1. 首頁
  2. 問答
  3. SQL代碼

SQL代碼

2014-04-28 24 views
0

我想寫一個代碼來檢查用戶的用戶名和密碼登錄,但它只是說,成功登錄我每次運行它:SQL代碼

<?PHP 
$conn=mysql_connect('localhost','root'); 
if (!$conn) 
    die("couldn't connect" . mysql.error()); 
mysql_select_db('swimsafe'); 
if(isset($_POST['chkdbforpass'])); 
{ 
    $email=$_POST['chkdbforemail']; 
    $pass=$_POST['chkdbforpass']; 
    $sql='SELECT * FROM users WHERE Emailaddress="$email" AND password="$pass" '; 
    $result=mysql_query($sql,$conn); 
    if(!$result) 
     die("couldn't do the query" . mysql_error()); 
    echo("logged in successfully!"); 
    setcookie('username',$email); 
} 
mysql_close(); 
?>

是否足夠還是我必須給你更多的信息?

來源

2014-04-28 KiaN

+0

加入錯誤處理,如果用戶名不存在於系統中。 –

+0

你的代碼對於SQL注入非常脆弱。 'POST login.php?chkdbforemail ='OR用戶名='管理員'--'會讓我用不知道密碼的用戶名爲「Admin」的用戶登錄。 – h2ooooooo

+0

這不是問題 即使我進入該頁面,它也會迴應「登錄成功!」甚至沒有輸入和提交數據 – KiaN

回答

2

mysql_*是安全的棄用。請使用PDOMySQLi

這是一個使用的mysqli檢查登錄的OOP方式(它負責SQL注入預防的同時):

<?php 

// Connect 
$mysqli = new mysqli("localhost", "my_user", "my_password", "my_database"); 
if (mysqli_connect_errno()) { 
    printf("Connect failed: %s\n", mysqli_connect_error()); 
    exit(); 
} 

// Create a Prepared Statement 
if ($stmt = $mysqli->prepare("SELECT COUNT(*) AS userExists FROM users WHERE Emailaddress = ? AND password = ?")) 
{ 
    // Bind Params - SQL Injection Prevention 
    $stmt->bind_param("ss", 
     isset($_POST['chkdbforemail']) ? $_POST['chkdbforemail'] : '', 
     isset($_POST['chkdbforpass']) ? $_POST['chkdbforpass'] : ''); 

    // Execute Statement 
    $stmt->execute(); 

    // Get Result Row 
    $result = $stmt->get_result(); 
    $row = $result->fetch_assoc(); 

    // Check Login 
    if (isset($row['userExists']) && (int)$row['userExists'] >= 1) 
    { 
     // Login Success 
     echo "Login Correct - Set cookie"; 
    } 
    else 
    { 
     // Login Error 
     echo "Email Address and/or Password is incorrect."; 
    } 

    // Close Statement 
    $stmt->close(); 
} 

// Close Connection 
$mysqli->close(); 

?>

來源

2014-04-28 14:22:50 Latheesan

0

我想猜你陳述是罪魁禍首後​​3210。

if(isset($_POST['chkdbforpass']));

應該是:

if(isset($_POST['chkdbforpass'])) // no ;

PHP是因爲您正在使用過時的MySQL的功能反正試試這個訓釋它是這樣

if($ANYTHING_EVER); // the semicolon 
{ 
    // will always get here 
}

來源

2014-04-28 14:19:52 lagbox

0

,並告訴我,如果它工作或沒有。

<?PHP 
mysql_connect('localhost','root'); 

mysql_select_db('swimsafe'); 

if(isset($_POST['chkdbforpass'])) 
{ 
    $email=$_POST['chkdbforemail']; 
    $pass=$_POST['chkdbforpass']; 
    $sql='SELECT * FROM users WHERE Emailaddress="$email" AND password="$pass" ;'; 
    $result=mysql_query($sql) or die(mysql_error()); 
    if(!$result) 
     die("couldn't do the query" . mysql_error()); 
    echo("logged in successfully!"); 
    setcookie('username',$email); 
} 
mysql_close(); 
?>

來源

2014-04-28 14:21:11 random21

0

我建議你查找PDO的登錄系統,創建一個系統多一點從上面在下面的例子中,假設您已連接到數據庫

//check for empty username 
    if (!isset($_POST['login']) OR empty($_POST['login'])) { 
     $_SESSION["feedback_negative"][] = appFeedbackmsg_EmptyUsername; 
     return false; 
    } 
    //check for empty password 
    if (!isset($_POST['password']) OR empty($_POST['password'])) { 
     $_SESSION["feedback_negative"][] = appFeedbackmsg_EmptyPassword; 
     return false; 
    } 
$sth = $this->db->prepare("SELECT id, role FROM users WHERE 
      login = :login AND password = MD5(:password)"); 
    $sth->execute(array(
     ':login' => $_POST['login'], 
     ':password' => $_POST['password'] 
    )); 

    $data = $sth->fetch(); 

    $count = $sth->rowCount(); 
    if ($count > 0) { 
     // login 
     Session::init(); 
     Session::set('role', $data['role']); 
     Session::set('loggedIn', true); 
     header('location: ../dashboard'); 
    } else { 
     header('location: ../login'); 
    }

來源

2014-04-28 14:21:41

相關問題

 相關問題