我有一个使用电子邮件和密码设置的数据库,我正在尝试使用以下代码来检查用户名(电子邮件)和密码以确保它们正确无误,如果它们不匹配,则将它们发送到/cms,则会出现一个弹出框。我只是突然开始工作。您能看到导致这种情况的任何问题吗?
session_start();
require_once("../mydbpassword.php");
if($_POST['username']) {
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM agents WHERE email = '$username' AND pword = '$password'";
$result = mysqli_query($mysqli,$sql);
$email = $row['email'];
$pword = $row['pword'];
if(($username != $email) || ($password != $pword)) {
echo'<script type="text/javascript">
window.alert("Your login information is wrong, try again!");
window.location="/cms/login"
</script>';
}
else {
$row = mysqli_fetch_assoc($result);
$_SESSION['admin'] = $row['$email'];
header("Location: /cmsS");
exit();
}
}
变量可以设置,但为空。
if($_POST['username'])
由
if (!empty($_POST['username']))
防止MySQL注入,仅获取密码。
$sql = "SELECT * FROM agents WHERE email = '$username' AND pword = '$password'";
由
$sql = 'SELECT password FROM agents WHERE email = "'.mysql_real_escape_string($username).'"';
正确的 MySQL 字符串关联
$result = mysqli_query($mysqli,$sql);
由
$result = mysqli_fetch_assoc(mysqli_query($mysqli,$sql));
以及真正有意义的支票
if ($password != $pword || empty($pword)) {
echo'<script type="text/javascript">
window.alert("Your login information is wrong, try again!");
window.location="/cms/login"
</script>';
}
切换
$result = mysqli_query($mysqli,$sql);
自
$result = mysqli_fetch_assoc(mysqli_query($mysqli,$sql));
此外,您还有很多事情需要修复。像散列密码,安全查询,更好的重定向/错误系统(js可以被禁用或容易被黑客入侵/更改)。