I have a MySQL database called school, set up as follows:
schoolID(1),schoolName(school 1),schoolCounty(Buckinghamshire),schoolUsername(school1admin),schoolPassword(school1password)

I currently have a drop-down menu that shows the list of schools, and when I type any username and password into the HTML login form, I can log in.

I can't seem to figure out how to set it up so that the username and password that can be used depend on the school selected.

For example, if I select school1, then I can only use school1's username and password.

This is what I have so far for index.php:

<?php

require_once 'databaseConnect.php';  // connects to the database via this file
if ($conn->connect_error) die ($conn->connect_error); // check the connection to the database. If failed, display error


$sql = "SELECT * FROM school";
$result = $conn->query($sql);


$conn->close();
?>


<html>
    <body>
        <title>EduKode</title>




       <div id="login-form-container">
           <p>Log In:</p>

<?php
echo'<div id="schoolSelection">';
echo '<select name="schoolName">';
if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
echo '<option>' . $row["schoolName"] . '</option>';
}
} else {
echo "0 results";
}
echo '</select>';

echo'</div>';

//http://stackoverflow.com/questions/10009464/fetching-data-from-mysql-database-to-html-dropdown-list
?>

                <form id="login-form" name="contactform" method="post" action="checkSchoolCredentials.php"> <!-- submitting the form calls the 'checkSchoolCredentials.php' script -->
                    <div class="contact-form">

                        <label>Username:</label>
                        <input name="username" type="text"> <!-- students created username field-->

                        <label>Password:</label>
                        <input name="password" type="password"> <!-- students created password field-->
                    </div>
                        <div id="submit-button">
                            <input type="submit" name="submit" value="Log In">
                        </div>
                </form>
        </div>

    </body>
</html>


And this is checkSchoolCredentials.php:

<?php
require_once 'databaseConnect.php';  // connects to the database via this file
if ($conn->connect_error) die ($conn->connect_error); // check the connection to the database. If failed, display error


if(isset($_POST['submit'])) // if submit button is pressed
{
    $username = $_POST['username']; //assigns the value of the input box username to $username
    $password = $_POST['password']; //assigns the value of the input box password to $password

    $query = "SELECT * FROM school WHERE schoolUsername='$username' AND schoolPassword ='$password'"; // Query the database


    $result=mysqli_query($conn, $query);
    if(mysqli_num_rows($result) ==1)
    {
        session_start(); // start session
        $_SESSION['auth']='true';
        $_SESSION['username'] = $username; // save session as username
        header('location:taskSelection.php'); // if correct, redirect to taskSelection.php

    }
    else
    {
        header('location:index.php'); // redirect to index.php if incorrect


    }

}


$conn->close();

?>

Best answer

So close. You have to send the school name and check that all the variables are set:

if (isset($_POST['username'], $_POST['password'], $_POST['schoolName']))

Then just replace:

$query = "SELECT * FROM school WHERE schoolUsername='$username' AND schoolPassword ='$password'"; // Query the database


with:

$query = "SELECT * FROM school WHERE schoolUsername='$username' AND schoolPassword ='$password' AND schoolName='$schoolName'"; //


Now, you should know that my query is still bad because it is vulnerable to SQL injection. You must use prepared statements instead:

$sql = "SELECT schoolID FROM school WHERE schoolUsername = ? AND schoolPassword = ? AND schoolName = ?";
if ($stmt = $conn->prepare($sql)) {
    // three placeholders, so three "s" (string) type specifiers
    $stmt->bind_param("sss", $username, $password, $schoolName);
    $stmt->execute();
    $stmt->bind_result($schoolID); // one bound variable per selected column
    while ($stmt->fetch()) {
        // $schoolID holds the value from the current result row
    }
    $stmt->close();
}

10-04 15:37
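
An added example (not code from the question or the answer) that carries the answer's advice through to a complete check: school, username and password are verified together using bound parameters. It uses PDO with an in-memory SQLite database in place of the page's mysqli/MySQL connection so it runs without a server, and it assumes schoolPassword holds a password_hash() value rather than the plaintext shown in the question; the second school row and the test inputs are constructed.

```php
<?php
// Added example: in-memory SQLite via PDO stands in for the page's MySQL/mysqli
// connection so the script runs without a server. All rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE school (
    schoolID INTEGER PRIMARY KEY, schoolName TEXT, schoolCounty TEXT,
    schoolUsername TEXT, schoolPassword TEXT)');

// Assumption: schoolPassword stores a password_hash() value, not the plaintext
// shown in the question.
$insert = $db->prepare('INSERT INTO school
    (schoolName, schoolCounty, schoolUsername, schoolPassword) VALUES (?, ?, ?, ?)');
$insert->execute(['school 1', 'Buckinghamshire', 'school1admin',
    password_hash('school1password', PASSWORD_DEFAULT)]);
$insert->execute(['school 2', 'Buckinghamshire', 'school2admin',
    password_hash('school2password', PASSWORD_DEFAULT)]);

// Returns the matching schoolID, or null when the login must be refused.
function checkSchoolCredentials(PDO $db, string $schoolName, string $username, string $password): ?int
{
    // The school and username are bound as data; they never become SQL text.
    $stmt = $db->prepare('SELECT schoolID, schoolPassword FROM school
                          WHERE schoolName = ? AND schoolUsername = ?');
    $stmt->execute([$schoolName, $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password is compared against the stored hash in PHP, not in the query.
    if ($row === false || !password_verify($password, $row['schoolPassword'])) {
        return null;
    }
    return (int) $row['schoolID'];
}

// Constructed test inputs: [schoolName, username, password, expected result]
$cases = [
    ['school 1', 'school1admin', 'school1password', 1],     // correct school
    ['school 2', 'school1admin', 'school1password', null],  // wrong school selected
    ['school 1', 'school1admin', "' OR '1'='1", null],      // quote characters stay data
    ['school 1', "school1admin' -- ", 'anything', null],    // comment marker stays data
];
foreach ($cases as [$school, $user, $pass, $expected]) {
    $got = checkSchoolCredentials($db, $school, $user, $pass);
    printf("%-10s %-20s => %s (%s)\n", $school, $user,
        var_export($got, true), $got === $expected ? 'ok' : 'MISMATCH');
}
```

For this to work with the page's form, the schoolName select has to sit inside the login form so that its value is posted along with the username and password.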