我的PHP登录脚本给出以下错误

Question

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ' password='$2y$10$QV6'' at line 1

I'm fairly new to server-side scripting, please take a look at the syntax below and align it where neccesary or assist me with an alternative solution regarding this error.

<?php

$tbl_name = "user_accounts"; // Table name

// Connect to server and select database.
$mysqli = new mysqli("localhost", "root", "", "ems");

// email and password sent from form
$email = $_POST['email'];
$password = $_POST['password'];

if (!$_POST['email'] | !$_POST['password']) {
    print "<script>alert('Your email & password do not match!');
    javascript:history.go(-1);</script>";
    exit;
}

// To protect MySQL injection
$email = stripslashes($email);
$password = stripslashes($password);
$email = mysqli_real_escape_string($mysqli, $email);
$password = mysqli_real_escape_string($mysqli, $password);

$hash = password_hash($password, PASSWORD_BCRYPT);

$sql = "SELECT account_type, email and password FROM $tbl_name WHERE email='$email', password='$hash'";
$mysqli_result = mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));

// Mysql_num_row is counting table row
$count = mysqli_num_rows($mysqli_result);

// If result matched $email and $password, table row must be 1 row

if ($count == 1) {

    // Register $email, $password and redirect to file "index.php"
    $_session['email'] = $email;
    $_session['password'] = $password;

    //Checking User Account Type
    if ($_SESSION['account_type'] == 'user') {
        header("location:user.php");
    } else if ($_SESSION['account_type'] == 'admin') {
        header("location:admin.php");
    } else {
        print "<script>alert('This Account Doesn't Exist!');
            javascript:history.go(-1);</script>";
        exit;
    }
} else {
    echo "Wrong email or Password";
}
?>

Answer 1

A few problems here:

1. You do not separate conditions using a comma, instead you use AND
2. You cannot check a password hash like that as it will be different every time as the salt is generated dynamically. Instead you should get the password from the row and use the password compare function password_verify() .
3. You should use a prepared statement instead of escaping your input to avoid sql injection.

Answer 2

password_hash generates every time a new hash, even with the same value.

Your Query should only query for the email and then execute password_verify($password, $passwordFromQuery) .

More about password_hash() here and about password_verify() here

I woud recommend using prepared statements. Read more about it here

Answer 3

Try this

$sql="SELECT account_type, email and password FROM $tbl_name WHERE email='".$email."', password='".$hash."'";
    $mysqli_result=mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));