我用PHP和MySQL数据库创建了一个登录页面。一切都很好,除了当我用正确的用户名和错误的密码登录时,它仍然把我发送到登录页面,并没有让我在登录页面。
<?php
$user = $_POST['user'];
$pass = stripslashes($_POST['pass']);
$pass = mysql_real_escape_string($pass);
$pass = md5($pass);
$connect = mysql_connect("$host", "$ad_user", "$ad_pass") or die("Unable to connect to MySQL");
$db = mysql_select_db("$db", $connect) or die("Could not select examples");
$query = "SELECT * FROM members WHERE username='$user'" or die("error query");
$result = mysql_query($query);
$count = mysql_num_rows($result);
$p = mysql_fetch_array($result);
If($count == 1){
If($p['password'] == $pass){
session_start();
$_SESSION['loggedin'] = 1;
$_SESSION['username'] = $user;
header('Location: //members.polydodo.com');
}else{
header('Location: ../login.php?error');
}
}else{
header('Location: ../login.php?error');
}
mysql_close($connect);
?>
我看不出有任何错误,我已经仔细检查了密码加密等的顺序。使用错误的用户名会重定向到错误的页面,不会让我登录,但不管密码如何,它都会用正确的用户名登录我。
注:我知道MySQL和PDO,但还没有时间去研究,所以我坚持使用标准的MySQL,直到我做。
问题在下面一行
$query = "SELECT * FROM members WHERE username='$user'" or die("error query");
$result = mysql_query($query);
改为
$query = "SELECT * FROM members WHERE username='$user' LIMIT 1";
$result = mysql_query($query) or die(mysql_error());
更新:
也直接在查询中使用密码进行身份验证,如
$query = "SELECT * FROM members WHERE username='$user' AND password='$pass' LIMIT 1";
$result = mysql_query($query) or die(mysql_error());
注意: mysql_*
不推荐使用mysqli_*
或PDO
同时使用密码字段
$query = "SELECT * FROM members WHERE username='$user' AND password='$pass'" or die("error query");
$result = mysql_query($query);
$count = mysql_num_rows($result);
//$p = mysql_fetch_array($result);
if($count == 1){
session_start();
$_SESSION['loggedin'] = 1;
$_SESSION['username'] = $user;
header('Location: //members.polydodo.com');
}else{
header('Location: ../login.php?error');
}
尝试在查询中传递这两个值。你不需要在