我有以下代码(php和jquery)用于学生和教师登录(使用相同的形式访问)。在我的系统中,管理员可以创建学生和教师。创建后,详细信息将保存到数据库中。保存的详细信息假定用于登录到他们的管理面板。但是,问题是,当学生或老师想要使用管理员提供的登录详细信息(已保存在数据库表中)登录时,它会显示错误消息:登录失败,请检查您的用户名和密码。(详细信息相同,保存到数据库表中用于登录过程)。这让我头疼。如果有人能告诉我,如果我的代码中有一些错误,我将不胜感激。
login_form.php
<form id="login_form1" class="form-signin" method="post">
<h3 class="form-signin-heading"><i class="icon-lock"></i> Sign in</h3>
<input type="text" class="input-block-level" id="username" name="username" placeholder="Username" required>
<input type="password" class="input-block-level" id="password" name="password" placeholder="Password" required>
<button data-placement="right" title="Click Here to Sign In" id="signin" name="login" class="btn btn-info" type="submit"><i class="icon-signin icon-large"></i> Sign in</button>
<script type="text/javascript">
$(document).ready(function(){
$('#signin').tooltip('show');
$('#signin').tooltip('hide');
});
</script>
</form>
<script>
jQuery(document).ready(function(){
jQuery("#login_form1").submit(function(e){
e.preventDefault();
var formData = jQuery(this).serialize();
$.ajax({
type: "POST",
url: "login.php",
data: formData,
success: function(html){
if(html=='true_teacher') {
$.jGrowl("Loading File Please Wait......", { sticky: true });
$.jGrowl("Welcome to Soch College's E- Learning Management System", { header: 'Access Granted' });
var delay = 1000;
setTimeout(function(){ window.location = 'dasboard_teacher.php' }, delay);
} else if (html == 'true'){
$.jGrowl("Welcome to Soch College's E- Learning Management System", { header: 'Access Granted' });
var delay = 1000;
setTimeout(function(){ window.location = 'student_notification.php' }, delay);
} else {
$.jGrowl("Please Check your username and Password", { header: 'Login Failed' });
}
}
});
return false;
});
});
</script>
login.php
<?php include('admin/dbcon.php');
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
//for student login
$query_student = mysql_query("SELECT * FROM student WHERE username='$username' AND password='$password'");
$count_stu = mysql_num_rows($query_student);
$row_stu = mysql_fetch_array($query_student);
//for teacher login
$query_teacher = mysql_query("SELECT * FROM teacher WHERE username='$username' AND password='$password'")or die(mysql_error());
$count_tea = mysql_num_rows($query_teacher);
$row_tea = mysql_fetch_array($query_teacher);
if( $count_stu > 0 ) {
$_SESSION['id']=$row_student['student_id'];
echo 'true';
}else if( $count_tea > 0 ) {
$_SESSION['id']=$row_teacher['teacher_id'];
echo 'true_teacher';
}
else{
}?>
我认为问题就在这里;
if( $count_stu > 0 ) {
//$_SESSION['id']=$row_student['student_id'];// mistake
$_SESSION['id']=$row_stu['student_id'];
echo 'true';
}else if( $count_tea > 0 ) {
//$_SESSION['id']=$row_teacher['teacher_id'];// mistake
$_SESSION['id']=$row_tea['teacher_id'];
echo 'true_teacher';
}
else{
echo 'Wrong Username Or Password';
}
我同意@Drew Pierce的观点,你应该考虑使用pdo或mysqli。
在直接处理username
和password
等网页中用户提供的数据时,使用准备好的语句至关重要。
您当前的代码对SQL注入是开放的。将mysqli
与已准备的语句一起使用,或将PDO与已准备语句一起使用。
来自Fred:PHP未在mySQL数据库中插入内容:文本、图像、任何