[英]My PHP login script is giving the following error
You have an error in your SQL syntax; 您的SQL语法有误; check the manual that corresponds to your MariaDB server version for the right syntax to use near ' password='$2y$10$QV6'' at line 1 检查与您的MariaDB服务器版本相对应的手册以在第1行的'password ='$ 2y $ 10 $ QV6'附近使用正确的语法
I'm fairly new to server-side scripting, please take a look at the syntax below and align it where neccesary or assist me with an alternative solution regarding this error. 我是服务器端脚本的新手,请查看下面的语法,并在必要时将其对齐,或者在出现此错误时为我提供替代解决方案。
<?php
$tbl_name = "user_accounts"; // Table name
// Connect to server and select database.
$mysqli = new mysqli("localhost", "root", "", "ems");
// email and password sent from form
$email = $_POST['email'];
$password = $_POST['password'];
if (!$_POST['email'] | !$_POST['password']) {
print "<script>alert('Your email & password do not match!');
javascript:history.go(-1);</script>";
exit;
}
// To protect MySQL injection
$email = stripslashes($email);
$password = stripslashes($password);
$email = mysqli_real_escape_string($mysqli, $email);
$password = mysqli_real_escape_string($mysqli, $password);
$hash = password_hash($password, PASSWORD_BCRYPT);
$sql = "SELECT account_type, email and password FROM $tbl_name WHERE email='$email', password='$hash'";
$mysqli_result = mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));
// Mysql_num_row is counting table row
$count = mysqli_num_rows($mysqli_result);
// If result matched $email and $password, table row must be 1 row
if ($count == 1) {
// Register $email, $password and redirect to file "index.php"
$_session['email'] = $email;
$_session['password'] = $password;
//Checking User Account Type
if ($_SESSION['account_type'] == 'user') {
header("location:user.php");
} else if ($_SESSION['account_type'] == 'admin') {
header("location:admin.php");
} else {
print "<script>alert('This Account Doesn't Exist!');
javascript:history.go(-1);</script>";
exit;
}
} else {
echo "Wrong email or Password";
}
?>
A few problems here: 这里有几个问题:
AND
您不使用逗号分隔条件,而是使用AND
password_verify()
. 相反,您应该从行中获取密码,并使用密码比较功能password_verify()
。 password_hash
generates every time a new hash, even with the same value. password_hash
每次都会生成一个新的哈希,即使具有相同的值。
Your Query should only query for the email and then execute password_verify($password, $passwordFromQuery)
. 您的查询应仅查询电子邮件,然后执行password_verify($password, $passwordFromQuery)
。
More about password_hash()
here and about password_verify()
here 更多关于password_hash()
在这里和大约password_verify()
这里
I woud recommend using prepared statements. 我建议使用准备好的语句。 Read more about it here 在这里了解更多
Try this 尝试这个
$sql="SELECT account_type, email and password FROM $tbl_name WHERE email='".$email."', password='".$hash."'";
$mysqli_result=mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.