PHP-MySQL登录系统 [英] PHP-MySQL Login system

问题描述

这是我第一次使用PHP和MySQL创建登录系统，人们可以输入用户名和密码，而php脚本检查数据库中是否存在用户名和密码.

This is the first time I'm using PHP and MySQL to make a login system where a person can enter username and password and the php scripts checks if the username and password exists in the database.

当用户输入正确的信息时，它会显示成功登录到用户配置文件页面..."消息，这一切都很好.但是，如果用户输入了错误的信息，则应显示对不起...您输入的错误ID和密码...请重试..."消息，但页面为空白.为什么会这样?

When the user enters the correct info It displays the "SUCCESSFULLY LOGIN TO USER PROFILE PAGE..." message which is all good. But if the user enters in the wrong info, the "SORRY...YOU ENTERED WRONG ID AND PASSWORD...PLEASE RETRY..." message should appear but the page is blank. Why is that?

<?php
define('DB_HOST','localhost');
define('DB_NAME','test'); //name of database
define('DB_USER','root'); //mysql user
define('DB_PASSWORD',''); //mysql password

$con = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(mysqli_connect_error());
/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
}
$db = mysqli_select_db($con,DB_NAME) or die(mysqli_connect_error()); 

/*
$ID = $_POST['user'];
$Password = $_POST['pass'];
*/
function SignIn(mysqli $con){
    session_start(); //starting the session for user profile page
    if(!empty($_POST['user'])){ //checing the 'user' name which is from Sign-in.html, is it empty or have some text
        $query = mysqli_query($con,"SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysqli_connect_error());
        $row = mysqli_fetch_array($query) or die(mysql_error());
        if(!empty($row['userName']) AND !empty($row['pass'])){
            $_SESSION['userName'] = $row['pass'];
            echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";
        }
        else{
            echo "SORRY...YOU ENTERED WRONG ID AND PASSWORD...PLEASE RETRY...";
        }
    }
}

if(isset($_POST['submit'])){
    SignIn($con);
}
?>

推荐答案

首先，我必须声明您的代码非常容易 SQL注入 < = 一定要阅读，更不用说以强烈的纯文本格式存储密码了.

Firstly, I have to state that your code is highly prone to SQL injection <= do read that, not to mention storing passwords in plain text which is highly discouraged.

• 请勿以纯文本格式存储密码，您最终会被黑客入侵.

• Do not store passwords in plain text, you will eventually get hacked.

请咨询我有关以上所有内容的脚注，有关注入和密码存储.

Consult my footnotes about all of the above, regarding injection and password storage.

您还会将MySQL API与mysql_error()混合，而不会将它们与mysqli_函数混合在一起.它必须是mysqli_error($con).

You're also mixing MySQL APIs with mysql_error() which doesn't intermix with mysqli_ functions. It needs to be mysqli_error($con).

现在，由于以下这一行，您的代码失败了:

Now, your code is failing because of this line:

if(!empty($row['userName']) AND !empty($row['pass']))

即使一个人输入了错误或不存在的用户名和/或密码，它仍将保持TRUE，因为这些行不为空.

Even though a person enters a wrong or inexistant username and/or password, it will still remain TRUE because those rows are NOT empty.

因此，永远都无法输入脚本的else部分.

Therefore it never gets to enter the else part of your script.

要开始使用，这是您需要做的:

To get you started, here is what you need to do:

替换:

if(!empty($row['userName']) AND !empty($row['pass']))

具有:

$row = mysqli_fetch_array($query);
    $username = $row['userName'];
    $pw = $row['pass'];

if($user==$username && $pass==$pw) {
// $user and $pass are from POST
// $username and $pw are from the rows

    $_SESSION['userName'] = $row['pass'];

    echo "Successfully logged in.";
    }

else { echo "Invalid."; }

在SignIn()函数中使用以下内容:

While using the following inside the SignIn() function:

$user = mysqli_real_escape_string($con,$_POST['user']);
$pass = mysqli_real_escape_string($con,$_POST['pass']);

，然后将查询替换为:

$query = mysqli_query($con,"SELECT * FROM UserName 
        where userName = '$user' 
        AND pass = '$pass'") 
        or die(mysqli_connect_error());

---

脚注:

• 对于密码存储，请使用 CRYPT_BLOWFISH 或PHP 5.5的 password_hash() 函数.
  对于PHP< 5.5使用 password_hash() compatibility pack .

• For password storage, use CRYPT_BLOWFISH or PHP 5.5's password_hash() function.
  For PHP < 5.5 use the password_hash() compatibility pack.

此外，关于SQL注入， 在准备好的语句中使用mysqli ，或 PDO使用预先准备好的语句 ，它们更加安全.

Plus, in regards to SQL injection, use mysqli with prepared statements, or PDO with prepared statements, they're much safer.

是的，我也将代码更改为您的代码，但是现在每次登录时，即使使用正确的用户名和密码，它也会显示无效.有什么想法吗?似乎是if($ user == $ username&& $ pass == $ pw)if语句失败了.

这就是我用来测试的内容，您可以使用自己的调整和其他调整来替换数据库凭据，因为我没有使用表单，而是使用了硬编码的值.

Here's what I used to test it with, you can replace the DB credentials with your own and other adjustments, since I did not use a form, but hard-coded values.

实际上，如果输入了错误的用户名/密码，这确实会跳入else.

This did in fact jump in the else if an incorrect user/password was entered.

<?php 
$DB_HOST = 'xxx';
$DB_USER = 'xxx';
$DB_PASS = 'xxx';
$DB_NAME = 'xxx';

$con = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME) or die(mysqli_connect_error());

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
}

 function SignIn($con){

$_POST['user'] = "John";
$user = $_POST['user'];

$_POST['pass'] = "12345";
$pass = $_POST['pass'];

   // session_start(); //starting the session for user profile page
   if(isset($_POST['user'])){

$query = mysqli_query($con,"SELECT * 
        FROM UserName where userName = '$_POST[user]' 
        AND pass = '$_POST[pass]'") 
        or die(mysqli_connect_error());


$row = mysqli_fetch_array($query);
    $username = $row['userName'];
    $pw = $row['pass'];

if($user==$username && $pass==$pw) {
    echo "Successfully logged in.";
    }

else { echo "Invalid"; }


    } // brace for isset post user

} // brace for function

if(isset($_POST['submit'])){
   echo SignIn($con);
}
?>

这篇关于PHP-MySQL登录系统的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！