PHP登录错误 - 无论用户是否存在,它都会让我登录 [英] PHP login error - it always lets me login no matter if a user exists or not
问题描述
代码 - 不知道发生了什么,请帮忙:
$ accountname = $ _POST ['logname'];
$ password = $ _POST ['logpassword'];
echo'< br>';
$ logsql = mysqli_query(SELECT name FROM practice.users WHERE Name = $ accountname and Password = $ password;);
if(mysqli_num_rows($ logsql)< 0){
echo'Account doesnt exist';
}
else {
echo'Welcome'。 $ ACCOUNTNAME;
在您的代码中出现错误/错误。
让我们从顶部开始。
$ logsql = mysqli_query(SELECT Name FROM practice.users WHERE Name = $ accountname and Password = $ password;);
mysqli_query
需要一个连接参数。在使用用户输入的查询中使用 mysqli_query
也是一个很大的安全风险。 我们通过使用预处理语句。
$ stmt = $ connect-> prepare(SELECT name FROM`practise.users` WHERE Name =?AND Password =?);
if(!$ stmt){
//出错了,用类创建一个错误并相应显示
$ error = [
'msg' => '服务器无法处理您的请求',
'class'=> '任何你用于错误处理的类',
];
}
if(!$ stmt-> bind_param('ss',$ accountname,$ password)){
//出错了,创建错误类来相应地显示它
$ error = [
'msg'=> '服务器无法处理您的请求',
'class'=> '任何你用于错误处理的类',
];
if(!$ stmt-> execute()){
//出错了,用类创建一个错误并相应地显示
$ error = [
'msg'=> '服务器无法处理您的请求',
'class'=> '任何你用于错误处理的类',
];
} else {
// Query成功运行,让我们得到结果
$ stmt-> store_result();
$ rows = $ stmt-> num_rows();
}
根据您选择密码字段的事实判断,我怀疑您以纯文本格式存储密码。这是另一个安全风险。
像这样对密码进行哈希处理。
$ b password_hash( $ passwordToHash,PASSWORD_DEFAULT);
验证它们是否正确(在验证之前不要对输入的密码进行哈希处理)。
$ b
password_verify($ passwordToValidate,$ passwordHash);
现在,检查用户是否存在并让他们登录。
您正在使用< 0
这将不起作用,因为它意味着小于零。
这应该可以。
else {
// Query成功运行,让我们得到结果
$ stmt-> store_result();
$ rows = $ stmt-> num_rows();
$ b $ if($ rows> 0){
//超过0个结果,用户存在
session_start();
//为用户名设置会话变量
$ _SESSION ['username'] = $ accountname;
//将用户重定向到安全页面(可选)
标题('Location:secured-page.php');
} else {
//结果为0,用户不存在
$ error = [
'msg'=> '该用户不存在',
'class'=> '任何你用于错误处理的类',
];
语句和验证的总代码
$ stmt = $ connect-> prepare(SELECT name FROM`practise.users` WHERE Name =?AND Password =?);
if(!$ stmt){
//出错了,用类创建一个错误并相应显示
$ error = [
'msg' => '服务器无法处理您的请求',
'class'=> '任何你用于错误处理的类',
];
}
if(!$ stmt-> bind_param('ss',$ accountname,$ password)){
//出错了,创建错误类来相应地显示它
$ error = [
'msg'=> '服务器无法处理您的请求',
'class'=> '任何你用于错误处理的类',
];
if(!$ stmt-> execute()){
//出错了,用类创建一个错误并相应地显示
$ error = [
'msg'=> '服务器无法处理您的请求',
'class'=> '任何你用于错误处理的类',
];
} else {
// Query成功运行,让我们得到结果
$ stmt-> store_result();
$ rows = $ stmt-> num_rows();
$ b $ if($ rows> 0){
//超过0个结果,用户存在
session_start();
//为用户名设置会话变量
$ _SESSION ['username'] = $ accountname;
//将用户重定向到安全页面(可选)
标题('Location:secured-page.php');
} else {
//结果为0,用户不存在
$ error = [
'msg'=> '该用户不存在',
'class'=> '任何你用于错误处理的类',
];
}
}
code - not sure whats happening please help:
$accountname = $_POST['logname'];
$password = $_POST['logpassword'];
echo '<br>';
$logsql = mysqli_query("SELECT Name FROM practice.users WHERE Name = $accountname and Password = $password;");
if (mysqli_num_rows($logsql) < 0) {
echo 'Account doesnt exist';
}
else {
echo 'Welcome ' . $accountname;
}
You have quite a lot of mistakes / errors in your code.
