script. 
我有一个非常简单的PHP登录脚本问题。 The problem is that the login works even with wrong username and/or password. 问题是登录即使用错误的用户名和/或密码也能正常工作。 I'm running it in XAMPP 7.0.8 for Linux. 我在XAMPP 7.0.8 for Linux中运行它。 By the way, the table "users" of the database "login" has only one row. 顺便说一下,数据库“login”的表“users”只有一行。
I've been trying to understand how these kind of scripts work, so I tried with the most basic kind of login I could. 我一直试图了解这些脚本是如何工作的,所以我尝试了最基本的登录方式。 But it keeps being a mystery to me, by now I've never could make it work it out. 但它对我来说仍然是一个谜,到现在为止我从来没有让它成功。
Here is the PHP part: 这是PHP部分:
<?php
session_start();
if(isset($_POST['login'])) {
$db = mysqli_connect("localhost", "root", "", "login");
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$username = stripcslashes($username);
$password = stripcslashes($password);
$username = mysqli_real_escape_string($username);
$password = mysqli_real_escape_string($password);
$sql = "SELECT * FROM users WHERE username = '$username' LIMIT 1";
$query = mysqli_query($db, $sql);
$row = mysqli_fetch_array($query);
$id = $row['id'];
$db_password = $row['password'];
if($password == $db_password){
$_SESSION['username'] = $username;
$_SESSION['id'] = $id;
header("Location: index.php");
} else {
echo "Error: the information is not correct.";
}
}
?>
And here the HTML form: 这里的HTML表单:
<!DOCTYPE html>
<html lang="es">
<head>
<meta charset="UTF-8">
<title>Client's area</title>
</head>
<body>
<form method="post" action="">
<input type="text" name="username">
<input type="password" name="password">
<input class="login" type="submit" name="login" value="Login">
</form>
</body>
</html>
Edit : the idea of this post was never trying to make a secure login script, it was intended to understand some PHP features. 编辑 :这篇文章的想法从来没有尝试过制作安全的登录脚本,它的目的是了解一些PHP功能。 I recognize it's not safe to use any part of this code for an actual login project. 我认识到将这段代码的任何部分用于实际的登录项目是不安全的。
2 个解决方案
解决方案1
0 2016-08-31 17:35:13
The problem is you are setting the $row variable directly even if it fails. 问题是你正在设置$row变量,即使它失败了。 This sets the $db_password to '' and the password should be ''. 这会将$ db_password设置为'',密码应为''。 Hence it passes. 因此它通过了。
change the $row command to this 将$ row命令更改为此
if ($row = mysqli_fetc_array($query) {
and add a } to the 3rd line from the bottom (the blank spot) and add your 'failure message' there as well 并从底部(空白点)添加一个}到第3行,并在那里添加'失败消息'
解决方案2
0 已采纳 2016-08-31 19:10:06
You can use a simple query 您可以使用简单的查询
$sql = "SELECT * FROM users WHERE username = '$username' and password= '$password'";
$query = mysqli_query($db, $sql);
if(mysqli_num_rows($query) > 0)
{
//Records matched process further
$_SESSION['username'] = $username;
$_SESSION['id'] = $id;
header("Location: index.php");
exit();
} else {
//Record not found throw error
echo "Error: the information is not correct.";
}
Hope this helps 希望这可以帮助
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.