使用PHP登录时比较用户名和密码
[英]Compare username and password during login using PHP
问题描述
Suppose that I have PHP code as below: 
假设我有如下的PHP代码:
<form action="index.php" method="post" id="myform">
<tr>
<td>User Name </td>
<td><input type="text" name="text_username" placeholder="your username here" class="validate[required]"/></td>
</tr>
<tr>
<td>Pass Word </td>
<td><input type="password" name="text_password" placeholder="your password here" class="validate[required]" /></td>
</tr>
<?php
$userPass = array();
$userName = array();
$userID = array();
include ('include/connectdb.php');
if(isset($_POST['tbn_submit'])){
$query = mysql_query("SELECT * FROM tblusers");
$username = $_POST['text_username'];
$password = $_POST['text_password'];
while($value= mysql_fetch_array($query)){
$userPass = $value['user_password'];
$userName = $value['user_username'];
$userID = $value['user_id'];
if($username == $userName && $password == $userPass){
header("location:DataInfo.php?uid=".$userID);
}
else if($username != $userName && $password == $userPass) {
echo'<tr><td colspan="2"><center><b style="color:red;">Invalide username or password, please check again! </b></center></td></tr>';
}
}
}
?>
<tr>
<td></td>
<td><input type="submit" name="tbn_submit" class="btn btn-success" value="Login"/><input type="reset" class="btn btn-warning" value="Cancel"/></td>
</tr>
</form>
The Problems: 问题:
When I use wrong username and password it shows me the repeat messages Invalide username or password, please check again! 当我使用错误的用户名和密码时,它会提示我重复的消息: Invalide username or password, please check again! so many time I do not want like this.How do I fix this.Anyone help me please, Thanks 如此多次,我不想这样。如何解决此问题。请任何人帮助我,谢谢
5 个解决方案
解决方案1
1 2012-09-26 08:13:02
This is so wrong, First, 这太错了,首先
Why do you check for password and login match IN php ? 为什么在php中检查密码和登录名是否匹配? You can just make a query like : 您可以像这样进行查询:
SELECT * FROM tblusers WHERE username = *username* AND password = *password*
If the query return a result, the user can be logged in, else, error message. 如果查询返回结果,则可以登录用户,否则显示错误消息。
Then, The problem with your code is that you compare all the user database with a login and a password. 然后,代码的问题是您将所有用户数据库与登录名和密码进行比较。 If the pass/login match, you redirect the user to another page, but else, you display an error message. 如果通过/登录匹配,则将用户重定向到另一个页面,否则,显示错误消息。 THE PROBLEM IS THAT THE SCRIPT DON'T STOP WHEN IT DOESN'T MATCH ! 问题是脚本不匹配时就不会停止!
so each time username / pass are false, it'll display an error message, and for each column of your user database. 因此,每次用户名/密码为假时,都会在用户数据库的每一列中显示一条错误消息。
If you get this working, i suggest you to use sha1 so people can't read passwords in plain text ... 如果您能正常工作,我建议您使用sha1,这样人们就无法以纯文本格式读取密码...
Just store the passwords with sha1($password) and compare them with sha1() . 只需使用sha1($password)存储密码,然后将它们与sha1()比较即可。
解决方案2
1 2012-09-26 08:13:23
You problem is probably your query: 您的问题可能是您的查询:
mysql_query("SELECT * FROM tblusers");
You are selecting ALL users from the table and then iterating over them. 您正在从表中选择所有用户,然后对其进行迭代。 Instead you wanna select by username and then compare password: 相反,您想按用户名选择,然后比较密码:
mysql_query("SELECT * FROM tblusers WHERE user_username = ".$_POST['text_username']);
You will probably want to add password to that query as well. 您可能还希望向该查询添加密码。
Of course this is wide open to security problems and problems and what not and you should probably look into PDO and MySQLi instead. 当然,这对安全问题和其他问题大有裨益,您应该考虑使用PDO和MySQLi。
As a last note, it is always good to do passwords the right way in PHP: How do you use bcrypt for hashing passwords in PHP? 最后一点,在PHP中以正确的方式设置密码始终是件好事: 如何在PHP中使用bcrypt哈希密码?
