一个数据库有效，第二个无效答案

【问题标题】：one database works and second doesnt一个数据库有效，第二个无效
【发布时间】：2017-02-07 14:37:49
【问题描述】：

我有一个数据库，其中有 4 个表，2 个用于私人用户，2 个用于业务用户。出于某种原因，当我尝试使用业务用户的电子邮件登录时它不起作用但用户名有效，并且在私人表中它有效，这是我的代码，如果我没有正确解释它告诉我，我会尽力解释又来了

    $password = $_POST['password'];
    $emailuser = $_POST['unameemail'];
    $password = mysqli_real_escape_string($sql , $password); 
    $emailuser = mysqli_real_escape_string($sql , $emailuser); 
    $pwcheck = "
    SELECT * FROM private AS p 
    INNER JOIN user_private_data 
    AS c ON p.id = c.id 
    WHERE username='$emailuser' OR email='$emailuser'"; // part that works fine 
    $resultcheck = mysqli_query($sql , $pwcheck); // part that works fine 
    $rowcheck = mysqli_fetch_array($resultcheck , MYSQLI_ASSOC); // part that works fine 
    $hash = $rowcheck['password']; // part that works fine 
    $hash_pwd = password_verify($password , $hash);
    if ($hash_pwd != 0) {
        $_SESSION['username'] = $rowcheck['username']; // part that works fine  
        $_SESSION['logged'] = true; // part that works fine 
        header("refresh:0;url=../blablabla.php");     // part that works fine                   
    } else {
        $privateuser = "
        SELECT * FROM business AS d 
        INNER JOIN user_business_data 
        AS j ON d.id = j.id 
        WHERE username='$emailuser' OR email='$emailuser'"; // doesn't work
        $resultprivate = mysqli_query($sql , $privateuser); // doesn't work
            $rowprivate = mysqli_fetch_array($resultprivate , MYSQLI_ASSOC);
        $hashprivate = $rowprivate['password'];
        $hash_private = password_verify($password , $hashprivate);
        if ($hash_private != 0) {

            $_SESSION['username'] = $rowprivate['username'];
            $_SESSION['logged'] = true;
            $_SESSION['business'] = $rowprivate['bname'];
            $_SESSION['type'] = 'business';
}

【问题讨论】：

请在解析到您的查询之前清理您的输入值。这个脚本很容易受到 SQL 注入的攻击。
你的脚本有SQL Injection Attack的风险看看Little Bobby Tables发生了什么甚至if you are escaping inputs, its not safe!使用prepared parameterized statements
这是登录页面不是注册页面
“不起作用”是不够的。当您为业务用户访问 mysqli_query 时遇到什么错误？
我猜}到底是不是复制/粘贴错误？

标签： php mysql database mysqli

【解决方案1】：

试试这个：你需要在获取之前检查查询是否真的有结果我假设变量 $sql 是在您的连接中定义的

<?php

$password = $_POST['password'];
$emailuser = $_POST['unameemail'];
$password = mysqli_real_escape_string($sql, $password);
$emailuser = mysqli_real_escape_string($sql, $emailuser);
$pwcheck = "
            SELECT * FROM private AS p 
            INNER JOIN user_private_data 
            AS c ON p.id = c.id 
            WHERE username='$emailuser' OR email='$emailuser'"; // part that works fine 
$resultcheck = mysqli_query($sql, $pwcheck); // part that works fine 
$rowcheck = mysqli_fetch_array($resultcheck, MYSQLI_ASSOC); // part that works fine 
$hash = $rowcheck['password']; // part that works fine 
$hash_pwd = password_verify($password, $hash);
if ($hash_pwd != 0) {
    $_SESSION['username'] = $rowcheck['username']; // part that works fine  
    $_SESSION['logged'] = true; // part that works fine 
    header("refresh:0;url=../blablabla.php");     // part that works fine                   
} else {
    $privateuser = "
                SELECT * FROM business AS d 
                INNER JOIN user_business_data 
                AS j ON d.id = j.id 
                WHERE username='$emailuser' OR email='$emailuser'"; // doesn't work
    $resultprivate = mysqli_query($sql, $privateuser); // doesn't work
    if ($resultprivate->num_rows > 0) {
        $rowprivate = mysqli_fetch_array($resultprivate, MYSQLI_ASSOC);
        $hashprivate = $rowprivate['password'];
        $hash_private = password_verify($password, $hashprivate);
        if ($hash_private != 0) {

            $_SESSION['username'] = $rowprivate['username'];
            $_SESSION['logged'] = true;
            $_SESSION['business'] = $rowprivate['bname'];
            $_SESSION['type'] = 'business';
        } else {
            //no record
        }
    }
?>

【讨论】：