[英]Unable to login with correct username and password php and myql
大家好,我是 php 新手。 我只是想創建一個多用戶登錄系統。 在第一種方法中,我得到了所需的內容,但是每當我嘗試使用錯誤的用戶名或密碼登錄時。 else 語句多次回顯。 但是在第二種方法中,即使使用正確的用戶名和密碼,每次我嘗試登錄時也會執行最后一條語句。
這是第一種方法
if(isset($_POST['signin'])){
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * from `users`;";
if(count(fetchAll($query))>0){
foreach(fetchAll($query) as $row){
if($username==$row["username"]&&$password==$row["password"]&&$row["type"]=="admin"){
echo "Admin";
}elseif($username==$row["username"]&&$password==$row["password"]&&$row["type"]=="teacher"){
echo "Teacher";
}elseif($username==$row["username"]&&$password==$row["password"]&&$row["type"]=="student"){
echo "Student";
}else{
echo "Username or password not found!";
}
}
}else{
echo "<script>alert('Unknown Error')</script>";
}
}
這是第二個
if(isset($_POST['signin'])){
$username = $_POST['username'];
$password = $_POST['password'];
$admin_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'admin';";
$teacher_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'teacher';";
$student_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'student';";
if(performQuery($admin_query==1)){
echo "Admin";
}elseif(performQuery($teacher_query==1)){
echo "Teacher";
}elseif(performQuery($student_query==1)){
echo "Student";
}else{
echo "No user found ";
}
}
performQuery 函數是
function performQuery($query){
$con = new PDO(DBINFO,DBUSER,DBPASS);
$stmt = $con->prepare($query);
if($stmt->execute()){
return true;
}else{
return false;
}
}
<?php
$con = mysqli_connect('');// taking as your connection query
$username = "whatever";//taking as user input
$password = "Password";//taking as user input
//By using direct data in SQL login query you are subject to SQL injection. Please Make sure to use prepared statements.
$admin_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'admin';";
$teacher_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'teacher';";
$student_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'student';";
// by using oop approch
if($con->query($admin_query)){
echo "Admin";
}elseif($con->query($teacher_query)){
echo "Teacher";
}elseif($con->query($student_query)){
echo "Student";
}else{
echo "No user found ";
}
// by using procedural approch
if(mysqli_query($con,$admin_query)){
echo "Admin";
}elseif(mysqli_query($con,$teacher_query)){
echo "Teacher";
}elseif(mysqli_query($con,$student_query)){
echo "Student";
}else{
echo "No user found ";
}
?>
注意:使用預處理語句避免 SQL 注入
首先,當您使用數據庫查詢時,嘗試綁定參數而不是連接到您的查詢,因為這會導致SQL 注入
現在,您的代碼聲明您將布爾值傳遞給performQuery函數而不是查詢
performQuery($admin_query==1)
將導致performQuery(false)
因為$admin_query
不等於 1。這就是您的查詢失敗的原因。
如果您在函數中打印$query ,您會發現它。
因此,您必須在參數中刪除該檢查。 代碼將是這樣的
if(performQuery($admin_query)){
echo "Admin";
}elseif(performQuery($teacher_query)){
echo "Teacher";
}elseif(performQuery($student_query)){
echo "Student";
}else{
echo "No user found ";
}
function performQuery($query){
try {
$con = new PDO(DBINFO,DBUSER,DBPASS);
$stmt = $con->prepare($query);
if($stmt->execute()){
if($stm->fetchColumn()){
return true;
}
}else{
echo 'Error -> ';
var_dump($st->errorInfo());
echo '<br/>Query -> ';
var_dump($query);
}
catch(Exception $e) {
echo 'Exception -> ';
var_dump($e->getMessage());
echo '<br/>Query -> ';
var_dump($query);
}
return false;
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.