简单问题:尝试创建一个php登录表单。我的数据库连接成功。我目前在mySQL中有1表行。那么为什么我的$numrow变量返回0/为什么我的用户名在我的数据库中不被识别?我错过了什么?请帮助。我不是php专家。
谢谢!
<?php
include 'includes/top.php';
?>
<?php
error_reporting(0);
session_start();
$connect = mysql_connect("localhost", "hostname", "password") or die ("Couldn't connect!");
mysql_select_db("djones33") or die ("Couldn't find db!");
$query = mysql_query("SELECT * FROM tm_user WHERE username='$username'");
$numrows = mysql_num_rows($query);
echo $numrows;
if ($numrows!=0) {
while ($row = mysql_fetch_assoc($query)) {
$db_username = $row['username'];
$db_password = $row['password'];
}}
if (isset($_POST["username"])) {
$username = $_POST["username"];
//they did, so now, has the username AND password been entered?
if ((isset($_POST["username"])) && (isset($_POST["password"]))){
//they have, now, is the username correct?
if ($_POST["username"]!=$db_username && $_POST["username"]!=""){
$uerror="<p class='error'>* The username you entered is not correct.</p>";
//echo "$uerror";
} else {
echo "";
}
//now, is the password correct?
if ($_POST["password"]!=$db_password && $_POST["password"]!=""){
$perror="<p class='error'>* The password you entered is not correct.";
//echo "$perror";
} else {
echo "";
}
//they haven't entered a username, so...
if ($_POST["username"]=="") {
$emptyu="<p class='error'>* You must enter a username.</p>";
//echo $emptyu;
}
//they haven't entered a username, so...
if ($_POST["password"]=="") {
$emptyp="<p class='error'>* You must enter a password.</p>";
//echo $emptyu;
}
//if the username and password are correct, give them the welcome page!
if ($_POST["username"]==$db_username && $_POST["password"]==$db_password) {
echo "";
$_SESSION['username']=$db_username;
//$welcome = "Welcome, ".$user. "! You have successfully logged in.";
}
}
}
?>
<h2><span class="green_title">Welcome</span><br><span class="title_size">to YOUR.to-do!</span></h2>
<section id="login_area">
<div id="login_title">
<p>Login</p>
</div>
<div id="form_area">
<form action="login.php" method="post">
<?php echo $uerror; echo $emptyu;?>
<input type="text" name="username" placeholder="username" id="username"/><br/>
<?php echo $perror; echo $emptyp;?>
<input type="password" name="password" placeholder="password" id="password"/><br/>
<input type="submit" name="submit" value="LOGIN" class="button"/>
</form>
</div>
</section>
<footer>
<p>New user? | <a href="register.php">Register</a></p>
</footer>
</div>
</div>
</body>
</html>
看一下PHP内置的密码散列函数和PDOStatement类。当您的用户注册时,请确保在将密码保存到数据库之前对他们提交的密码使用password_hash()。当您查询数据库时,请使用PDOStatements和绑定参数来保护站点免受SQL注入攻击。
你的登录脚本应该看起来像这样:
$db = new PDO('mysql:host=localhost;dbname=Database_Name', 'Username', 'Password');
$ps = $db->prepare("SELECT * FROM tm_user WHERE username = (:username)");
$ps->bindParam(":username", $_POST["username"]);
$ps->execute();
$result = $ps->fetch(); // $result is an array representing the row in tm_user with the submitted username
if(count($result) === 0)
{
// username not found
}
else if(password_verify($_POST["password"], $result["password"]) === false)
{
// password is incorrect
}
else if(password_verify($_POST["password"], $result["password"]) === true)
{
// give them the welcome page!
}
请记住:password_verify()只有在将密码存储到数据库之前使用password_hash()才能工作。