0
我超級困惑, 我的代碼輸出這樣的:PHP的:mysql設置一個登錄
貼登錄:登錄
公佈密碼:通過
數據庫登錄:登錄
數據庫通過:通過
數據庫ID:1
數據庫用戶:IDKMyName
數據庫創建者:真
數據庫管理:真
數據庫主:真
失敗
主要部分是最後一行的「失敗「,它應該說登錄去。發佈的用戶和數據庫用戶是相同的,並且發佈過程相同,所以idk。
ps。回聲只是在那裏調試不會在最終的代碼。
<?php
session_start();
$db_login = "";
$db_pass = "";
$db_id = "";
$db_user = "";
$db_creator = "";
$db_admin = "";
$db_master = "";
$servername = "localhost";
$username = "root";
$password = "";
$database = "main_db";
// Create connection
$conn = new mysqli($servername, $username, $password, $database);
$submitlogin = $_POST['user'];
$submitpass = $_POST['password'];
$query = $conn->query("SELECT * FROM main_table WHERE login = '$submitlogin' && pass = '$submitpass'", MYSQLI_USE_RESULT);
if ($query) {
while ($row = $query->fetch_array()) {
$db_login = $row['login'] . PHP_EOL;
$db_pass = $row['pass'] . PHP_EOL;
$db_id = $row['ID'] . PHP_EOL;
$db_user = $row['user'] . PHP_EOL;
$db_creator = $row['creator'] . PHP_EOL;
$db_admin = $row['admin'] . PHP_EOL;
$db_master = $row['master'] . PHP_EOL;
}
}
echo "posted login: " . $submitlogin . "<br>";
echo "posted password: " . $submitpass . "<br>";
echo "database login: " . $db_login . "<br>";
echo "database pass: " . $db_pass . "<br>";
echo "database id: " . $db_id . "<br>";
echo "database user: " . $db_user . "<br>";
echo "database creator: " . $db_creator . "<br>";
echo "database admin: " . $db_admin . "<br>";
echo "database master: " . $db_master . "<br>";
if ($submitlogin != $db_login && $submitpass != $db_pass) {
$_SESSION['ID'] = 'NULL';
$_SESSION['loggedin'] = 'False';
$_SESSION['login'] = '';
$_SESSION['pass'] = '';
$_SESSION['user'] = '';
$_SESSION['creater'] = 'False';
$_SESSION['admin'] = 'False';
$_SESSION['master'] = 'False';
echo"failed";
echo"<a href = '/wip/login/>try again</a>";
}
else {
$_SESSION['login'] = $db_login;
$_SESSION['pass'] = $db_pass;
$_SESSION['id'] = $db_id;
$_SESSION['user'] = $db_user;
$_SESSION['creator'] = $db_creator;
$_SESSION['admin'] = $db_admin;
$_SESSION['master'] = $db_master;
$_SESSION['loggedin'] = 'True';
echo "logged in";
echo "<a href='/wip/>go</a>";
}
mysqli_close($conn);
?>
[Little Bobby](http://bobby-tables.com/)說** [你有SQL風險jection attack](https://stackoverflow.com/q/60174/)**。瞭解[MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php)的[Prepared Statements](準備語句)(https://en.wikipedia.org/wiki/Prepared_statement)。即使** [轉義字符串](https://stackoverflow.com/q/5741187)**是不安全的!我推薦'PDO',我[寫了一個函數](http://paragoncds.com/grumpy/pdoquery/#function),使它非常容易**,非常乾淨**,以及更多**安全**比使用非參數化查詢。 – GrumpyCrouton
**請勿使用純文本密碼!**請使用** PHP的[內置函數](http://jayblanchard.net/proper_password_hashing_with_PHP.html)**('password_hash()'和'password_verify()')處理密碼安全。如果您使用的PHP版本低於5.5,則可以使用'password_hash()'[兼容包](https://github.com/ircmaxell/password_compat)。 **在[散列密碼](http://stackoverflow.com/q/36628418/1011527)中沒有必要**,或者在散列之前使用其他任何清理機制。這樣做會改變密碼並導致不必要的附加編碼。 – GrumpyCrouton
另外,請不要使用'root' db用戶 –