基本的PHP脚本不起作用

Question

I'm new to PHP and SQL but I'm trying to create a simple PHP-script that allows a user to login to a website. It doesn't work for some reason and I can't see why. Every time I try to login with the correct username & password, I get the error "Wrong Username or Password". The database-name and table-name are correct.

connect.php:

<?php
$db_host = 'localhost';
$db_name = 'app';
$db_user = 'root';
$db_pass = '';
$tbl_name = 'users'; 

// Connect to server and database 
mysql_connect("$db_host", "$db_user", "$db_pass") or die("Unable to connect to MySQL.");
mysql_select_db($db_name)or die("Cannot select database.");

// Info sent from form
$user = trim($_POST['user']); 
$pass = trim($_POST['pass']); 

// Protection against MySQL injection
$user = stripslashes($user);
$pass = stripslashes($pass);
$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);
$sql = ("SELECT * FROM $tbl_name WHERE username='$user' and password='$pass'");
$result= mysql_query($sql);

$count 0= mysql_num_rows($result);
if($count==1){

// Register $user, $pass send the user to "score.php"
session_register("user");
session_register("pass"); 
header("location:score.php");
}
else 
{
echo "Wrong Username or Password";
}
?>

score.php:

<?php
session_start();
if(!session_is_registered(user)){
header("location:login.html");
}
?>

<html>
<body>
<h1>Login Successful</h1>
</body>
</html>

I hope someone can find my mistake, thanks!

Answer 1

FYI session_register and session_is_registered are deprecated and will be removed from PHP. Also try to change your code to use mysqli or PDO. Plenty of articles explain how to do it. Finally, make sure you escape input from the user ($_POST array) because you never know what the user will send and you don't want to be prone to SQL injections. You really do not want to store passwords in clear text, so using SHA1 or MD5 is best.

Having written the above, your code becomes (you can use the $_SESSION global array directly):

connect.php:

<?php
$db_host  = 'localhost';
$db_name  = 'app';
$db_user  = 'root';
$db_pass  = '';
$tbl_name = 'users'; 

// Connect to server and database 
mysql_connect($db_host, $db_user, $db_pass) or die("Unable to connect to MySQL.");
mysql_select_db($db_name) or die("Cannot select database.");

// Info sent from form
$user = trim($_POST['user']); 
$pass = trim($_POST['pass']); 

// Protection against MySQL injection
$user = stripslashes($user);
$pass = stripslashes($pass);
$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);
$sql  = "SELECT * FROM $tbl_name "
      . "WHERE username = '$user' "
      . "AND password = sha1('$pass')";

$result = mysql_query($sql);

// There was an extra 0 here before the equals
$count = mysql_num_rows($result);
if ($count==1)
{

    // Register $user, $pass send the user to "score.php"
    $_SESSION['user'] = $user;

    // You really don't need to store the password unless you use
    // it somewhere else
    $_SESSION['pass'] = $pass;
    header("location: ./score.php");
}
else 
{
    echo "Wrong Username or Password";
}
?>

score.php:

<?php
session_start();
if (!isset($_SESSION['user']))
{
    header("location:login.html");
}
?>

<html>
<body>
<h1>Login Successful</h1>
</body>
</html>

Answer 2

A couple of things

Change this line to the one with error checking i have put below it

$result= mysql_query($sql);

$result= mysql_query($sql) or die(mysql_error());

chances are there is an sql error and you are not picking it up, so the result will always have 0 rows

Also not sure if this line is a typo or not, there shouldn't be a 0 in there

$count 0= mysql_num_rows($result);