我正在尝试创建一个登录系统,但由于某种原因,我的代码中有一个错误,我似乎无法找出它是什么。
<?php
include "connect.php";
?>
<body>
<?php
if(isset($_POST['submit'])){
$username = $_POST['email'];
$password = $_POST['password'];
$result = mysql_query($con,"SELECT * FROM users WHERE username=$username AND password=$password");
$num = mysql_num_rows($result);
if($num == 0){
echo "Bad login, go <a href='login.php'>back</a>.";
}else{
session_start();
$_SESSION['username'] = $username;
header("Location: index.php");
}
}
?>
<div class="container">
<form action='signin.php' method='POST' class="form-signin" >
<h2 class="form-signin-heading">Please sign in</h2>
<input type="text" class="input-block-level" placeholder="Email address" name="email">
<input type="password" class="input-block-level" placeholder="Password" name="password">
<label class="checkbox">
<input type="checkbox" value="remember-me"> Remember me
</label>
<button class="btn btn-large btn-primary" type="submit" name="submit" value="Login">Sign in</button>
</form>
这些是提交时的错误:
Warning: mysql_query() expects parameter 1 to be string, object given in C:'xampp-portable'htdocs'bootstrap'signin.php on line 71
Warning: mysql_num_rows() expects parameter 1 to be resource, null given in C:'xampp-portable'htdocs'bootstrap'signin.php on line 72
Bad login, go back.
1)混淆了mysql &mysqli查询。
$result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
and
$result = mysqli_query($con,"SELECT * FROM users WHERE username='$username' AND password='$password'");
2)这个代码是非常危险的sql注入。在正式使用之前,您需要对其进行消毒。3)
for the success case, set a session id sth like that: $session_id = session_id();
reverse that:
$username=$_SESSION["username"];
and use both variables in redirection:
header ("Location: index.php?username=$username&session_id=$session_id");