我不明白这段代码有什么问题,我遵循了一个旧教程,它可能有点过时,所以我不确定出了什么问题。数据库的所有名称都是正确的,函数应该没问题,我已经查看了一段时间的代码,看不出出了什么问题。
<?php
error_reporting (E_ALL ^ E_NOTICE);
session_start();
?>
<!DOCTYPE html>
<head>
</head>
<body>
<?php
$form ="<form action='./login.php' method='post'>
<table>
<tr>
<td>Username:</td>
<td><input type='text' name='user' /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='password' /></td>
</tr>
<tr>
<td></td>
<td><input type='submit' name='loginbtn' value='Login'/></td>
</tr>
</table>
</form>";
if ($_POST['loginbtn']) {
$user = $_POST['user'];
if ($user) {
if ($password) {
require("connect.php");
$password = md5(md5("fghxjks".$password."HGJDjbCKGC"));
$query = mysql_query("SELECT * FROM userlogins WHERE username='$user'");
$numrows = mysql_num_rows($query);
if ($numrows == 1) {
$row = msql_fetch_assoc($query);
$dbuser = $row['username'];
$dbpass = $row['password'];
if ($password == $dbpass) {
$_SESSION['userid'] = $dbid;
$_SESSION['username'] = $dbuser;
echo "You have been logged in as <b>$dbuser</b>.";
}
else {
echo "The password you entered is not correct.";
}
}
else {
echo "The username you entered was not found. $form";
}
mysql_close();
}
else {
echo "You must enter your password. $form";
}
}
else {
echo "You must enter your username. $form";
}
}
else {
echo $form;
}
?>
</body>
未设置$password
变量。您应该添加:
$password = $_POST['password'];
if ($password)
之前
此外,$user
来自用户输入($_POST['user']
)。切勿将用户输入直接放在mysql_query
中,因为它会使查询容易受到SQL注入的影响。在这种情况下,攻击者将无法执行太多操作,因为mysql_query
不支持多个查询。但您应该始终在用户输入上使用mysql_real_escape_string:
$query = mysql_query('SELECT * FROM userlogins WHERE username='''.mysql_real_escape_string($user).'''');