问题描述
我想让我的代码检查用户名和密码是否存在于我的数据库中。
它的工作硬编码,但我想要做一个数据库。现在这是我有:
I want my code to check if the username and password exist in my database.It does work hardcoded, but I want to do it with a database.Right now this is what I have:
if(isset($_POST["name"], $_POST["password"]))
{
$name = $_POST["name"];
$password = $_POST["password"];
$result1 = mysql_query("SELECT password FROM Users WHERE username = '".$name."'");
$result2 = mysql_query("SELECT username FROM Users WHERE password = '".$password."'");
if($name == $result2 && $password == $result1)
{
$_SESSION["logged_in"] = true;
$_SESSION["naam"] = $name;
}
else
{
echo'The username or password are incorrect!';
}
}
问题出现在 result1 / 2
part我想,因为当我在我的网站使用正确的用户名和密码时,它给出了不正确的消息。
The problem is in the result1/2
part I think, cause when I use the right username and password in my site it gives the incorrect message.
该查询也工作了,在PHPmyAdmin中尝试它,但没有 $ name
部分,我用用户名替换它
Oh yes and the query works too, tried it in PHPmyAdmin but then without the $name
part which I replaced it with the username
推荐答案
您可以使用 mysql_num_rows()
并结合查询 - 查看脚注
You can use mysql_num_rows()
and combine your query - See footnotes
if(isset($_POST["name"], $_POST["password"]))
{
$name = $_POST["name"];
$password = $_POST["password"];
$result1 = mysql_query("SELECT username, password FROM Users WHERE username = '".$name."' AND password = '".$password."'");
if(mysql_num_rows($result1) > 0 )
{
$_SESSION["logged_in"] = true;
$_SESSION["naam"] = $name;
}
else
{
echo 'The username or password are incorrect!';
}
}
为了使您的代码更安全,使用:
In order to make your present code a bit more secure, use:
$name = stripslashes($_POST["name"]);
$name = mysql_real_escape_string($_POST["name"]);
$password = stripslashes$_POST["password"]);
$password = mysql_real_escape_string$_POST["password"]);
,但请查看以下关于使用预准备语句和密码散列的链接。
but do look at the links below about using prepared statements and password hashing.
脚注:
Footnotes:
您的现有代码向开放。使用 ,或。请访问这些链接了解详情。
Your present code is open to SQL injection. Use prepared statements, or PDO with prepared statements. Visit those links for more information.
我注意到您可能以纯文本格式存储密码。
I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.
如果你是一个LIVE网站,你最终会被黑客入侵。
If you are and this is a LIVE site, you will eventually get hacked.
我建议您使用或PHP 5.5的函数。对于PHP& 5.5使用。
I recommed you use CRYPT_BLOWFISH or PHP 5.5's password_hash()
function. For PHP < 5.5 use the password_hash() compatibility pack
.
mysql _ *
函数弃用通知:
此扩展程序自PHP 5.5.0起已不推荐使用,建议不要将新代码写入它将在未来被删除。相反,或 PDO_MySQL 扩展名。另请参见。
These functions allow you to access MySQL database servers. More information about MySQL can be found at » http://www.mysql.com/.
MySQL的文档可以在»。
Documentation for MySQL can be found at » http://dev.mysql.com/doc/.
编辑
尝试替换
if(mysql_num_rows($result1) > 0 )
{
$_SESSION["logged_in"] = true;
$_SESSION["naam"] = $name;
}
else
{
echo 'The username or password are incorrect!';
}
与:
while($row=mysql_fetch_assoc($result1))
{
$check_username=$row['username'];
$check_password=$row['password'];
}
if($username == $check_username && $password == $check_password){
echo "Matches.";
}
else{
echo "No match.";
}
这篇关于PHP mySQL检查用户名和密码是否在数据库中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!