PHP MySQL登录设置错误
PHP MySQL登录设置错误
提问于 2015-07-02 00:43:17
这对我来说真的很新鲜,我只知道最基本的东西。我正在为一个网页创建一个前端登录(显然安全并不是什么大问题,否则我不会这么做)。我一直在争论我的"where“子句,声明"user”不存在。数据库的设置如下: dbname=connectivity table=users用户有id、用户和通行证。有人想给我点建议吗?提前谢谢。
<?php
define('DB_HOST', 'localhost');
define('DB_NAME', 'connectivity');
define('DB_USER','root');
define('DB_PASSWORD','');
$con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Ya done goofed: " . mysql_error());
$db=mysql_select_db(DB_NAME,$con) or die("Ya done goofed: " . mysql_error());
function SignIn()
{
session_start();
if(!empty($_POST['user']))
{
$query = mysql_query("SELECT * FROM users where user = `$_POST[user]` AND pass = '$_POST[pass]'") or die(mysql_error());
$row = mysql_fetch_array($query) or die(mysql_error());
if(!empty($row['user']) AND !empty($row['pass']))
{
$_SESSION['user'] = $row['pass'];
echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";
}
else
{
echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...";
}
}
}
if(isset($_POST['submit']))
{
SignIn();
}
?>回答 6
Stack Overflow用户
发布于 2015-07-02 00:58:38
请停止使用mysql_*。使用mysqli_*或PDO。看一下代码:
<?php
// Force PHP to show errors
error_reporting(E_ALL); // Get all type of errors if any occur in code
ini_set('display_errors',1); // Display those errors
session_start(); // start session
define('DB_HOST', 'localhost');
define('DB_NAME', 'connectivity');
define('DB_USER','root');
define('DB_PASSWORD','');
$con = mysqli_connect(DB_HOST,DB_USER,DB_PASSWORD,DB_NAME) or die("connection not established"); Or use $con = mysqli_connect('localhost','root','','connectivity') or die("connection not established");
if(isset($_POST['submit'])){
SignIn();
}
function SignIn(){
if(!empty($_POST['user'])) {
$username = mysqli_real_escape_string($con , $_POST['user']); // prevent form SQL injection
$password = mysqli_real_escape_string($con , $_POST['pass']); // prevent form SQL injection
$query = mysqli_query($con,"SELECT * FROM users where user = '".$username."' AND pass = '".$password."'") or die(mysqli_error($con));
if(mysqli_num_rows($query) > 0){ // check count of resultset
$_SESSION['user'] = $_POST['pass'];
echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";
}else{
echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...";
}
}
}
?>Stack Overflow用户
发布于 2015-07-02 00:51:08
这里有一些问题:
SELECT * FROM users where user = `$_POST[user]` AND pass = '$_POST[pass]'引用的风格随处可见。试试这个:
SELECT * FROM `users` WHERE `user` = '$_POST[user]' AND `pass` = '$_POST[pass]'此外,如果您还没有对SQL注入进行预处理,那么应该对其进行预处理。
Stack Overflow用户
发布于 2015-07-02 00:55:45
这是正确格式化的SQL。
$query = mysql_query("SELECT * FROM `users` WHERE `user` = `'".$_POST["user"]."'` AND pass = '".$_POST["pass"]."'") or die(mysql_error());需要注意的一点是,您必须转义并验证所有全局变量。有关更多信息,我强烈建议您阅读这篇文章:How can I prevent SQL injection in PHP?
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/31167150
复制相关文章
相似问题
腾讯云开发者