解决方案3
1 2012-09-26 08:14:33
In your code you query for all known users, and chek for each, if username and password are equal. 如果用户名和密码相等,则在代码中查询所有已知用户,然后逐一查询。 This is unnecessary slow, there is no need to get all users from the database, just search for the user with the given username. 这是不必要的缓慢,不需要从数据库中获取所有用户,只需搜索具有给定用户名的用户即可。
It's not a good idea to store the password plain text in the database, you should use a hash function like BCrypt and store only the hashed password in the database. 将密码纯文本存储在数据库中不是一个好主意,您应该使用BCrypt之类的哈希函数,并且仅将散列的密码存储在数据库中。
Then i would recommend to switch to mysqli or PDO, instead of the mysql_* functions. 然后,我建议切换到mysqli或PDO,而不是mysql_ *函数。 The mysql functions are deprecated. 不推荐使用mysql函数。
解决方案4
1 已采纳 2012-09-26 08:21:55
The output that you are getting obvious from your code. 从代码中可以明显看到的输出。 What you are doing are: 您正在做什么:
Fetching all records from user table (tblusers)
从用户表中获取所有记录(tblusers) mysql_query("SELECT * FROM tblusers");
mysql_query(“ SELECT * FROM tblusers”); Then you are looping each record
然后,您正在循环每个记录 while($value= mysql_fetch_array($query))
while($ value = mysql_fetch_array($ query))
So, if table tblusers has 1000 records, you will get the message 1000 times. 因此,如果表tblusers有1000条记录,您将获得1000次消息。
You should rewrite it to something like: 您应该将其重写为:
include ('include/connectdb.php');
if(isset($_POST['tbn_submit'])){
$username = $_POST['text_username'];
$password = $_POST['text_password'];
$query = mysql_query("SELECT * FROM tblusers WHERE username = $userName AND password = $userPass");
if(mysql_num_rows($query)){
$user = mysql_fetch_assoc($query)
header("location:DataInfo.php?uid=".$user['user_id']);
} else {
echo '<tr><td colspan="2"><center><b style="color:red;">Invalide username or password, please check again! </b></center></td></tr>';
}
}
Please note following issues: 请注意以下问题:
- Variables $userName and $userPass are not escaped here, please do that in your code. 变量$ userName和$ userPass不在此处转义,请在代码中执行。 You can look at here . 你可以看看这里 。 Otherwise you may be putting yourself in risk! 否则,您可能会面临危险!
- You need to fix the markup in
else { }block.您需要在else { }块中修复标记。 - There are other improvements possible in the shown code/logic. 显示的代码/逻辑中可能还有其他改进。 I just gave you the idea! 我只是给你这个主意!
- Also looks time, you've stored plain text password in your database which you must not! 同样看起来很浪费时间,您已经在数据库中存储了纯文本密码,但一定不要! At least use mysql's native password() function! 至少使用mysql的本地password()函数!
解决方案5
0 2014-06-22 11:12:37
<html>
<h1 align="center">LOGIN PAGE</h1>
<br>
<?php
if(isset($_POST['submit']))
{
$uname=$_POST['$uname'];
$pname=$_POST['$pname'];
echo $uname;
}
?>
<body>
<form action="nexts.php" method="GET">
<table border=1 align=center>
<tr>
<th>USERNAME<th>
<input type="text" name="uname">
</tr>
<tr>
<th>PASSWORD<th>
<input type="password" name="pname">
<br>
<input type="submit" name="submit" value="submit">
</tr>
</html>`<html>
<h1 align="center">LOGIN PAGE</h1>
<br>
<?php
if(isset($_POST['submit']))
{
$uname=$_POST['$uname'];
$pname=$_POST['$pname'];
echo $uname;
}
?>
<body>
<form action="nexts.php" method="GET">
<table border=1 align=center>
<tr>
<th>USERNAME<th>
<input type="text" name="uname">
</tr>
<tr>
<th>PASSWORD<th>
<input type="password" name="pname">
<br>
<input type="submit" name="submit" value="submit">
</tr>
</html>
------------------------------------------------
nexts.php
----------------------------
<?php
include_once('connections.php');
?>
<?php
if(isset($_GET['submit']))
{
$uname = $_GET['uname'];
$pname = $_GET['pname'];
$query = mysql_query("SELECT * FROM dayz");
while($value= mysql_fetch_array($query))
{
$varuname = $value['uname'];
$varpname = $value['pname'];
if($varuname == $uname && $varpname == $pname)
{
echo "login successful";
}
else if($varuname != $uname && $varpname == $pname)
{
echo "Invalide username or password, please check again!";
}
}
}
?>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.