1. 首頁
  2. 問答
  3. 使用mySQL和PHP登錄問題

使用mySQL和PHP登錄問題

2014-11-22 125 views
1

我試圖讓數據庫用戶登錄時,如果他們的憑據存在,問題是,每當我在登錄屏幕中輸入詳細信息時,它總是會返回Invalid Login Credentials,不管名稱/密碼是否在數據庫中。使用mySQL和PHP登錄問題

這裏是我的工作:

loginSubmit.php

<?php 

//begin our session 
session_start(); 

//Check the username and password have been submitted 
if(!isset($_POST['Username'], $_POST['Password'])) 
{ 
    $message = 'Please enter a valid username and password'; 
} 

else 
{ 
    //Enter the valid data into the database 
    $username = filter_var($_POST['Username'], FILTER_SANITIZE_STRING); 
    $password = filter_var($_POST['Password'], FILTER_SANITIZE_STRING); 

    //Encrypt the password 
    $password = sha1($password); 

    //Connect to the database 
    $SQLusername = "root"; 
    $SQLpassword = ""; 
    $SQLhostname = "localhost"; 
    $databaseName = "jfitness"; 

    try 
    { 
     //connection to the database 
     $dbhandle = mysql_connect($SQLhostname, $SQLusername, $SQLpassword) 
      or die("Unable to connect to MySQL"); 
     echo "Connected to MySQL<br>"; 

     //select a database to work with 
     $selected = mysql_select_db($databaseName, $dbhandle) 
       or die("Could not select database"); 

     $query = "SELECT * FROM 
       customers WHERE name = 
       ('$_POST[Username]' AND password = '$_POST[Password]')"; 

     $result = mysql_query($query) or die(mysql_error()); 
     $count = mysql_num_rows($result); 

     if($count == 1) 
     { 
      $_SESSION['username'] = $username; 
     } 
     else 
     { 
      echo "Invalid Login Credentials"; 
     } 

     if(isset($_SESSION['username'])) 
     { 
      $username = $_SESSION['username']; 
      echo "Hello " . $username; 
     } 

    } 
    catch(Exception $e) 
    { 

     $message = 'We are unable to process your request. Please try again later"'; 
    } 


} 
?> 
<html> 
<head> 
<title>Login</title> 
</head> 
<body> 
</body> 
</html>

的login.php

<html> 
    <head> 
     <title>Login</title> 
    </head> 
    <body> 
     <h2>Login Here</h2> 
     <form action="loginSubmit.php" method="post"> 
      <fieldset> 
       <p> <label for="Username">Username</label> 
        <input type="text" id="Username" name="Username" value="" maxlength="20" /> 
       </p> 
       <p> 
        <label for="Password">Password</label> 
        <input type="text" id="Password" name="Password" value="" maxlength="20" /> 
       </p> 
       <p> 
        <input type="submit" value="Login" /> 
       </p> 
      </fieldset> 
     </form> 
    </body> 
</html>

ADDUSER

//Enter the valid data into the database 
    $username = filter_var($_POST['Username'], FILTER_SANITIZE_STRING); 
    $password = filter_var($_POST['Password'], FILTER_SANITIZE_STRING); 

    //Encrypt the password 
    $password = sha1($password); 

    //Connect to the database 
    $SQLusername = "root"; 
    $SQLpassword = ""; 
    $SQLhostname = "localhost"; 
    $databaseName = "jfitness"; 

    try 
    { 
     //connection to the database 
     $dbhandle = mysql_connect($SQLhostname, $SQLusername, $SQLpassword) 
      or die("Unable to connect to MySQL"); 
     echo "Connected to MySQL<br>"; 

     //select a database to work with 
     $selected = mysql_select_db($databaseName, $dbhandle) 
       or die("Could not select database"); 

     $sql = "INSERT INTO 
       customers (name, password) 
       VALUES 
       ('$_POST[Username]','$_POST[Password]')"; 

     if(!mysql_query($sql, $dbhandle)) 
     { 
      die('Error: ' . mysql_error()); 
     } 

     //Unset the form token session variable 
     unset($_SESSION['formToken']); 

     echo "1 record added"; 

     //close the connection 
     mysql_close($dbhandle); 

    } 
    catch (Exception $ex) 
    { 
     if($ex->getCode() == 23000) 
     { 
      $message = 'Username already exists'; 
     } 
     else 
     { 
      $message = 'We are unable to process your request. Please try again later"'; 
     }

來源

2014-11-22 user2757842

+0

密碼被保存爲'sha1'開頭? – 2014-11-22 23:25:31

+0

嗨Fred -ii,請你稍微詳細一點,我正在跟隨一篇教程,因爲我是新來的PHP – user2757842 2014-11-22 23:32:27

+0

如果密碼沒有使用'sha1'保存在數據庫中,那麼你將無法登錄。 – 2014-11-22 23:34:39

回答

4

可能是因爲這個原因,你有括號的方式。
- 請參閱下面有關使用預準備語句和password_hash()的筆記。

SELECT * FROM customers 
WHERE name = ('$_POST[Username]' 
AND password = '$_POST[Password]')

將其更改爲:

SELECT * FROM customers 
WHERE name = '$username' 
AND password = '$password'

,並用於測試目的,嘗試刪除

$password = filter_var($_POST['Password'], FILTER_SANITIZE_STRING);

,可能會影響/拒絕字符。確保沒有空白區域。

也在發生變化if($count == 1)if($count > 0)

if(mysql_num_rows($result) > 0){

您的密碼不被散列
測試你的adduser的代碼後更換$count = mysql_num_rows($result); if($count == 1) {,我注意到的是,您的哈希密碼不被存儲作爲一個散列。

將您的Adduser頁面中的('$_POST[Username]','$_POST[Password]')更改爲('$username','$password')

我建議你搬到mysqli with prepared statementsPDO with prepared statements,他們更安全

就目前而言,您現在的代碼可以使用SQL injection

這是一個很好的網站使用PDO與準備好的語句和password_hash()

參見:

CRYPT_BLOWFISH或PHP 5.5的password_hash()功能。
對於PHP < 5.5使用password_hash() compatibility pack

來源

2014-11-23 00:55:15

0

試試這個隊友

$query = "select * from customer where name = '" .$username ."' and password = '" .$password ."'";   
//use the SANITIZED data  

    $result = mysql_query($query);     
    $row = mysql_fetch_assoc($result);       
if($row) {      
       $_SESSION['name'] = $row['name'];        
       $_SESSION['password'] = $row['password'];         


    }     
else { //not found      
header('Location: go back.php?error=2');       
     } 

    echo "Hello " . $username;

來源

2014-11-22 23:41:15

+0

不幸的是:/謝謝 – user2757842 2014-11-23 00:04:50

相關問題

 相關問題