-1
我正在研究一個php腳本,用於檢查已登錄的用戶,包括確保他們輸入了電子郵件地址和密碼,連接到sql並檢查數據,註冊會話和更新登錄時間。正確的錯誤報告爲
腳本不起作用,當用戶完成表單並被導向到這個頁面時,它會在ELSE語句後面的底部出現錯誤信息。它不會更新sql中的'last_login'。
我想知道如何開始解決這個腳本,我可以在哪裏放置錯誤處理?
session_start();
include 'dbconuser.php';
//post var
$email_address = $_POST['email_address'];
$password = $_POST['password'];
//check both fields completed
if((!$email_address) || (!$password))
{
echo "Please enter ALL of the information!<br/>";
include 'login.htm';
exit();
}
$password = md5($password);
//connect and check data
$sql = mysqli_query($connection, "SELECT * FROM users WHERE email_address='$email_address' AND password='$password' AND activated='1'");
$login_check = mysqli_num_rows($sql);
if($login_check > 0)
{
while($row = mysqli_fetch_array($sql))
{
foreach($row AS $key => $val)
{
$key = stripslashes($val);
}
// register session
$_SESSION['first_name'] = $first_name;
$_SESSION['last_name'] = $last_name;
$_SESSION['email_address'] = $email_address;
$_SESSION['user_level'] = $user_level;
mysqli_query($connection, "UPDATE users SET last_login=now() WHERE userid='$userid'");
header("Location: index.php");
}
}
//error
else
{
include 'login_error.htm';
echo "You could not be logged in! Either the email_address and password do not match or you have not validated your membership!<br />
Please try again!<br />";
}
mix mysql和mysqli? – 2014-10-07 13:37:21
您有'mysqli _ *()'和不贊成的'mysql _ *()'函數調用的無效組合。回顧[我怎樣才能防止PHP中的SQL注入](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)並開始將所有這些轉換爲MySQLi。使用鏈接問題中的示例和MySQLi ['prepare()/ execute()'](http://php.net/manual/en/mysqli.prepare.php)文檔,現在是開始學習的時候了使用準備好的語句來糾正你的SQL注入漏洞。 – 2014-10-07 13:42:52
我不是一個SQL注入所以林不知道,但有人可能只是發佈的東西,其中email_address是像'OR userid = 1; - – OIS 2014-10-07 13:47:11