PHP会话和登录页面发布问题 [英] Php Session and post problems in login page
问题描述
好的,所以我们在这里得到了一些基本的HTML
< form action =main_login.phpmethod =post style =text-align:right;>
用户名:
< input type =textname =usernamevalue =size = 20 style =display:inline-block; margin-left:10pxrequired>
< br>
密码:
< input type =passwordname =passwordvalue =size = 20 style =margin-left:12pxrequired>
< br>
< input type =submitvalue =Log Instyle =margin-left:75px=>
< / form>
和2个php文件主login.php
<?php
session_start();
$ con = mysqli_connect(localhost,root,,complaints);
if(!$ con){
die('Could not connect:'。mysql_error());
}
$ myusername = $ _ POST [username];
$ mypassword = $ _ POST [password];
echo $ myusername。 <峰; br> 中;
echo $ mypassword。 <峰; br> 中;
// MySQL注入
$ myusername = stripslashes($ myusername);
$ mypassword = stripslashes($ mypassword);
$ myusername = mysql_real_escape_string($ myusername);
$ mypassword = mysql_real_escape_string($ mypassword);
$ sql =SELECT * FROM register WHERE username ='$ myusername'and password ='$ mypassword';
$ result = mysqli_query($ con,$ sql);
// Mysql_num_row正在计数表行
$ count = mysqli_num_rows($ result);
//如果结果匹配$ myusername和$ mypassword,则表格行必须为1行
if($ count == 1){
//注册$ myusername,$ mypassword并重定向到文件login_success.php
$ _SESSION ['username'] = $ myusername;
$ _SESSION ['password'] = $ mypassword;
header(location:login_success.php);
}
else {
echo错误的用户名或密码;
}
mysqli_close($ con);
?>
如果登录成功将其重定向到此处login.php
<?php
session_start();
if(isset($ _SESSION ['username'])){
header(location:main_login.php);
}
?>
< html>
< body>
登录成功
< / body>
< / html>
好的,所以,即时通讯新的php和不了解会话。首先我使用session_register和session_is_registered,但因为我发现这些功能不再使用。所以我转换到会议,但我的问题不断出现在这里
$ myusername = $ _ POST [username];
$ mypassword = $ _ POST [password];
我无法使用$ _POST从表单中获取数据。另外我不知道我是否正确放置会话功能。
编辑:html中的用户名和密码名称与php中使用的名称相同,我只是在这里输入错误。
编辑:html中的用户名和密码名称与php中使用的名称相同,我只是在这里输入错误。
编辑:好吧,您在表单字段中输入了错字。您仍然在混合MySQL API,使用 mysql_real_escape_string()来查看下面关于混合函数的更多内容。
<罢工>
看看 name =myusername和您的POST分配,以及您的密码。
更改 name =myusername
name =username 和 name =mypassword 至 name =密码
$ b
$ myusername = $ _ POST [username];
$ mypassword = $ _ POST [password];
使用 错误报告 ,会显示一个未定义的索引并且头部已经发送警告;见下文。
您在<?php 之前也有空格,在标题之前。删除它们。
另外,您将MySQL API与 mysql_error()混合。 mysql_error()应该读作 mysqli_error($ con)和下面的内容:
$ myusername = mysql_real_escape_string($ myusername);
$ mypassword = mysql_real_escape_string($ mypassword);
应该读作
$ myusername = mysqli_real_escape_string($ con,$ myusername);
$ mypassword = mysqli_real_escape_string($ con,$ mypassword);
或
$ myusername = mysqli_real_escape_string($ con,$ _ POST ['username']);
$ mypassword = mysqli_real_escape_string($ con,$ _ POST ['password']);
-
mysqli _$ b
关于安全性
我注意到您可能以纯文本格式存储密码。如果是这种情况,我们非常沮丧。
我建议您使用 CRYPT_BLOWFISH 或PHP 5.5's
password_hash()函数。对于PHP< 5.5使用password_hash()兼容包。
另外,关于SQL注入, 使用
mysqli与准备好的语句 或 包含准备语句的PDO ,更安全。
脚注
最好添加
exit;
header(location:login_success.php);
出口;
以及所有标题。
编辑:
删除
$名为myUsername = $ _ POST [ 用户名];
$ mypassword = $ _ POST [password];
echo $ myusername。 <峰; br> 中;
echo $ mypassword。 <峰; br> 中;
然后将其替换为:
$ myusername = stripslashes($ _ POST [username]);
$ mypassword = stripslashes($ _ POST [password]);
