PHP 和 SQL 遇到问题

【问题标题】:having trouble with PHP and SQLPHP 和 SQL 遇到问题
【发布时间】:2016-06-04 13:44:36
【问题描述】:

我试图在 php 中显示错误消息($error="用户名或密码无效"; ) 当用户名或密码不在数据库中时。但是甚至没有运行代码(在 index.php 中单击登录,就会显示错误消息。谢谢 :) 

<?php

    session_start(); // Starting Session
    $error=''; // Variable To Store Error Message
    if (isset($_POST['submit'])) {

    }

    if (isset($_POST['submit'])) {



    // Define $username and $password
     $name=$_POST['username'];
     $pass=$_POST['password'];

    $servername = "localhost";
    $username = "root";
    $password = "root";
    $dbname = "company";

    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection


    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    } 

    $sql = "SELECT id, username, password FROM login";
    $result = $conn->query($sql);


    if ($result->num_rows > 0) {
        // output data of each row
        while($row = $result->fetch_assoc()) {
            //echo "id: " . $row["id"]. " - Name: " . $row["username"]. " " . $row["password"]. "<br>";
            if($name==$row["username"] && $pass== $row["password"]){
                header("location: profile.php"); // Redirecting To Other Page
            }else{
                $error="Username or Password is invalid";
            }

        }

    }




         else {
        echo "Server is down";
    }
    $conn->close();
    }

    ?>

我的 index.php

<?php
include('../php/login.php'); // Includes Login Script

if(isset($_SESSION['login_user'])){
header("location: ../php/profile.php");
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Login Form in PHP with Session</title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="main">
<h1>PHP Login Session Example</h1>
<div id="login">
<h2>Login Form</h2>
<form action="" method="post">
<label>UserName :</label>
<input id="name" name="username" placeholder="username" type="text">
<label>Password :</label>
<input id="password" name="password" placeholder="**********" type="password">
<input name="submit" type="submit" value=" Login ">
<span><?php echo $error; ?></span>
</form>
</div>
</div>
</body>
</html>

【问题讨论】:

  • 所以即使您干净地打开页面而不是更新它,您也会看到错误?顺便说一句,这是非常不安全的,你应该为你的 sql 使用准备好的语句。
  • 我尝试关闭服务器并重新打开它,谢谢。

标签: php sql


【解决方案1】:

我稍微更新了您的安全性。确保始终验证用户输入。下面的代码对 SQL 注入是安全的。无法注射!也无法进行 HEX 攻击。

<?php
if (!isset($_SESSION)) { session_start(); }

$db_host = "localhost";
$db_user = "root";
$db_pass = "root";
$db_name = "company";

$conn = new mysqli($db_host, $db_user, $db_pass, $db_name);

if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}   

$errmessage = $error = '';

function checkUsername($data) {
    if (preg_match('/[^A-Za-z0-9.]{8,50}/', $data)) { // A-Z, a-z, 0-9, . (dot), min-length: 8, max-length: 50
        $data = false;
    } 
    return $data;
}

function checkPassword($data) {
    if(!preg_match('/^(?=.*\d)(?=.*[A-Za-z])[0-9A-Za-z!@#$%]{8,50}$/', $data)) { // A-Z, a-z, 0-9, !, @, #, $, %, min-length: 8, max-length: 50
        $data = false;
    }
    return $data;
}

if (isset($_POST['submit']) && isset($_POST['username']) && isset($_POST['password'])) {

    $username = $_POST['username'];
    $password = $_POST['password'];

    if (checkUsername($username) === false) {
        $error = "Username is not valid!";
        exit();
    }
    if (checkPassword($password) === false) {
        $error = "Password is not valid!";
        exit();
    }

    $secure_name = bin2hex(htmlspecialchars($username));
    //$secure_pass = hashpassword($securepass); // Hash your passwords!
    $secure_pass = bin2hex(htmlspecialchars($password));

    $sql = "SELECT * FROM login WHERE username = UNHEX('$username') AND password = UNHEX('$password')";
    $result = $conn->query($sql);

    if ($result->num_rows == 1) {
        session_regenerate_id();
        $_SESSION['login_user'] = true;
        header("location: profile.php");
    } else {
        $error = "Username and/or Password is invalid";
    }
    $conn->close();

} else {
    echo "Error";
}
?>

HEX 反对注入的来源:How can I prevent SQL injection in PHP?(Zaffy 的回答)

额外信息:

不要只检查会话登录是否存在,还要检查它的值!

if(isset($_SESSION['login_user'])){
    header("location: ../php/profile.php");
}

必须

if (isset($_SESSION['login_user']) && $_SESSION['login_user'] === true){
    header("location: ../php/profile.php");
    exit();
} else {
    // Loginscript
}

【讨论】:

    【解决方案2】:

    PHP 脚本似乎从数据库中获取了所有用户名/密码对

    $sql = "SELECT id, username, password FROM login";

    稍后在while 循环中,第一对与用户输入不匹配会触发错误消息分配

    【讨论】:

      猜你喜欢
      • 2011-08-27
      • 1970-01-01
      • 2010-12-01
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2014-12-02
      • 1970-01-01
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode