问题是,如果$_POST['username']
包含数据库中存在的用户名,则脚本运行良好。如果用户名键入错误,或者除了在数据库中找到的内容之外,还键入了其他内容,那么它就会锁定。
有没有一种方法可以将SELECT
构造为"else"类型的语句,当出现拼写错误时,它会"执行此操作"。。。
提前感谢
include('includes/config.php');
if($_REQUEST['do'] == 'login') {
$postusername = $_POST['username'];
$result = mysqli_query($con,"SELECT * FROM $sqlusers WHERE
username = '$postusername'");
while($row = mysqli_fetch_array($result))
{
if($_POST['username'] == $row['username'] &&
$_POST['password'] == $row['password']){
$logged_username = $row['username'];
$_SESSION['username']= $logged_username;
$_SESSION['active']=1;
session_write_close;
//to redirect back to "index.php" after logging out`
header("location:/index.php");
}
else {
header("Location:login.php?errorMssg=".urlencode("Your Login
Information is incorrect!!"));
}
}
}
试试这个:请查看我所做的更改。。。
<?php
include('includes/config.php');
if($_REQUEST['do'] == 'login') {
//check if username and password set
if(isset($_POST['username']) && isset($_POST['password'])){
$postusername = mysqli_real_escape_string($_POST['username']);
$postpassword = mysqli_real_escape_string($_POST['password']);
$result = mysqli_query($con,"SELECT * FROM $sqlusers WHERE username = '$postusername' and password = '$postpassword' ");
if(mysqli_num_rows($result) > 0){
$logged_username = $postusername;
$_SESSION['username']= $postusername;
$_SESSION['active']=1;
session_write_close;
//to redirect back to "index.php" after logging out`
header("location:/index.php");
exit;
}
else {
header("Location:login.php?errorMssg=".urlencode("Your Login
Information is incorrect!!"));
exit;
}
}else{
header("Location:login.php?errorMssg=".urlencode("Enter Username and Password"));
exit;
}
}
更新:编制报表
<?php
include('includes/config.php');
if($_REQUEST['do'] == 'login') {
//check if username and password set
if(isset($_POST['username']) && isset($_POST['password'])){
$stmt = mysqli_prepare($con,"SELECT * FROM $sqlusers WHERE username = ? and password = ? ");
mysqli_stmt_bind_param($stmt, 'ss', $_POST['username'], $_POST['password']);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
if(mysqli_stmt_num_rows($stmt) > 0){
$logged_username = $postusername;
$_SESSION['username']= $postusername;
$_SESSION['active']=1;
session_write_close;
//to redirect back to "index.php" after logging out`
header("location:/index.php");
exit;
}
else {
header("Location:login.php?errorMssg=".urlencode("Your Login
Information is incorrect!!"));
exit;
}
}else{
header("Location:login.php?errorMssg=".urlencode("Enter Username and Password"));
exit;
}
}
如果查询失败,则返回false,因此可以使用类似的代码
$result = mysqli_query($conn,$sql);
然后像
if ($result != false)
do some crap
else
do some other crap
在代码中查找SQL错误的标准似乎是
$result = mysqli_query($con,"SELECT * FROM $sqlusers WHERE username = '$postusername'") or die (mysqli_error($con));
但我不知道你是不是这么问的。
关于的一个相关注记
您的脚本容易受到SQL注入的攻击。请修复它http://php.net/manual/en/security.database.sql-injection.php
- 首先,你应该逃离用户发送的数据,以抵御黑客sql注入攻击
- 在将用户的密码存储到数据库之前,您应该将其保存并散列。阅读以下内容:http://php.net/manual/en/faq.passwords.php
- 如果数据库结果为空(没有给定登录名的用户),您还没有写下该怎么办的部分
试试这个:
<?php
include('includes/config.php');
if ($_REQUEST['do'] == 'login')
{
$postusername = mysqli_real_escape_string($_POST['username']);
$result = mysqli_query($con, "SELECT * FROM $sqlusers WHERE username = '$postusername'");
if (!$result)
{
// handle error
}
$row = mysqli_fetch_array($result);
if ($row && $_POST['password'] == $row['password'])
{
$logged_username = $row['username'];
$_SESSION['username'] = $logged_username;
$_SESSION['active'] = 1;
session_write_close;
//to redirect back to "index.php" after logging out`
header("location:/index.php");
}
else
{
header("Location:login.php?errorMssg=" . urlencode("Your Login Information is incorrect!!"));
}
}
您的查询是:
SELECT * FROM $sqlusers WHERE username = '$postusername'
正如您的问题中所提到的,如果"nothing=Y",即,如果表中没有用户名与发布的用户名匹配,则查询将返回一个空的结果集。在简单的PHP术语中,"如果db=username中没有任何内容"被翻译为:
if(mysqli_num_rows($result) == 0) { // no rows matches the posted username (nothing = Y, in your words)
//handle your error here
} else { // ie, X = Y in your words
// the while loop to check password goes here
}