如何用mysqli查询验证简单的php登录表单? [英] how to validate the simple php login form with the mysqli query?
本文介绍了如何用mysqli查询验证简单的php登录表单?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
这是我的php代码
<?php
$con=mysqli_connect("","","","");
if (mysqli_connect_errno()) { echo "Failed to connect to MySQL: " . mysqli_connect_error();
}\\check connection
$username = mysqli_real_escape_string($con, $_POST["username"]); $password=mysqli_real_escape_string($con$_POST["password"]); \\get the input values
if ($_SERVER["REQUEST_METHOD"] == "POST")\\check for the form method
{
session_start();\\start the session
if(!empty($_POST["username"]))
{
if(!empty($_POST["password"]))
{\\ if the username and password is not empty,then execute the query
$res=("SELECT * FROM personal WHERE username='".$username."' password='".$password."') or die(mysqli_error());\\get the row value accoring to the input username and password
if(mysqli_num_rows($res) == 1)\\to check the number of rows, if it is 1 then execute the loop
{
$row = mysqli_fetch_array($res,MYSQLI_ASSOC);
$user = $row['username'];
$pass = $row['password'];\\assign the row values to the variables
if ($password != $pass)
{
echo"Please Register your details";
} \\if not match
else{
header("Location:home.php");
}\\else goto home page
}
else{
echo"Enter the Valid Password";\\error message
}
}
else {
echo"Enter the Valid Username";\\error message
}
}
mysqli_free_result($res);
}
mysqli_close($con);\\close connection
我的html表单是
<!DOCTYPE HTML>
<html>
<head>
<title>Sign-In</title>\\title of the page
</head>
<body id="body-color">
<div id="Sign-In">
<fieldset style="width:30%"><legend>LOG-IN</legend>\\field setup
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">\\open form tag
Username: <br><input type="text" name="username" maxlength="50" value="<?php echo $username;?>"><br>\\get user name
Password: <br><input type="password" name="password" maxlength="50"value="<?php echo $password;?>"><br>get the password
<input type="submit" value="Log-In">\post the details
</form>\\close form
</fieldset>
</div>
<p>If you are not a exsiting user go to <a href="reg.php">Register</a></p>\\ link to the next page
</body>
</html>\\close html file
推荐答案
https://codereview.stackexchange.com/ 对于像这样的事情来说会更好。这是完全不清楚你究竟在问什么,因此我只是重构了你的PHP代码,并希望这可以帮助。
https://codereview.stackexchange.com/ would be a better place for stuff like this. It's absolutely unclear what you're actually asking, therefore I just refactored your PHP code and hope this might help.
<?php
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$username = filter_input(INPUT_POST, "username", FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
$password = filter_input(INPUT_POST, "password", FILTER_UNSAFE_RAW);
if ($username && $password) {
try {
$connection = new \mysqli("localhost", "root", "password", "database");
$stmt = $connection->prepare("SELECT `id`, `password` FROM `personal` WHERE `username` = ? LIMIT 1");
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->bind_result($id, $hash);
$found = $stmt->fetch();
if ($found === true && password_verify($password, $hash)) {
session_start();
}
else {
echo "We either don't know the username or the password was wrong.";
}
$stmt->close();
$connection->close();
}
catch (\mysqli_sql_exception $e) {
echo "An error ocurred while communicating with the database, please hang in there until it's fixed.";
}
}
else {
echo "Please enter a username and a password.";
}
- 使用异常而不是检查返回值每个函数和/或调用其他方法。
- 使用面向对象的代码以提高可读性。
- 使用预准备语句确保没有可能的SQL注入。
- 使用PHP内置的密码功能。 >
- 使用PHP的内置过滤器函数。
- 不要告诉客户真的出了什么问题(未知用户名和/或错误密码)。
- Use exceptions instead of checking the returned values of each function and/or calling additional methods.
- Use object oriented code for better readability.
- Use prepared statements to ensure that no SQL injection is possible.
- Use PHP's built-in password functions.
- Use PHP's built-in filter functions.
- Don't tell the client what really went wrong (unknown username and/or wrong password).
这篇关于如何用mysqli查询验证简单的php登录表单?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