$ myusername = mysqli_real_escape_string($ con,$ _ POST ['username']);
$ mypassword = mysqli_real_escape_string($ con,$ _ POST ['password']);
编辑#2 :
这是我测试代码的过程,并取得了成功,因此我不知道你现在的代码有什么问题。
HTML FORM
< form action =main_login.phpmethod =poststyle = 文本对齐:右; >
用户名:
< input type =textname =usernamevalue =size = 20 style =display:inline-block; margin-left:10pxrequired>
< br>
密码:
< input type =textname =passwordvalue =size = 20 style =margin-left:12pxrequired>
< br>
< input type =submitvalue =Log Instyle =margin-left:75px=>
< / form>
MySQL
<?php
$ DB_HOST ='xxx';
$ DB_USER ='xxx';
$ DB_PASS ='xxx';
$ DB_NAME ='xxx';
$ conn = new mysqli($ DB_HOST,$ DB_USER,$ DB_PASS,$ DB_NAME);
if($ conn-> connect_errno> 0){
die('Connection failed ['。$ conn-> connect_error。']');
}
$ myusername = stripslashes($ _ POST [username]);
$ mypassword = stripslashes($ _ POST [password]);
$ myusername = mysqli_real_escape_string($ conn,$ _ POST ['username']);
$ mypassword = mysqli_real_escape_string($ conn,$ _ POST ['password']);
echo $ myusername; //回声
回声< br>;
echo $ mypassword; // echo
$ sql =SELECT * FROM register WHERE username ='$ myusername'and password ='$ mypassword';
$ result = mysqli_query($ conn,$ sql);
$ count = mysqli_num_rows($ result);
if($ count == 1){
echoYep;
}
else {
echonope;
注意:您也应该清除会话( 销毁会话 ),那里可以请在服务器上缓存旧用户名和密码。
还要确保列中没有空格,类型正确,长度足以容纳数据。通常
VARCHAR(255)绰绰有余,但在使用由password_hash()生成的散列口令时,功能,你应该在存储密码时使用。
在堆栈上。
Ok, so we got some basic HTML here
<form action="main_login.php" method="post" style="text-align:right;">
Username:
<input type="text" name="username" value="" size=20 style="display:inline-block;margin-left:10px"required>
<br>
Password:
<input type="password" name="password" value="" size=20 style="margin-left:12px"required>
<br>
<input type="submit" value="Log In" style="margin-left:75px"=>
</form>
And 2 php files the main login.php
<?php
session_start();
$con = mysqli_connect("localhost", "root", "", "complaints");
if (!$con) {
die('Could not connect: ' . mysql_error());
}
$myusername=$_POST["username"];
$mypassword=$_POST["password"];
echo $myusername . "<br>";
echo $mypassword . "<br>";
// MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM register WHERE username='$myusername' and password='$mypassword'";
$result=mysqli_query($con,$sql);
// Mysql_num_row is counting table row
$count=mysqli_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['username']=$myusername;
$_SESSION['password']=$mypassword;
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
mysqli_close($con);
?>
If login succeeds its redirecting here login.php
<?php
session_start();
if ( isset( $_SESSION['username'] ) ){
header("location:main_login.php");
}
?>
<html>
<body>
Login Successful
</body>
</html>
Ok, so, im new in php and dont know much about sessions. First i used session_register and session_is_registered but as i found out these functions are not used anymore. so i converted to sessions but my problem keeps appearing here
$myusername=$_POST["username"];
$mypassword=$_POST["password"];
I cant use the $_POST to get the data from the form. Also i dont know if i have placed correctly the session functions.
