2014-11-22 244 views
1

我试图让数据库用户登录时,如果他们的凭据存在,问题是,每当我在登录屏幕中输入详细信息时,它总是会返回Invalid Login Credentials,不管名称/密码是否在数据库中。使用mySQL和PHP登录问题

这里是我的工作:

loginSubmit.php

<?php 

//begin our session 
session_start(); 

//Check the username and password have been submitted 
if(!isset($_POST['Username'], $_POST['Password'])) 
{ 
    $message = 'Please enter a valid username and password'; 
} 

else 
{ 
    //Enter the valid data into the database 
    $username = filter_var($_POST['Username'], FILTER_SANITIZE_STRING); 
    $password = filter_var($_POST['Password'], FILTER_SANITIZE_STRING); 

    //Encrypt the password 
    $password = sha1($password); 

    //Connect to the database 
    $SQLusername = "root"; 
    $SQLpassword = ""; 
    $SQLhostname = "localhost"; 
    $databaseName = "jfitness"; 

    try 
    { 
     //connection to the database 
     $dbhandle = mysql_connect($SQLhostname, $SQLusername, $SQLpassword) 
      or die("Unable to connect to MySQL"); 
     echo "Connected to MySQL<br>"; 

     //select a database to work with 
     $selected = mysql_select_db($databaseName, $dbhandle) 
       or die("Could not select database"); 

     $query = "SELECT * FROM 
       customers WHERE name = 
       ('$_POST[Username]' AND password = '$_POST[Password]')"; 

     $result = mysql_query($query) or die(mysql_error()); 
     $count = mysql_num_rows($result); 

     if($count == 1) 
     { 
      $_SESSION['username'] = $username; 
     } 
     else 
     { 
      echo "Invalid Login Credentials"; 
     } 

     if(isset($_SESSION['username'])) 
     { 
      $username = $_SESSION['username']; 
      echo "Hello " . $username; 
     } 

    } 
    catch(Exception $e) 
    { 

     $message = 'We are unable to process your request. Please try again later"'; 
    } 


} 
?> 
<html> 
<head> 
<title>Login</title> 
</head> 
<body> 
</body> 
</html> 

的login.php

<html> 
    <head> 
     <title>Login</title> 
    </head> 
    <body> 
     <h2>Login Here</h2> 
     <form action="loginSubmit.php" method="post"> 
      <fieldset> 
       <p> <label for="Username">Username</label> 
        <input type="text" id="Username" name="Username" value="" maxlength="20" /> 
       </p> 
       <p> 
        <label for="Password">Password</label> 
        <input type="text" id="Password" name="Password" value="" maxlength="20" /> 
       </p> 
       <p> 
        <input type="submit" value="Login" /> 
       </p> 
      </fieldset> 
     </form> 
    </body> 
</html> 

ADDUSER

//Enter the valid data into the database 
    $username = filter_var($_POST['Username'], FILTER_SANITIZE_STRING); 
    $password = filter_var($_POST['Password'], FILTER_SANITIZE_STRING); 

    //Encrypt the password 
    $password = sha1($password); 

    //Connect to the database 
    $SQLusername = "root"; 
    $SQLpassword = ""; 
    $SQLhostname = "localhost"; 
    $databaseName = "jfitness"; 

    try 
    { 
     //connection to the database 
     $dbhandle = mysql_connect($SQLhostname, $SQLusername, $SQLpassword) 
      or die("Unable to connect to MySQL"); 
     echo "Connected to MySQL<br>"; 

     //select a database to work with 
     $selected = mysql_select_db($databaseName, $dbhandle) 
       or die("Could not select database"); 

     $sql = "INSERT INTO 
       customers (name, password) 
       VALUES 
       ('$_POST[Username]','$_POST[Password]')"; 

     if(!mysql_query($sql, $dbhandle)) 
     { 
      die('Error: ' . mysql_error()); 
     } 

     //Unset the form token session variable 
     unset($_SESSION['formToken']); 

     echo "1 record added"; 

     //close the connection 
     mysql_close($dbhandle); 

    } 
    catch (Exception $ex) 
    { 
     if($ex->getCode() == 23000) 
     { 
      $message = 'Username already exists'; 
     } 
     else 
     { 
      $message = 'We are unable to process your request. Please try again later"'; 
     } 
+0

密码被保存为'sha1'开头? – 2014-11-22 23:25:31

+0

嗨Fred -ii,请你稍微详细一点,我正在跟随一篇教程,因为我是新来的PHP – user2757842 2014-11-22 23:32:27

+0

如果密码没有使用'sha1'保存在数据库中,那么你将无法登录。 – 2014-11-22 23:34:39

回答

4

可能是因为这个原因,你有括号的方式。
- 请参阅下面有关使用预准备语句和password_hash()的笔记。

SELECT * FROM customers 
WHERE name = ('$_POST[Username]' 
AND password = '$_POST[Password]') 

将其更改为:

SELECT * FROM customers 
WHERE name = '$username' 
AND password = '$password' 

,并用于测试目的,尝试删除

$password = filter_var($_POST['Password'], FILTER_SANITIZE_STRING); 

,可能会影响/拒绝字符。确保没有空白区域。

也在发生变化if($count == 1)if($count > 0)

if(mysql_num_rows($result) > 0){

您的密码不被散列
测试你的adduser的代码后更换$count = mysql_num_rows($result); if($count == 1) {,我注意到的是,您的哈希密码不被存储作为一个散列。

将您的Adduser页面中的('$_POST[Username]','$_POST[Password]')更改为('$username','$password')

我建议你搬到mysqli with prepared statementsPDO with prepared statements,他们更安全

就目前而言,您现在的代码可以使用SQL injection

这是一个很好的网站使用PDO与准备好的语句和password_hash()

参见:

CRYPT_BLOWFISH或PHP 5.5的password_hash()功能。
对于PHP < 5.5使用password_hash() compatibility pack

0

试试这个队友

$query = "select * from customer where name = '" .$username ."' and password = '" .$password ."'";   
//use the SANITIZED data  

    $result = mysql_query($query);     
    $row = mysql_fetch_assoc($result);       
if($row) {      
       $_SESSION['name'] = $row['name'];        
       $_SESSION['password'] = $row['password'];         


    }     
else { //not found      
header('Location: go back.php?error=2');       
     } 

    echo "Hello " . $username;  
+0

不幸的是:/谢谢 – user2757842 2014-11-23 00:04:50