我有一个名为school的MySQL数据库,其设置如下:
schoolID(1),schoolName(school 1),schoolCounty(Buckinghamshire),schoolUsername(school1admin),schoolPassword(school1password)
我目前有一个下拉菜单,显示学校列表,当我在HTML登录表单中键入任何用户名和密码时,我都可以登录。
我似乎无法弄清楚如何设置它,具体取决于学校的选择,取决于所使用的用户名和密码。
例如,如果我选择school1,那么我只能使用school1的用户名和密码。
到目前为止,这是我对index.php的了解:
<?php
require_once 'databaseConnect.php'; // connects to the databse via this file
if ($conn->connect_error) die ($conn->connect_error); // check the connection to the database. If failed, display error
$sql = "SELECT * FROM school";
$result = $conn->query($sql);
$conn->close();
?>
<html>
<body>
<title>EduKode</title>
<div id="login-form-container">
<p>Log In:</p>
<?php
echo'<div id="schoolSelection">';
echo '<select name="schoolName">';
if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
echo '<option>'. $row["schoolName"]. "<br>";
}
} else {
echo "0 results";
}
echo '</select>';
echo'</div>';
//http://stackoverflow.com/questions/10009464/fetching-data-from-mysql-database-to-html-dropdown-list
?>
<form id="login-form" name="contactform" method="post" action="checkSchoolCredentials.php"> <!-- when submitting the form will call the 'authenticate.php' script.-->
<div class="contact-form">
<label>Username:</label>
<input name="username" type="text"> <!-- students created username field-->
<label>Password:</label>
<input name="password" type="password"> <!-- students created password field-->
</div>
<div id="submit-button">
<input type="submit" name="submit" value="Log In">
</div>
</form>
</div>
</body>
</html>
这用于checkSchoolCredentials.php:
<?php
require_once 'databaseConnect.php'; // connects to the databse via this file
if ($conn->connect_error) die ($conn->connect_error); // check the connection to the database. If failed, display error
if(isset($_POST['submit'])) // if submit button is pressed
{
$username = $_POST['username']; //assigns the value of the input box username to $username
$password = $_POST['password']; //assigns the value of the input box password to $password
$query = "SELECT * FROM school WHERE schoolUsername='$username' AND schoolPassword ='$password'"; // Query the database
$result=mysqli_query($conn, $query);
if(mysqli_num_rows($result) ==1)
{
session_start(); // start session
$_SESSION['auth']='true';
$_SESSION['username'] = $username; // save session as username
header('location:taskSelection.php'); // if correct, redirect to taskSelection.php
}
else
{
header('location:index.php'); // redirect to index.html if incorrect
}
}
$conn->close();
?>
最佳答案
亲密无间,您必须发送学校名称并检查是否设置了所有变量:if (isset($POST['username'],$POST['userpassword'],$POST['schoolName'])
然后只需替换:
$query = "SELECT * FROM school WHERE schoolUsername='$username' AND schoolPassword ='$password'"; // Query the database
与:
$query = "SELECT * FROM school WHERE schoolUsername='$username' AND schoolPassword ='$password' AND schoolName='$schoolName'"; //
现在您必须知道我的查询仍然很糟糕,因为它容易受到sql注入的攻击。您必须使用prepare statements instead:
$sql = "SELECT * FROM school WHERE schoolUsername=? AND schoolPassword = ? AND schoolName=?";
if ($query = $conn->prepare($sql)){
$query->bind_param("s", $username,$password,$schoolName);
$stmt->bind_result($result);
while($stmt->fetch()){
// you can work with $result which is an array containing a line of the results
}