请参考您要使用其发布变量选择 SQL 查询的用户属性。
类似:
$username =$_POST['username'];
$password = password=$_POST['password'];
$stmt = $db->query("SELECT * FROM users where username='$username' and password= '$password'");
虽然这可能会解决您的问题,但请不要
在生产环境中使用此代码,以防 sql 注入、html 脚本攻击 等
你可以更好地使用Mysqli Prepared statement或者更好地使用PDO。
要清除 html 元素攻击,您可以使用 strip_tags() 函数
例子
$username =strip_tags($_POST['username']);
$password = strip_tags(password=$_POST['password']);
更新答案
使用会话的选项 1
<?php
include '../reg/db.php';
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
if ($username == ''){
echo "username is empty";
exit();
}
if ($password == ''){
echo "Password is empty";
exit();
}
$stmt = $db->prepare('SELECT * FROM users where username = :username and password = :password');
$result->execute(array(
':username' => $username, ':password' => $password));
$count = $stmt->rowCount();
$row = $result->fetch();
if( $count == 1 ) {
echo "login sucessful";
// Redirect me to a Dasboard.php to display the login user
echo "<script>window.location='dashboard.php'</script>";
//Initialize a session
session_start()
//Prevent session Fixation Attack using session generated Id;
session_regenerate_id();
// pass users info in a session if things where ok.
// Prevent xss Attack using Htmlspecialchar or htmlentities() functions
$_SESSION['name'] = htmlspecialchars($row['name']);
$_SESSION['username'] = htmlspecialchars($row['username']);
// Do not pass users password in a session
//$_SESSION['password']=htmlspecialchars($row['password']);
}
else {
echo "<font color=red>Either Username or Password is Wrong</font>";
}
?>
在 dashboard.php 上,您现在可以根据您的实现获得以下代码.....
// initialize sessions
session_start();
// the the authenticated users parameters
Name: <?php echo $_SESSION['name']; ?><br>
userName: <?php echo $_SESSION['username']; ?><br>
选项 2 不使用会话
<?php
include '../reg/db.php';
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
if ($username == ''){
echo "username is empty";
exit();
}
if ($password == ''){
echo "Password is empty";
exit();
}
$stmt = $db->prepare('SELECT * FROM users where username = :username and password = :password');
$result->execute(array(
':username' => $username, ':password' => $password));
$count = $stmt->rowCount();
$row = $result->fetch();
if( $count == 1 ) {
echo "login sucessful";
// Redirect me to a Dasboard.php to display the login user
//echo "<script>window.location='dashboard.php'</script>";
$name = htmlspecialchars($row['name']);
$username = htmlspecialchars($row['username']);
echo "userame: $username </br>";
echo "Name: $name </br>";
}
else {
echo "<font color=red>Either Username or Password is Wrong</font>";
}
?>
如果您有任何问题,请告诉我。记住代码中的密码没有经过哈希处理。它假定纯文本密码在您的数据库中..