PHP 身份验证页面不会将用户输入与数据库中存储的数据相匹配
PHP authentication page won't match user input to data stored within the database
我的 PHP 身份验证页面没有从数据库中正确检索数据,当输入正确的凭据时,错误的回显不断出现。请有人能阐明我哪里出错了?非常感谢。
编辑:抱歉,我忘了提到它应该容易受到注入攻击,因为我想用它来进行演示。
HTML:
<form method="POST" action="connection.php">
User <br><input type="text" name = "user" size="40"><br>
Password <br><input type ="password" name="pass" size="40"><br>
<input id="button" type="submit" name="submit" value="Log-In">
PHP:
<?php
// Grab User submitted information
$user = $_POST["user"];
$pass = $_POST["pass"];
// Connect to the database
$con = mysqli_connect("localhost","my_user","my_pass");
// Make sure we connected successfully
if(! $con)
{
die('Connection Failed'.mysqli_error());
}
// Select the database to use
mysqli_select_db(login, $con);
$result = mysqli_query("SELECT usernames, password FROM accounts WHERE usernames = $user");
$row = mysqli_fetch_array($result);
if($row[usernames]==$user && $row[password]==$pass)
echo"You are a validated user.";
else
echo"Sorry, your credentials are not valid, Please try again.";
?>
数据库详细信息:
数据库名称:登录
table 姓名:账户
行:
用户名
密码
您需要将数据库添加到您的连接字符串中:
$con = mysqli_connect("localhost","my_user","my_pass", "my_db");
你不需要mysqli_select_db()。 (反正你用错了。)
来自docs:
This function should only be used to change the default database for the connection. You can select the default database with 4th parameter in mysqli_connect().
查询时需要用引号引起来(见下面的警告):
"... WHERE usernames = '$user'" // added quotes around $user
您需要为您的标识符添加引号:
if($row[usernames]==$user && $row[password]==$pass) // wrong way
带引号
if($row['usernames']==$user && $row['password']==$pass) // right way
如果您没有将这些引号括起来,PHP 将假定它们是常量,并且可能无法正确呈现它们,具体取决于您服务器的设置。
警告!
Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string不安全!
切勿存储纯文本密码!请使用PHP的built-in functions to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() compatibility pack. It is not necessary to
我的 PHP 身份验证页面没有从数据库中正确检索数据,当输入正确的凭据时,错误的回显不断出现。请有人能阐明我哪里出错了?非常感谢。
编辑:抱歉,我忘了提到它应该容易受到注入攻击,因为我想用它来进行演示。
HTML:
<form method="POST" action="connection.php">
User <br><input type="text" name = "user" size="40"><br>
Password <br><input type ="password" name="pass" size="40"><br>
<input id="button" type="submit" name="submit" value="Log-In">
PHP:
<?php
// Grab User submitted information
$user = $_POST["user"];
$pass = $_POST["pass"];
// Connect to the database
$con = mysqli_connect("localhost","my_user","my_pass");
// Make sure we connected successfully
if(! $con)
{
die('Connection Failed'.mysqli_error());
}
// Select the database to use
mysqli_select_db(login, $con);
$result = mysqli_query("SELECT usernames, password FROM accounts WHERE usernames = $user");
$row = mysqli_fetch_array($result);
if($row[usernames]==$user && $row[password]==$pass)
echo"You are a validated user.";
else
echo"Sorry, your credentials are not valid, Please try again.";
?>
数据库详细信息:
数据库名称:登录
table 姓名:账户
行:
用户名
密码
您需要将数据库添加到您的连接字符串中:
$con = mysqli_connect("localhost","my_user","my_pass", "my_db");
你不需要mysqli_select_db()。 (反正你用错了。)
来自docs:
This function should only be used to change the default database for the connection. You can select the default database with 4th parameter in
mysqli_connect().
查询时需要用引号引起来(见下面的警告):
"... WHERE usernames = '$user'" // added quotes around $user
您需要为您的标识符添加引号:
if($row[usernames]==$user && $row[password]==$pass) // wrong way
带引号
if($row['usernames']==$user && $row['password']==$pass) // right way
如果您没有将这些引号括起来,PHP 将假定它们是常量,并且可能无法正确呈现它们,具体取决于您服务器的设置。
警告!
Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string不安全!
切勿存储纯文本密码!请使用PHP的built-in functions to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() compatibility pack. It is not necessary to