用户名正确但密码错误它不会重定向
the username is correct but password is wrong it doesn't redirect
我的 PHP 站点正在连接到 SQL 服务器数据库,然后创建会话并重定向到 'dashboard':
- 如果用户名和密码错误,它会重定向 - 效果很好。
- 如果用户名存在但密码错误,则重新加载失败?
看起来很简单,但我遇到了麻烦,请提供帮助。
还有改进此代码的建议也很好:)
<?php
session_start();
if ( ! empty( $_POST ) ) {
if ( isset( $_POST['username'] ) && isset( $_POST['password'] ) ) {
$username = $_POST['username'];
$password = $_POST['password'];
$connectionInfo = array( "Database"=>"WebUIUsers", "UID"=>"DBUser", "PWD"=>"Password1234");
$conn = sqlsrv_connect( "sqlserver01", $connectionInfo);
if( $conn ) {
// Connection established
$sql = "SELECT * FROM tbl_webui_users WHERE username='$username'";
$stmt = sqlsrv_query( $conn, $sql );
if(!(sqlsrv_fetch_array( $stmt )) >=1){
header("Location: ./index.php");
}
// if username exists but password is wrong redirect to try again ?
while( $row = sqlsrv_fetch_array( $stmt ) ) {
if( $row[password] === $password ) {
$_SESSION['user_session'] = $username;
header("Location: ./dashboard.php");
sqlsrv_free_stmt( $stmt);
}else{
header("Location: ./index.php");
} //end if( $row[password] == $password )
} //end while( $row = sqlsrv_fetch_array( $stmt ) )
}else{
echo "Connection to database could not be established.";
( print_r( sqlsrv_errors(), true));
} //end if( $conn )
} //end if
} // end if
?>
这种意外行为的真正原因是您调用了 sqlsrv_fetch_array() 两次,因此 while ($row = sqlsrv_fetch_array($stmt)) { ... } 根本 return 没有任何行。
但您至少需要考虑以下几点:
- 始终在语句中使用参数以防止可能的 SQL 注入问题。 documentation ... sqlsrv_query函数中提到了语句准备和语句执行,可用于执行参数化查询.
- 不要在数据库中以明文形式存储密码。
以下基于您的代码的基本示例是您问题的可能解决方案:
<?php
session_start();
if (!empty($_POST)) {
if (isset($_POST['username']) && isset($_POST['password'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$connectionInfo = array("Database"=>"WebUIUsers", "UID"=>"DBUser", "PWD"=>"Password1234");
$conn = sqlsrv_connect("sqlserver01", $connectionInfo);
if ($conn === false) {
//echo "Connection to database could not be established: ".print_r(sqlsrv_errors(), true);
header("Location: ./index.php");
exit;
}
$sql = "SELECT * FROM tbl_webui_users WHERE username = ?";
$prms = array($username);
$stmt = sqlsrv_query($conn, $sql, $prms);
if ($stmt === false) {
//echo "Error (sqlsrv_query): ".print_r(sqlsrv_errors(), true);
header("Location: ./index.php");
exit;
}
// User doesn't exists
if (!sqlsrv_has_rows($stmt)) {
header("Location: ./index.php");
exit;
}
// User exists, but the password is wrong
$row = sqlsrv_fetch_array($stmt));
if ($row === false) {
header("Location: ./index.php");
exit;
}
if ($row["password"] === $password) {
$_SESSION['user_session'] = $username;
header("Location: ./dashboard.php");
} else {
header("Location: ./index.php");
}
}
}
?>
我的 PHP 站点正在连接到 SQL 服务器数据库,然后创建会话并重定向到 'dashboard':
- 如果用户名和密码错误,它会重定向 - 效果很好。
- 如果用户名存在但密码错误,则重新加载失败?
看起来很简单,但我遇到了麻烦,请提供帮助。
还有改进此代码的建议也很好:)
<?php
session_start();
if ( ! empty( $_POST ) ) {
if ( isset( $_POST['username'] ) && isset( $_POST['password'] ) ) {
$username = $_POST['username'];
$password = $_POST['password'];
$connectionInfo = array( "Database"=>"WebUIUsers", "UID"=>"DBUser", "PWD"=>"Password1234");
$conn = sqlsrv_connect( "sqlserver01", $connectionInfo);
if( $conn ) {
// Connection established
$sql = "SELECT * FROM tbl_webui_users WHERE username='$username'";
$stmt = sqlsrv_query( $conn, $sql );
if(!(sqlsrv_fetch_array( $stmt )) >=1){
header("Location: ./index.php");
}
// if username exists but password is wrong redirect to try again ?
while( $row = sqlsrv_fetch_array( $stmt ) ) {
if( $row[password] === $password ) {
$_SESSION['user_session'] = $username;
header("Location: ./dashboard.php");
sqlsrv_free_stmt( $stmt);
}else{
header("Location: ./index.php");
} //end if( $row[password] == $password )
} //end while( $row = sqlsrv_fetch_array( $stmt ) )
}else{
echo "Connection to database could not be established.";
( print_r( sqlsrv_errors(), true));
} //end if( $conn )
} //end if
} // end if
?>
这种意外行为的真正原因是您调用了 sqlsrv_fetch_array() 两次,因此 while ($row = sqlsrv_fetch_array($stmt)) { ... } 根本 return 没有任何行。
但您至少需要考虑以下几点:
- 始终在语句中使用参数以防止可能的 SQL 注入问题。 documentation ... sqlsrv_query函数中提到了语句准备和语句执行,可用于执行参数化查询.
- 不要在数据库中以明文形式存储密码。
以下基于您的代码的基本示例是您问题的可能解决方案:
<?php
session_start();
if (!empty($_POST)) {
if (isset($_POST['username']) && isset($_POST['password'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$connectionInfo = array("Database"=>"WebUIUsers", "UID"=>"DBUser", "PWD"=>"Password1234");
$conn = sqlsrv_connect("sqlserver01", $connectionInfo);
if ($conn === false) {
//echo "Connection to database could not be established: ".print_r(sqlsrv_errors(), true);
header("Location: ./index.php");
exit;
}
$sql = "SELECT * FROM tbl_webui_users WHERE username = ?";
$prms = array($username);
$stmt = sqlsrv_query($conn, $sql, $prms);
if ($stmt === false) {
//echo "Error (sqlsrv_query): ".print_r(sqlsrv_errors(), true);
header("Location: ./index.php");
exit;
}
// User doesn't exists
if (!sqlsrv_has_rows($stmt)) {
header("Location: ./index.php");
exit;
}
// User exists, but the password is wrong
$row = sqlsrv_fetch_array($stmt));
if ($row === false) {
header("Location: ./index.php");
exit;
}
if ($row["password"] === $password) {
$_SESSION['user_session'] = $username;
header("Location: ./dashboard.php");
} else {
header("Location: ./index.php");
}
}
}
?>