這是我的登錄代碼會話沒有得到聲明
global $connection;
if (isset($_POST['user_login'])) {
$email = $_POST['email'];
$password = $_POST['password'];
$password= md5($password);
$login = mysqli_query($connection, "SELECT * FROM user WHERE email ='{$email}' AND password = '{$password}' ");
if(!$login) {
die("QUERY FAILED" . mysqli_error($connection));
}
if(!$login || mysqli_num_rows($login) == 0) {
echo "<div class='alert alert-danger' role='alert'> <strong>Your Username or Password is invalid!</strong></div>";
} else {
$_SESSION['user_id'] = $user_id;
$_SESSION['email'] = $email;
$_SESSION['username'] = $username;
header('Location: index.php');
}
}
我用的print_r函數來顯示所有的會話,但只對會話郵件是越來越聲明。爲什麼沒有聲明user_id和username?我做錯了什麼?
你是否開始會話?它看起來不像我 –
您的代碼易受[** SQL注入**](https://en.wikipedia.org/wiki/SQL_injection)攻擊的影響。你應該使用[** mysqli **](https://secure.php.net/manual/en/mysqli.prepare.php)或[** PDO **](https://secure.php.net/ manual/en/pdo.prepared-statements.php)準備帶有綁定參數的語句,如[**這篇文章**]所述(https://stackoverflow.com/questions/60174/how-can-i-prevent-sql步噴射功能於PHP)。 –
MD5不足以進行密碼散列。使用['password_hash()'](http://us3.php.net/manual/en/function.password-hash.php)和['password_verify()'](http://us3.php.net/ manual/en/function.password-verify.php)。 –