我从http://freestudentprojects.com网上银行。除了登录页面不断显示我的密码和用户名无效之外,一切似乎都正常。
SQL数据库中的任何密码和loginid组合都无法将我登录到管理页面(名为:emplogin.php)。请帮助我了解问题所在。代码和数据库之间的变量和值是否不匹配?
//emplogin.php page begins. Database is at the end of the php script.
<?php
session_start();
include("header.php");
include("dbconnection.php");
if(isset($_SESSION["employeeid"]))
{
header("Location: employeeaccount.php");
}
if(isset($_SESSION["adminid"]))
{
header("Location: admindashboard.php");
}
if(isset($_POST["loginadmin"]))
{
//coding for login the employee account
$result = mysql_query("SELECT * FROM employees
WHERE loginid='$_POST[adminlogin]' AND password='$_POST[adminpass]'");
if(mysql_num_rows($result) == 1)
{
$_SESSION["adminid"] =$_POST["adminlogin"];
header("Location: admindashboard.php");
}
else
{
$logininfo = "Invalid Username or password entered";
}
}
if(isset($_POST["loginemp"]))
{
//coding for login the employee account
$result = mysql_query("SELECT * FROM employees
WHERE loginid='$_POST[emplogin]' AND password='$_POST[emppassword]'");
if(mysql_num_rows($result) == 1)
{
$_SESSION["employeeid"] =$_POST["emplogin"];
header("Location: employeeaccount.php");
}
else
{
$logininfo1 = "Invalid Username or password entered";
}
}
?>
<div id="templatemo_main">
<p class="welcome_text">"<strong>Administrator and Employee Login page.</strong>"</p>
<div class="col_w420 float_l">
<div></div>
<h2>Administrator Login page</h2>
<div>
<form id="form2" name="form1" method="post" action="">
<p>
<label for="adminlogin" class="leftal"><strong>Loginid</strong></label>
<input name="adminlogin" type="text" id="adminlogin" size="40" class="rightal"/>
</p>
<p class="cleaner_h50" id="password2">
<label for="adminpass" class="leftal"><strong>password</strong></label>
<input name="adminpass" type="password" id="adminpass" class="rightal" size="40" />
</p>
<p class="cleaner_h50"> <font color="#FF0000"><b><?php echo $logininfo; ?></b></font></p>
<p class="cleaner_h50">
<input name="loginadmin" type="submit" class="submit_btn float_r" id="loginadmin" value="Click here to Login" />
</p>
</form>
</div>
<h2>Employee Login page</h2>
<div>
<form id="form1" name="form1" method="post" action="">
<p>
<label for="emplogin" class="leftal"><strong>Loginid</strong></label>
<input name="emplogin" type="text" id="emplogin" size="40" class="rightal"/>
</p>
<p class="cleaner_h50" id="password">
<label for="emppassword" class="leftal"><strong>password</strong></label>
<input name="emppassword" type="password" id="emppassword" class="rightal" size="40" />
</p>
<p class="cleaner_h50"> <font color="#FF0000"><b><?php echo $logininfo1; ?></b></font></p>
<p class="cleaner_h50">
<input name="loginemp" type="submit" class="submit_btn float_r" id="loginemp" value="Click here to Login" />
</p>
</form>
</div>
<div class="button float_r"></div>
</div>
<div class="cleaner"></div>
</div> <!-- end of main -->
<div id="templatemo_main_bottom"></div> <!-- end of main -->
<?php
include("footer.php");
?>
//emplogin.php page ends
以下是脚本的数据库:
CREATE TABLE IF NOT EXISTS `employees` (
`empid` int(10) NOT NULL AUTO_INCREMENT,
`employee_name` varchar(25) NOT NULL,
`loginid` varchar(25) NOT NULL,
`password` varchar(25) NOT NULL,
`emailid` varchar(30) NOT NULL,
`contactno` varchar(30) NOT NULL,
`createdat` date NOT NULL,
`last_login` datetime NOT NULL,
PRIMARY KEY (`empid`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=313800 ;
--
-- Dumping data for table `employees`
--
INSERT INTO `employees` (`empid`, `employee_name`, `loginid`, `password`, `emailid`, `contactno`, `createdat`, `last_login`) VALUES
(313786, 'soudhabanu', '445545', '125487', 'soudha_ban@52yahoo.com', '9535543313', '2012-12-15', '2012-12-03 11:27:00'),
(313787, 'mahesh', 'mahesh', 'qwert', 'mahesh@gmail.com', '98478872783', '0000-00-00', '0000-00-00 00:00:00'),
(313788, 'jyothi', '3535355', '3636', 'jyothi@yahoo.com', '95425422424', '2013-01-02', '0000-00-00 00:00:00'),
(313791, 'admin', 'admin', 'admin', 'admin', 'admin', '2013-01-12', '2013-01-12 00:00:00'),
(313798, 'raj', 'rajkiran', '123456', 'abc@gmail.com', '9874563210', '2013-02-02', '0000-00-00 00:00:00'),
(313799, 'peter king', 'emp', 'emp', 'emp@gmail.com', '987456321', '2013-02-09', '0000-00-00 00:00:00');
以下代码:
"SELECT * FROM employees
WHERE loginid='$_POST[adminlogin]' AND password='$_POST[adminpass]'"
不正确
这个问题与字符串连接有关,你可以这样构建字符串:
$sql= sprintf("SELECT * FROM employees WHERE loginid ='%s' AND password='%s'",
mysql_real_escape_string($_POST['adminlogin']),
mysql_real_escape_string($_POST['adminpass']));
使用mysql_real_escape_string
来避免sql注入,如果有机会,应该使用准备好的语句更新到mysqli。
if(mysql_num_rows($result) == 1)
返回false,可能性很小:
- 您的连接甚至不成功
mysql_query
返回false,因此mysql_num_rows
失败- 您没有得到任何结果,返回0条记录
以下是几种方法:
使用mysql_num_rows
if(isset($_POST["loginemp"]))
{
$sql= sprintf("SELECT * FROM employees WHERE loginid ='%s' AND password='%s'",
mysql_real_escape_string($_POST['emplogin']),
mysql_real_escape_string($_POST['emppassword']));
//coding for login the employee account
$result = mysql_query($sql);
echo 'sql = '.$sql;
echo 'mysql_num_rows() = ' .mysql_num_rows($result);
if(mysql_num_rows($result) > 0)
{
$_SESSION["employeeid"] =$_POST["emplogin"];
header("Location: employeeaccount.php");
}
else
{
$logininfo = "Invalid Username or password entered";
}
}
使用mysql_fetch_row
if(isset($_POST["loginemp"]))
{
$sql= sprintf("SELECT * FROM employees WHERE loginid ='%s' AND password='%s'",
mysql_real_escape_string($_POST['emplogin']),
mysql_real_escape_string($_POST['emppassword']));
//coding for login the employee account
$result = mysql_query($sql);
echo 'sql = '.$sql;
if (mysql_fetch_row($result)) {
$_SESSION["employeeid"] =$_POST["emplogin"];
header("Location: employeeaccount.php");
} else {
$logininfo = "Invalid Username or password entered";
}
}
我添加了更多的代码来显示应该测试的sql,以及结果计数。
如果遇到更多问题,可以使用COUNT(*)
并检查返回的值。
您已经为这段代码挣扎了几天,现在您必须学习一些基本的php调试,因为php在帮助您发现问题方面不是很复杂。
总是尝试打印、记录、值等。。。