这是登录名的php:
<?php
// Get user input values
$username = $_POST['user'];
$password = $_POST['pass'];
// Protect againts sql injection
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
//connect to the database and selsct database
mysql_connect("localhost", "root", "//im hiding the password");
mysql_select_db("test");
//Query the database for user
$result = mysql_query("SELECT * FROM users WHERE username = '" . $username . "' && password = '" . $password . "'") or die("Failed to query database " . mysql_error());
$row = mysql_fetch_array($result);
if ($row['username'] == $username && $row['password'] == $password) {
echo "Login Successful Welcome: " . $row['username'];
} else {
echo "Invalid Username or Password";
}
这是html:
<html>
<head>
<meta charset="UTF-8" />
<title>Simple Login</title>
</head>
<body>
<h1 style="text-align:center;">Simple Login</h1>
<div id="wrapper">
<form style="text-align:center;" action="process.php" method="post">
Username:
<input type="text" name="user" />
<br />Password:
<input type="password" name="pass" />
<br />
<input type="submit" name="submit" value="Login" />
</div>
</form>
</body>
<html>
有人能告诉我,如果用户名和密码正确,php为什么不检查数据库吗。哦,当你在用户名和密码框里什么都不放时,它会让你登录!
这:
$password = mysql_real_escape_string($password);
//connect to the database and selsct database
mysql_connect("localhost", "root", "//im hiding the password");
mysql_real_escape_string()
需要到DB的活动连接,但直到AFTER才进行该连接。因此,m_r_e_s()
将为失败返回布尔值FALSE,然后在查询中盲目使用该值。字符串上下文中的布尔false是一个零长度字符串,因此您的查询将变成
SELECT ... WHERE username='' && password=''
请注意,mysql_*()
函数已经过时,现在已从PHP中删除。您应该不要出于任何原因在任何地方使用它们。