无法登录PHP/MySQL [英] Cannot login in PHP/MySQL

问题描述

我一直在修改代码，但仍然无法登录...我有一个MySQL数据库，该数据库的数据库名为"users"，表名为"Users"，其后的行为"UserNameID"，"userName" "和密码".我已经创建了一个条目来进行测试:

I've been modifying my code but I still can't log in... I have a MySQL database with a database called "users" with a table called "Users" and the following rows "UserNameID", "userName" and "password". I have created just an entry in order to test that:

+------------+----------+-----------+
| UserNameID | userName | password  |
+------------+----------+-----------+
|          1 | root     | pass      |
+------------+----------+-----------+

这是我的代码:

<!DOCTYPE html>

<?php session_start(); ?>

<html>
    <head>
        <title>File1</title>
    </head>
    <body>
    <?php

    $DB_connection = mysqli_connect("localhost","user1","user1","users") or die("ERROR. Failed to connect to MySQL." . mysqli_error($DB_connection));

    function SignIn() {
    $usr = $_POST['user'];
    $pw = $_POST['pwd'];
    if(!empty($usr)) {
        $query = mysql_query("SELECT * FROM Users where userName = '$usr' AND password = '$pw'");
        $result = mysqli_query($DB_connection,$query);
        if($result) {
            while($row = mysqli_fetch_array($result)) {
                echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE..."; }
        } else {
            echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY..."; } }
    }

    SignIn();
    mysqli_close($DB_connection);
    ?>
    </body>
</html>

当我输入错误的密码或用户名时，它会给我"SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...".但是，当我输入正确的密码和用户名时，它使我感到相同.我的代码有什么问题?

When I introduce a wrong password or username, it gives me "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...". However, it throws me the same when I put the correct password and username. What is wrong in my code?

非常感谢！

推荐答案

这里有很多问题.存在范围问题，您使用了错误的方法，这是不安全的.

There numerous issues here. There are scoping issues, you are using the wrong methods, it's unsafe.

首先，这两行:

$query = mysql_query("SELECT * FROM Users where userName = '$usr' AND password = '$pw'");
$result = mysqli_query($DB_connection,$query);

这不是查询数据库的方式.您只需要根据所使用的API调用 mysql_query或mysqli_query.在这种情况下，您正在使用MySQLi，请执行以下操作:

That's not how you query a database. You only need to call either mysql_query or mysqli_query depending on what API you are using. You are using MySQLi in this case, so do this:

$query = "SELECT * FROM Users where userName = '$usr' AND password = '$pw'";
$result = mysqli_query($DB_connection,$query);

第二，您的SignIn函数无法访问$DB_connection变量，因为它超出范围.您需要将其传递进来:

Second, your SignIn function can't access the $DB_connection variable, it's out of scope. You need to pass it in:

function SignIn($DB_connection){
}

SignIn($DB_connection);

第三，此代码非常不安全！ 从不 像这样在SQL查询中直接使用$_POST.永远不要将变量连接到SQL字符串中，而应使用准备好的语句.

Third, this code is very unsafe! Never use $_POST directly in an SQL query like that. You should never be concatenating variables into an SQL string, you should use prepared statements.

// Don't use "SELECT *", use the fields you want
$query = mysqli_prepare($DB_connection, 'SELECT user_id FROM Users where userName = ? AND password = ?');

// This sends the values separately, so SQL injection is a thing of the past
mysqli_stmt_bind_param($query, 'ss', $usr, $pw);

// Run the query
mysqli_stmt_execute($query);

// Prepared statements require to define exactly the fields you want
mysqli_stmt_bind_result($query, $user_id);

// Get the data
while(mysqli_stmt_fetch($query)){    
    echo $user_id;
}

mysqli_stmt_close($query);

最后，存储纯文本密码不是一个好习惯.使用哈希库. PHP 5.5+具有一个内置的( http://php.net/pass ).还有一个用于较小PHP版本的版本( https://github.com/ircmaxell/password_compat ).

Lastly, storing plaintext passwords is bad practice. Use a hashing library. PHP 5.5+ has one built-in (http://php.net/password). There's also a version for lesser PHP versions (https://github.com/ircmaxell/password_compat).

P.S.正如评论中指出的那样(这是一个链接)，您的session_start()位置错误.这会发送一个标头，因此它要求在它之前没有任何回声.

P.S. As pointed out in the comments (here's a link), your session_start() is in the wrong spot. That sends a header, so it requires that there be nothing echoed out before it.

<?php session_start(); ?>
<!DOCTYPE html>
<html>

确保在session_start()之前没有空格(或其他任何内容).

Make sure that there is no whitespace (or anything) before the session_start().

这篇关于无法登录PHP/MySQL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！