简单的PHP SQL登录故障排除 [英] Simple PHP SQL login troubleshooting
问题描述
我试图通过从数据库中检索注册的用户名/密码来创建一个非常基本的PHP登录名.这从未实现过,我知道输入验证为零.我要做的就是从登录名中的数据库中选择数据.
I am trying to create a very basic PHP login by retrieving a registered username/password from a database. This is not ever going live and I am aware there is zero input validation. All I'm trying to do is select data from a database in a login.
这是index.html上的登录表单:
Here is the login form on index.html:
<table width="250" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="checklogin.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="Username" type="text" id="Username"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="Password" type="text" id="Password"></td>
</tr>
<tr>
<td> </td>
<td> </td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
这是PHP checklogin.php:
And here is the PHP checklogin.php:
<?php
$sql_connection = mysqli_connect ("localhost:8889","root","root","derek_website_tmp");
if (mysqli_connect_errno())
{
echo "failed to connect" . mysqli_connect_error();
}
$Username=$_POST['Username'];
$Password=$_POST['Password'];
$sql = "SELECT * FROM $Members WHERE Username = '$Username' and Password = '$Password'"
$result=mysqli_query($sql);
$count = mysql_num_rows($result);
if ($count==1) {
$_SESSION['Username'] = $Username;
$_SESSION['Password'] = $Password;
header('location:login_success.php');
}
else {
echo 'Wrong Username or Password';
}
if (!mysqli_query($sql_connection))
{
die('Error : ' . mysqli_error($sql_connection));
}
mysqli_close ($sql_connection);
?>
当我尝试此操作时,我在检索checklogin.php时遇到错误 任何帮助将不胜感激.
When I try this I get an error retrieving checklogin.php Any help would be greatly appreciated.
推荐答案
首先,在开发过程中处理错误非常重要,因此我们检查是否存在帖子,检查是否连接到数据库,是否检查数据库.查询已通过且可以运行,我们检查提供给查询的参数,最后执行查询.
Firstly, handling the errors during the development is very important so we check if our post are present, we check if we connected to the database, we check if our query passed and is OK to run, we check the parameters we are giving to the query and we finally execute the query.
然后,您可以使用bind_result命名变量,以像我一样从查询中接收字段.
After that you can use bind_result to name a variable to receive the fields from your query, like I have done.
请注意,我在查询中使用的方式如何?这是我们使用bind_param定义的准备好的语句,这是为了避免SQL注入,在您当前的代码中,由于您没有清除变量,因此SQL注入仍然可行.
Notice how on my query I am using ? that is a prepared statement that we define using the bind_param this is to avoid SQL injection, in your current code, SQL Injection is still possible since you're not sanitizing your variables.
我认为您正在做的另一个错误是将密码存储为非常错误的纯文本格式,您应该始终对密码进行加密以保护用户和您自己.这就是为什么我不在MySQL查询中包含密码的原因,我只使用用户,如果找到了用户,则使用他发布的密码来匹配从数据库中检索到的密码,在这种情况下,我使用的是bcrypt做一个非常安全的加密库的任务.
Another mistake I believe you're doing is storing passwords as plain text that is VERY VERY WRONG, you should always encrypt the password to protect your users and yourself. That's why I do not include the password on my MySQL query, I first use only the user, if the user is found I then use the password he posted to match the retrieved password from the database, in this case I am using bcrypt to do the task which is a very secure encryption library.
只有在看到密码有效后,我才将数据放入会话中并重定向用户.
Only after I see that the password is valid I am then placing the data into the session and redirecting the user.
除了我在答案底部指出的所有错误之外,这是我如何编写您的代码.
<?php
session_start();
include_once('bcrypt.php');
// Your database info
$db_host = '';
$db_user = '';
$db_pass = '';
$db_name = '';
if (!isset($_POST['Username']))
{
echo 'Fill in the username...';
exit;
}
if (!isset($_POST['Password']))
{
echo 'Fill in your password...';
exit;
}
$con = new mysqli($db_host, $db_user, $db_pass, $db_name);
if ($con->connect_error)
{
die('Connect Error (' . $con->connect_errno . ') ' . $con->connect_error);
}
$sql = "SELECT Username, Password FROM `Members` WHERE Username = ?";
if (!$result = $con->prepare($sql))
{
die('Query failed: (' . $con->errno . ') ' . $con->error);
}
if (!$result->bind_param('s', $_POST['Username']))
{
die('Binding parameters failed: (' . $result->errno . ') ' . $result->error);
}
if (!$result->execute())
{
die('Execute failed: (' . $result->errno . ') ' . $result->error);
}
$result->store_result();
if ($result->num_rows == 0)
{
die('No username found...');
}
$result->bind_result($db_username, $db_password);
$result->fetch();
$result->close();
$con->close();
$bcrypt = new Bcrypt(15);
if ($bcrypt->verify($password, $db_password))
{
$_SESSION['Username'] = $db_username;
header('location:login_success.php');
exit;
}
else
{
echo 'Wrong Username or Password';
}
注意:上面的代码仅是示例,未经测试,如果您发现任何错误,请通知我.
我在您发布的代码中发现的一些错误:
Some of the errors I have noticed on the code you have posted:
您在这里缺少结尾;:
$sql = "SELECT * FROM $Members WHERE Username = '$Username' and Password = '$Password'"
在查询中还具有$Members,但是在代码中的任何地方都没有定义$Members变量,您可能是想说Members的,例如:
Also on your query you have $Members but you have no $Members variable defined anywhere in your code, did you perhaps meant to say Members instead, as in:
$sql = "SELECT * FROM `Members` WHERE Username = '$Username' and Password = '$Password'";
不是这个
$count = mysql_num_rows($result);
是
$count = mysqli_num_rows($result);
还有
$result=mysqli_query($sql);
是
$result=mysqli_query($sql_connection, $sql);
您对mysqli_query
if (!mysqli_query($sql_connection))
这篇关于简单的PHP SQL登录故障排除的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
