即使使用了错误的用户名和密码,我的登录表单仍能正常工作。我试图寻找答案,但我找不到我的错误。下面的代码:即使使用了错误的用户名和密码,登录仍然会直接进入主页(PHP/mySql)
<?php
include 'database.php'; ?>
<?php
if($_SERVER["REQUEST_METHOD"] == "POST"){
$username = mysqli_real_escape_string($connect,$_POST['username']);
$password = mysqli_real_escape_string($connect,$_POST['password']);
$query = "SELECT username, password FROM tbl_membership WHERE username =
'$username' AND password = '$password'";
$result = mysqli_query($connect, $query);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$active = $row['active'];
$count = mysqli_num_rows($result);
if(mysqli_num_rows($query) > 0){
$_SESSION["username"] = $username;
$_SESSION["password"] = $password;
header("location: welcome.php");
exit();
}if (mysqli_num_rows($query) != 0){
echo "Invalid.";
}
}
?>
**切勿以明文形式存储密码!**。只存储密码哈希!使用PHP的['password_hash()'](http://php.net/manual/en/function.password-hash.php)和['password_verify()'](http://php.net/manual/en /function.password-verify.php)。如果您运行的PHP版本低于5.5(我希望不是),那么可以使用[password_compat库](https://github.com/ircmaxell/password_compat)来获得相同的功能。 –
了解预防SQL注入的语句 – Jens
如果使用$ count而不是mysqli_num_rows($ query)if – Jens