Edit: Username and password names in html are the same which are used in php, i just misstyped here.
Edit: Username and password names in html are the same which are used in php, i just misstyped here.
Edit: Ok, so you've made a typo in the form fields. You're still mixing MySQL APIs, see further down below about the mixing function using mysql_real_escape_string().
Look at name="myusername" and your POST assignment, along with the one for your password.
They don't match.
Change name="myusername" to name="username"
and name="mypassword" to name="password"
as per
$myusername=$_POST["username"];
$mypassword=$_POST["password"];
Having used error reporting, would have signaled an undefined index and an headers already sent warning; see below.
You also have spaces before <?php which would cause an output before header. Remove them.
Plus, you're mixing MySQL APIs with mysql_error(). mysql_error() should read as mysqli_error($con) and this below:
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
which should read as
$myusername = mysqli_real_escape_string($con,$myusername);
$mypassword = mysqli_real_escape_string($con,$mypassword);
or
$myusername = mysqli_real_escape_string($con,$_POST['username']);
$mypassword = mysqli_real_escape_string($con,$_POST['password']);
mysqli_andmysql_functions do not intermix together.
Regarding security
I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.
I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.
Plus, in regards to SQL injection, use mysqli with prepared statements, or PDO with prepared statements, they're much safer.
Footnotes
It is best to add exit; after each header.
header("location:login_success.php");
exit;
and for all headers.
Edit:
Remove
$myusername=$_POST["username"];
$mypassword=$_POST["password"];
echo $myusername . "<br>";
echo $mypassword . "<br>";
then replace it with:
$myusername = stripslashes($_POST["username"]);
$mypassword = stripslashes($_POST["password"]);
$myusername = mysqli_real_escape_string($con,$_POST['username']);
$mypassword = mysqli_real_escape_string($con,$_POST['password']);
Edit #2:
This is what I tested your code with, and got success, therefore I don't know what is wrong with your present code.
HTML FORM
<form action="main_login.php" method="post" style="text-align:right;">
Username:
<input type="text" name="username" value="" size=20 style="display:inline-block;margin-left:10px"required>
<br>
Password:
<input type="text" name="password" value="" size=20 style="margin-left:12px"required>
<br>
<input type="submit" value="Log In" style="margin-left:75px"=>
</form>
MySQL
<?php
$DB_HOST = 'xxx';
$DB_USER = 'xxx';
$DB_PASS = 'xxx';
$DB_NAME = 'xxx';
$conn = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
if($conn->connect_errno > 0) {
die('Connection failed [' . $conn->connect_error . ']');
}
$myusername = stripslashes($_POST["username"]);
$mypassword = stripslashes($_POST["password"]);
$myusername = mysqli_real_escape_string($conn,$_POST['username']);
$mypassword = mysqli_real_escape_string($conn,$_POST['password']);
echo $myusername; // echos
echo "<br>";
echo $mypassword; // echos
$sql="SELECT * FROM register WHERE username='$myusername' and password='$mypassword'";
$result=mysqli_query($conn,$sql);
$count=mysqli_num_rows($result);
if($count==1){
echo "Yep";
}
else{
echo "nope";
}
N.B.: You should also clear out your sessions (destroy sessions), there could be something on the server caching old usernames and passwords.
Also make sure there are no spaces in your columns, that the types are correct and the lengths are long enough to hold the data. Usually VARCHAR(255) is more than enough, but is suggested when using hashed passwords generated by password_hash(), a function which you should be using when storing passwords.
See also:
on Stack.
这篇关于PHP会话和登录页面发布问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
