我在这里有这行代码。
java代码:
btnLogin.setOnClickListener(new View.OnClickListener() {
@Override
$public void onClick(View v) {
ArrayList<NameValuePair> postParameters = new ArrayList<NameValuePair>();
postParameters.add(new BasicNameValuePair("username", txtUsername.getText().toString()));
postParameters.add(new BasicNameValuePair("password", txtPassword.getText().toString()));
//String valid = "1";
String response = null;
try {
response = CustomHttpClient.executeHttpPost("http://www.sampleweb.com/imba.php", postParameters);
String res=response.toString();
// res = res.trim();
res= res.replaceAll("''s+","");
//error.setText(res);
if(res.equals("1")){
txtError.setText("Correct Username or Password");
//Intent i = new Intent(CDroidMonitoringActivity.this, MenuClass.class);
//startActivity(i);
}
else {
txtError.setText("Sorry!! Incorrect Username or Password");
}
} catch (Exception e) {
txtUsername.setText(e.toString());
}
}
});
}
<?php
$un=$_POST['username'];
$pw=$_POST['password'];
$user = ‘bduser’;
$pswd = ‘dbpwd’;
$db = ‘phplogin’;
$conn = mysql_connect("localhost","root","");
mysql_select_db($db, $conn);
$query = mysql_query("SELECT * FROM user WHERE username = '$un' AND password = '$pw'");
$result = mysql_query($query) or die("Unable to verify user because : " . mysql_error());
if(mysql_num_rows($result) == 1)
echo 1; // for correct login response
else
echo 0; // for incorrect login response
?>
我对这个代码有一个问题。在我的android代码,当我试图改变res.equals包含。它总是说正确的密码,但如果我不更改它,它会说不正确的密码。我不知道有什么错误在我的java代码或在我的php代码。真的需要帮助。
看起来错误在PHP代码中
更改以下行:-
:
$query = mysql_query("SELECT * FROM user WHERE username = '$un' AND password = '$pw'");
:
$query = "SELECT * FROM user WHERE username = '$un' AND password = '$pw'";
你还应该考虑做一些改变来防止SQL注入:-
$query = sprintf("SELECT * FROM user WHERE username =
WHERE username='%s' AND password='%s'",
mysql_real_escape_string($un),
mysql_real_escape_string($pw));
在代码中你正在做mysql_query(mysql_query())我相信。
第一次尝试:
txtError.setText(res);
顺便说一下:SQL注入。如果输入密码:
' UNION SELECT * FROM user WHERE username='admin
将PHP更改为'select count(*)'并检查结果的实际数值。这样,您就不会尝试与可能的NULL进行比较,这会导致行计数。
还要单独检查您的PHP,以确保您从ECHO获得正确的响应。
请注意,你的android代码将阻塞,直到它得到一个结果。你应该在一个线程中重新编码它。否则,如果SQL太慢,设备将抛出'non - responsive'并退出。
EDIT:添加一些代码-稍微不同的是,它检查是否设置了一个特定的值,而不是是否返回了任何东西。同样的想法,多几行代码。
/** Authenticate a login.
*
* @param string $Username
* @param string $Password
* @return int
*/
function login( $Username, $Password )
{
Logger::DEBUG( "Login attempt by '" . $Username . "'");
try
{
$conn = DBConnection::_getConsole2DB();
$query = "select LoginId, UserId, RoleId, ProjectMask, RestrictionMask from Users where LoginId = ? and Password = ? and Active = 1";
$st = $conn->prepare( $query );
$st->bindParam( 1, $Username );
$st->bindParam( 2, $Password );
$st->execute();
$row = $st->fetch( PDO::FETCH_ASSOC );
if( !isset( $row[ 'UserId' ])) return 0;
$this->userId = $row[ 'UserId' ];
$this->roleId = $row[ 'RoleId' ];
$this->projectMask = $row[ 'ProjectMask' ];
$this->restrictionMask = $row[ 'RestrictionMask' ];
$_SESSION[ 'userId' ] = $this->userId;
$_SESSION[ 'roleId' ] = $this->roleId;
$_SESSION[ 'projectMask' ] = $this->projectMask;
$_SESSION[ 'restrictionMask' ] = $this->restrictionMask;
$_SESSION[ 'loginId' ] = $row[ 'LoginId' ];
}
catch( PDOException $e )
{
Logger::PDO_ERROR( $e );
return -1; // error
}
return 1;
}
这使用了PDO,所以与你所尝试的有一些小的语法差异。