stackoom
  简体   繁体   中英

PHP Login Keeps Returning Invalid User

 原文  2013-12-16 22:13:38       php/ mysql

Question

I'm pretty sure I have this coded correctly, but I'm not entirely sure. This is for a simple login form, and I keep getting "Invalid User" returned whenever I try to login.

I'm checking MySQL database, and the entry is there. Here is my code in log.php: 

<?php
session_name("MyLogin");
session_start();

if($_GET['action'] == "login") {
    $conn = mysql_connect("host","username","password"); // your       MySQL connection data
    $db = mysql_select_db("database"); //put your database name in here 
    $name = $_POST['user'];
    $q_user = mysql_query("SELECT * FROM USERS WHERE login='$name'");

    if(mysql_num_rows($q_user) == 1) {

        $query = mysql_query("                                      SELECT * FROM USERS WHERE       login='$name'");
        $data = mysql_fetch_array($query);
        if($_POST['pwd'] == $data['password']) { 
            session_register("name");
            header("Location: index.html"); // success page. put the URL you want 
            exit;
        } else {
            header("Location: login.php?login=failed&cause=".urlencode('Wrong Password'));
            exit;
        }
    } else {
        header("Location: login.php?login=failed&cause=".urlencode('Invalid User'));
        exit;
    }
}

// if the session is not registered
if(session_is_registered("name") == false) {
    header("Location: login.php");
}
?>

1 answers

solution1
 4  2013-12-16 22:34:48

There are several issues with your implementation:

  1. You're still using mysql_ functions; those are deprecated in favour of either PDO or mysqli .

  2. Because of #1 you're not using prepared statements either.

  3. Because of #2 and the fact that you're not properly escaping your variables in SQL your code is vulnerable against SQL injection attacks.

  4. You're storing passwords in plain text. You should use password hashing ; if you're not using 5.5, you can use password_compat instead.

  5. The use of session_register() is deprecated; you should use the superglobal $_SESSION instead.

Here's an example you could use to accomplish the same thing: 

$action = filter_input(INPUT_GET, 'action', FILTER_UNSAFE_RAW);

if ($action == 'login') {
    $user = filter_input(INPUT_POST, 'user', FILTER_UNSAFE_RAW);
    $password = filter_input(INPUT_POST, 'password', FILTER_UNSAFE_RAW);

    $dbh = new PDO('mysql:host=host;dbname=database;charset=utf8', 'username', 'password', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);

    $stmt = $dbh->prepare('SELECT * FROM `users` WHERE `login` = ?');
    $stmt->execute([$user]);

    if (($row = $stmt->fetch(PDO::FETCH_ASSOC)) !== false && password_verify($password, $row['password'])) {
        $_SESSION['user'] = $row;
        header("Location: index.html"); // success page. put the URL you want 
    } else {
        header("Location: login.php?login=failed&cause=".urlencode('Invalid User or password'));
    }
    exit;
}

if (!isset($_SESSION['user'])) {
    header("Location: login.php");
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Login PHP keeps returning invalid username or password even if the fields are correct? Why does the login.php keeps saying invalid password? password verify keeps returning wrong login credentials php PHP login returning false with correct user name? PHP: Returning a user to their original page after login PHP variable keeps returning 0 Log.php returning 'Invalid User' from MySQL database user invalid login login auth check keeps returning false in laravel 4 php login script always returning false user not found
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM