PHP 登录会话未通过（使用 SQL 数据库登录）

Question

The latest little 'challenge' I've made for myself is trying to code a good login screen on a site I'm making for some friends. However, when I input my email and password as they are displayed in my SQL database, the file I use to check it with does not send out anything at all. My code looks as follows:

<?php
    session_start();
    
    if (isset($_SESSION['user'])) {
        header('Location: mainpage.php');
    }
    
    require_once 'config.php';
    
    $error_message = '';
    if (isset($_POST['submit'])) {
        $db = "epiz_31045019_TCDB";
        $response = $db->check_credentials($_POST['email'], $_POST['password']);
    
        if ($response['status'] == 'success') {
            $_SESSION['user'] = array('id' => $response['id'], 'nickname' => $response['nickname']);
            header('Location: mainpage.php');
        }
    }
?>

If that might prove to be useful, here are my login form and the config code I'm including as well:

<?php
  $hostnaam = "host.com";
  $gebruikersnaam = "username";
  $wachtwoord = "password";
  $db = "database";
  $verbinding = mysqli_connect($hostnaam, $gebruikersnaam, $wachtwoord,
  $db) or die ("Er kan geen verbinding tot stand worden gebracht:" .
  mysqli_connect_error());
?>

    <form action="datacheck.php" method="POST">
        <div class="form-field">
            <input type="email" name="email" id="email" placeholder="E-mailadres" required /> 
        </div> <br>
        <div class="form-field">
            <input type="password" name="password" id="password" placeholder="Wachtwoord" required /> 
        </div> <br>
        <div class="form-field">
            <button class="btn" type="submit">Log in</button>
        </div>
    </form>

Answer 1

DATA SECURITY:

Your code example:

  $hostnaam = "host.com";
  $gebruikersnaam = "username";
  $wachtwoord = "password";
  $db = "database";
  $verbinding = mysqli_connect($hostnaam, $gebruikersnaam, $wachtwoord,
  $db) or die ("Er kan geen verbinding tot stand worden gebracht:" .
  mysqli_connect_error());

Good Practise:

If you are using variables to hold connection/login information you are going to use them once and then not need them, but later on in your code, all of those variables ( $wachtwoord , $gebruikersnaam , etc.) still exist.

In the example you give, it would be safer practise to

1. hardcode the data directly into the connection function:

   mysqli_connect("host.com", "username", "password", "database");

2. or Ensure you destroy the data as soon as you've finished with it:

    $hostnaam = "host.com"; $gebruikersnaam = "username"; $wachtwoord = "password"; $db = "database"; $verbinding = mysqli_connect($hostnaam, $gebruikersnaam, $wachtwoord, $db); unset($hostnaam,$gebruikersnaam, $wachtwoord,$db); // Or alternatively: // $hostnaam = $gebruikersnaam = $wachtwoord = $db = NULL;

3. Using die statements and showing error messages directly to the browser / user is VERY bad practise and should never be done.

Try instead to throw errors to the PHP error log .

    if(!mysqli_connect("host.com", "username", "password", "database")){
       error_log("There was a failure to connect to MySQL: ".mysqli_connect_error());
       header("location: index.php?msg=".urlencode('Sorry there was an error.Can not connect.');
    }

4. Your header functions should always be followed by die/exit statements because when a header function is reached, PHP will continue to execute the rest of the script, even while the browser is redirected to a new page.

Bringing it all together:

    if(!mysqli_connect("host.com", "username", "password", "database")){
       error_log("There was a failure to connect to MySQL: ".mysqli_connect_error());
       header("location: index.php?msg=".urlencode('Sorry there was an error.Can not connect.'));
       exit;
    }

And finally, I would also highly recommend using PDO interface and using object orientated programming.