我有以下代码,但我无法让用户登录他们的帐户,在数据库中,其存储的密码长度为35。我var_dump密码变量以查看插入其中的内容,它与存储在数据库中的密码值相同。任何帮助,感激不尽
<?php
include_once("config.php");
session_start();
$message = "";
if (isset($_POST['username'])) {
$username = ($_POST['username']);
$password =md5($_POST['password']);
$password = ($password);
$sql = "SELECT * FROM user WHERE username = '$username' && password='$password'";
$query = mysqli_query($conn, $sql);
$row = mysqli_fetch_row($query);
$userid = $row[0];
$checkuser = $row[5];
$checkpassword = $row[4];
$type = $row[1];
$name = $row[2];
$surname = $row[3];
if ($username != $checkuser || $password != $checkpassword) {
$message = " username or password entered is incorrect.";
}
if ($username == $checkuser && $password == $checkpassword) {
$_SESSION['username'] = $username;
$_SESSION['type'] =$type;
$_SESSION['name'] = $name;
$_SESSION['surname'] = $surname;
$_SESSION['userid'] = $userid;
if($_SESSION['type'] == "admin") {
header("Location: adminindex.php");
} else {
header("Location: index.php");
}
}
}
?>
您没有使用预准备语句这一事实可能存在也可能不存在问题,但您肯定会让自己对 SQL 注入持开放态度。
预准备语句示例:
$stmt = $conn->prepare("SELECT * FROM user WHERE username =? AND password=?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
请参阅:http://php.net/manual/en/mysqli.prepare.php