Let's start at the top.
$logsql = mysqli_query("SELECT Name FROM practice.users WHERE Name = $accountname and Password = $password;");
mysqli_query
requires a connection parameter. Using mysqli_query
on a query with user input is also a big security risk.
Let's change that by using prepared statements.
$stmt = $connect->prepare("SELECT Name FROM `practise.users` WHERE Name = ? AND Password = ?");
if(!$stmt) {
// Something went wrong, create an error with a class to display it accordingly
$error = [
'msg' => 'The server could not process your request',
'class' => 'whatever class you use for error handling',
];
}
if(!$stmt->bind_param('ss', $accountname, $password)) {
// Something went wrong, create an error with a class to display it accordingly
$error = [
'msg' => 'The server could not process your request',
'class' => 'whatever class you use for error handling',
];
}
if(!$stmt->execute()) {
// Something went wrong, create an error with a class to display it accordingly
$error = [
'msg' => 'The server could not process your request',
'class' => 'whatever class you use for error handling',
];
} else {
// Query ran succesfully, lets get the result
$stmt->store_result();
$rows = $stmt->num_rows();
}
Judging by the fact that you're selecting the password field as well, I suspect that you're storing the passwords in plain-text. Which is another security risk.
Hash the passwords like so.
password_hash($passwordToHash, PASSWORD_DEFAULT);
And verify them like this (Don't hash the inputted password before verifying it).
password_verify($passwordToValidate, $passwordHash);
Now, check if the users exists and get them logged in.
You were using < 0
which won't work since it means less than zero.
This should work.
else {
// Query ran succesfully, lets get the result
$stmt->store_result();
$rows = $stmt->num_rows();
if($rows > 0) {
// More than 0 results, the user exists
session_start();
// Set a session variable for the username
$_SESSION['username'] = $accountname;
// Redirect the user to the secured page (optional)
header('Location: secured-page.php');
} else {
// The result is 0, the user doesn't exist
$error = [
'msg' => 'That user does not exists.',
'class' => 'whatever class you use for error handling',
];
}
}
Total code for statement and validation
$stmt = $connect->prepare("SELECT Name FROM `practise.users` WHERE Name = ? AND Password = ?");
if(!$stmt) {
// Something went wrong, create an error with a class to display it accordingly
$error = [
'msg' => 'The server could not process your request',
'class' => 'whatever class you use for error handling',
];
}
if(!$stmt->bind_param('ss', $accountname, $password)) {
// Something went wrong, create an error with a class to display it accordingly
$error = [
'msg' => 'The server could not process your request',
'class' => 'whatever class you use for error handling',
];
}
if(!$stmt->execute()) {
// Something went wrong, create an error with a class to display it accordingly
$error = [
'msg' => 'The server could not process your request',
'class' => 'whatever class you use for error handling',
];
} else {
// Query ran succesfully, lets get the result
$stmt->store_result();
$rows = $stmt->num_rows();
if($rows > 0) {
// More than 0 results, the user exists
session_start();
// Set a session variable for the username
$_SESSION['username'] = $accountname;
// Redirect the user to the secured page (optional)
header('Location: secured-page.php');
} else {
// The result is 0, the user doesn't exist
$error = [
'msg' => 'That user does not exists.',
'class' => 'whatever class you use for error handling',
];
}
}
这篇关于PHP登录错误 - 无论用户是否存在,它都会让我登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!