1. 首頁
  2. 問答
  3. 爲什麼錯誤,當用戶登錄時不顯示不正確

爲什麼錯誤,當用戶登錄時不顯示不正確

2013-03-29 32 views
0

我有以下代碼:爲什麼錯誤,當用戶登錄時不顯示不正確

session_start(); 
include 'core/init.php'; 

$username = ''; 
$password = ''; 
$dbusername = ''; 
$dbpassword = ''; 
if (isset($_POST['Email']) && isset($_POST['Password'])) 
{ 
    $username = $_POST['Email']; 
    $password = md5($_POST['Password']); 

    $query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'"); 

    $numrow = mysql_num_rows ($query); 
    // user login 
    if ($numrow!=0) 
    { 
     while ($row = mysql_fetch_assoc($query)) 
     { 
      $dbusername = $row['Email']; 
      $dbpassword = $row['Password']; 
     } 

     //Check to see if they match 
     if ($username==$dbusername&&$password==$dbpassword) 
     { 
      $_SESSION ['Email']=$username; 
      header('Location: member.php?username='.$username); 
     } 
    } 
    else 
    { 
     // admin login 
     $query2 = mysql_query("SELECT * FROM admin WHERE Email ='$username' AND Password ='$password'"); 
     $numrow2 = mysql_num_rows ($query2); 
     if ($numrow2!=0) 
     { 
      while ($row = mysql_fetch_assoc($query2)) 
      { 
       $dbusername = $row['Email']; 
       $dbpassword = $row['Password']; 
      } 

      //Check to see if they match 
      if ($username==$dbusername&&$password==$dbpassword) 
      { 
       $_SESSION ['Email']=$username; 
       header("Location: admin.php"); 
      }else{ 
       if (empty ($username) === true|| empty($password) === true) { 
        echo "Please enter a username and password"; 
       } else if ($username!=$dbusername){ 
        echo "That user does not exist! Have you registered?"; 
       } else if ($username=$dbusername&&$password!=$dbpassword) { 
        echo "Incorrect password"; 
       } 
      } 
     } 
    } 
}

但是,如果不正確用戶登錄,沒有任何錯誤信息都顯示,只是一個空白頁面,我認爲它我的花括號,但無論我改變他們多少次,我要麼讓事情變得更糟,要麼什麼也不做。任何人都可以告訴我我做錯了什麼?

來源

2013-03-29 Lairds

+0

您是否嘗試過讓使用error_reporting?如何使用IDE和正確的縮進? – mario

+1

相關閱讀:[PHP SQL注入(http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php) – jbabey

+0

謝謝@jonhopkins用於清潔陷入困境。 – Pitchinnate

回答

0

您的select語句已經確保提供的用戶名和密碼與數據庫中的內容匹配。沒有必要在PHP中進行第二次比較。您的代碼可能僅僅是以下幾點:

if (isset($_POST['Email']) && isset($_POST['Password'])) 
{ 
    $username = $_POST['Email']; 
    $password = md5($_POST['Password']); 

    $query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'"); 

    if(mysql_num_rows($query) == 1) 
    { 
     $_SESSION['Email'] = $username; 
     header('location: member.php?username='.$username); 
    } 
    else 
    { 
     // try admin login 
     $query2 = mysql_query("SELECT * FROM admin WHERE Email ='$username' AND Password ='$password'"); 
     if(mysql_num_rows($query2) == 1) 
     { 
      $_SESSION['Email'] = $username; 
      header("location: admin.php"); 
     } 
     else 
     { 
      echo "Failed Login Attempt"; 
     } 
    } 
}

由於您的查詢只返回記錄,其中的用戶名和密碼匹配,有你永遠不會得到一個結果放回原處的用戶名匹配,但密碼不沒辦法,所以您的管理員登錄結束附近的條件檢查不會發生。

作爲一個側面說明,這將是不好的形式來通知用戶名是正確的,但密碼是不是,或者反之亦然用戶。這是一個安全問題,可以讓惡意用戶更容易獲得訪問權限。這點除了要點之外,所以請只將這個建議作爲個人建議,而不是針對你的問題。

來源

2013-03-29 14:23:06

+0

非常感謝。很好的解釋,現在我明白了很多! – Lairds

2

退房:

if (empty ($username) === true|| empty($password) === true) { 
       echo "Please enter a username and password"; 
        } else if ($username!=$dbusername){ 
         echo "That user does not exist! Have you registered?"; 
        } else if ($username=$dbusername&&$password!=$dbpassword) { 
          echo "Incorrect password"; 
        } 

      }

本節包括登錄錯誤的「管理員登錄」部分中被發現,當非管理員用戶登錄失敗看出因此任何錯誤。

來源

2013-03-29 14:00:58

0 
$query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'"); 

    if(mysql_num_rows($query) == 0){ 
    echo 'You have entered wrong username/password'; }else { 

     // you can continue with your query below.

來源

2013-03-29 14:08:50

相關問題

 相關問題