无法使用正确的用户名和密码 php 和 myql 登录
[英]Unable to login with correct username and password php and myql
问题描述
Hello every one i'm new to php.
大家好,我是 php 新手。 I was just trying to create a multi users login system.我只是想创建一个多用户登录系统。 In the first approach i get what is required but whenever i try to login with wrong username or password.在第一种方法中,我得到了所需的内容,但是每当我尝试使用错误的用户名或密码登录时。 else statement echos multiple times. else 语句多次回显。 but in the second approach i get the last statement executed every time i try to login even with correct username and password.但是在第二种方法中,即使使用正确的用户名和密码,每次我尝试登录时也会执行最后一条语句。
This is the first approach这是第一种方法
if(isset($_POST['signin'])){
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * from `users`;";
if(count(fetchAll($query))>0){
foreach(fetchAll($query) as $row){
if($username==$row["username"]&&$password==$row["password"]&&$row["type"]=="admin"){
echo "Admin";
}elseif($username==$row["username"]&&$password==$row["password"]&&$row["type"]=="teacher"){
echo "Teacher";
}elseif($username==$row["username"]&&$password==$row["password"]&&$row["type"]=="student"){
echo "Student";
}else{
echo "Username or password not found!";
}
}
}else{
echo "<script>alert('Unknown Error')</script>";
}
}
and this is second one这是第二个
if(isset($_POST['signin'])){
$username = $_POST['username'];
$password = $_POST['password'];
$admin_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'admin';";
$teacher_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'teacher';";
$student_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'student';";
if(performQuery($admin_query==1)){
echo "Admin";
}elseif(performQuery($teacher_query==1)){
echo "Teacher";
}elseif(performQuery($student_query==1)){
echo "Student";
}else{
echo "No user found ";
}
}
The performQuery function is performQuery 函数是
function performQuery($query){
$con = new PDO(DBINFO,DBUSER,DBPASS);
$stmt = $con->prepare($query);
if($stmt->execute()){
return true;
}else{
return false;
}
}
2 个解决方案
解决方案1
0 2020-02-04 06:46:35
<?php
$con = mysqli_connect('');// taking as your connection query
$username = "whatever";//taking as user input
$password = "Password";//taking as user input
//By using direct data in SQL login query you are subject to SQL injection. Please Make sure to use prepared statements.
$admin_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'admin';";
$teacher_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'teacher';";
$student_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'student';";
// by using oop approch
if($con->query($admin_query)){
echo "Admin";
}elseif($con->query($teacher_query)){
echo "Teacher";
}elseif($con->query($student_query)){
echo "Student";
}else{
echo "No user found ";
}
// by using procedural approch
if(mysqli_query($con,$admin_query)){
echo "Admin";
}elseif(mysqli_query($con,$teacher_query)){
echo "Teacher";
}elseif(mysqli_query($con,$student_query)){
echo "Student";
}else{
echo "No user found ";
}
?>
Note: Use a prepared statement to avoid SQL injection注意:使用预处理语句避免 SQL 注入
解决方案2
0 2020-02-04 06:46:42
First, when you are using database query try to bind the parameters instead of concatenation to your query because it will lead to SQL Injection首先,当您使用数据库查询时,尝试绑定参数而不是连接到您的查询,因为这会导致SQL 注入
Now as your code state that your are passing boolean to your performQuery function instead of query现在,您的代码声明您将布尔值传递给performQuery函数而不是查询
performQuery($admin_query==1) will lead to performQuery(false) as $admin_query is not equal to 1. That's why your query is failing. performQuery($admin_query==1)将导致performQuery(false)因为$admin_query不等于 1。这就是您的查询失败的原因。
If you print the $query in your function you will find it out.如果您在函数中打印$query ,您会发现它。
So, you have to remove that check inside the param.因此,您必须在参数中删除该检查。 The code will be like this代码将是这样的
if(performQuery($admin_query)){
echo "Admin";
}elseif(performQuery($teacher_query)){
echo "Teacher";
}elseif(performQuery($student_query)){
echo "Student";
}else{
echo "No user found ";
}
function performQuery($query){
try {
$con = new PDO(DBINFO,DBUSER,DBPASS);
$stmt = $con->prepare($query);
if($stmt->execute()){
if($stm->fetchColumn()){
return true;
}
}else{
echo 'Error -> ';
var_dump($st->errorInfo());
echo '<br/>Query -> ';
var_dump($query);
}
catch(Exception $e) {
echo 'Exception -> ';
var_dump($e->getMessage());
echo '<br/>Query -> ';
var_dump($query);
}
return false;
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.