0
我有一個數據庫,在它有4個表,2個私人用戶和2個業務用戶。由於某種原因,當我嘗試使用商業用戶的電子郵件登錄時,它不起作用,但用戶名可以正常工作,並且在私人表格中起作用,這裏是我的代碼,如果我沒有正確解釋它,告訴我和虐待盡我所能解釋再次一個數據庫的作品,第二不
$password = $_POST['password'];
$emailuser = $_POST['unameemail'];
$password = mysqli_real_escape_string($sql , $password);
$emailuser = mysqli_real_escape_string($sql , $emailuser);
$pwcheck = "
SELECT * FROM private AS p
INNER JOIN user_private_data
AS c ON p.id = c.id
WHERE username='$emailuser' OR email='$emailuser'"; // part that works fine
$resultcheck = mysqli_query($sql , $pwcheck); // part that works fine
$rowcheck = mysqli_fetch_array($resultcheck , MYSQLI_ASSOC); // part that works fine
$hash = $rowcheck['password']; // part that works fine
$hash_pwd = password_verify($password , $hash);
if ($hash_pwd != 0) {
$_SESSION['username'] = $rowcheck['username']; // part that works fine
$_SESSION['logged'] = true; // part that works fine
header("refresh:0;url=../blablabla.php"); // part that works fine
} else {
$privateuser = "
SELECT * FROM business AS d
INNER JOIN user_business_data
AS j ON d.id = j.id
WHERE username='$emailuser' OR email='$emailuser'"; // doesn't work
$resultprivate = mysqli_query($sql , $privateuser); // doesn't work
$rowprivate = mysqli_fetch_array($resultprivate , MYSQLI_ASSOC);
$hashprivate = $rowprivate['password'];
$hash_private = password_verify($password , $hashprivate);
if ($hash_private != 0) {
$_SESSION['username'] = $rowprivate['username'];
$_SESSION['logged'] = true;
$_SESSION['business'] = $rowprivate['bname'];
$_SESSION['type'] = 'business';
}
請在解析之前,淨化你的輸入值進入您的查詢。這個腳本很容易受到SQL注入的影響。 – Akintunde007
你的腳本存在[SQL注入攻擊]的風險(http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) 看看發生了什麼事[小鮑比表](http://bobby-tables.com/)即使 [如果你是逃避投入,它不安全!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets -around-mysql-real-escape-string) 使用[prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly
這是登錄頁面而不是註冊表頁面 – moran