PHP: mysql set a login

I'm super confused, my code outputs this:
```text
posted login: login
posted password: pass
database login: login
database pass: pass
database id: 1
database user: IDKMyName
database creator: True
database admin: True
database master: True
failed
```
The main part is the last line, "failed"; it should say "logged in". The posted user and the database user are the same, and the posted pass and database pass are the same, so idk.

ps. The echoes are only there for debugging and won't be in the final code.
```php
<?php
session_start();

$db_login = "";
$db_pass = "";
$db_id = "";
$db_user = "";
$db_creator = "";
$db_admin = "";
$db_master = "";

$servername = "localhost";
$username = "root";
$password = "";
$database = "main_db";

// Create connection
$conn = new mysqli($servername, $username, $password, $database);

$submitlogin = $_POST['user'];
$submitpass = $_POST['password'];

$query = $conn->query("SELECT * FROM main_table WHERE login = '$submitlogin' && pass = '$submitpass'", MYSQLI_USE_RESULT);
if ($query) {
    while ($row = $query->fetch_array()) {
        // PHP_EOL is appended to every value copied out of the row
        $db_login = $row['login'] . PHP_EOL;
        $db_pass = $row['pass'] . PHP_EOL;
        $db_id = $row['ID'] . PHP_EOL;
        $db_user = $row['user'] . PHP_EOL;
        $db_creator = $row['creator'] . PHP_EOL;
        $db_admin = $row['admin'] . PHP_EOL;
        $db_master = $row['master'] . PHP_EOL;
    }
}

// debug output only
echo "posted login: " . $submitlogin . "<br>";
echo "posted password: " . $submitpass . "<br>";
echo "database login: " . $db_login . "<br>";
echo "database pass: " . $db_pass . "<br>";
echo "database id: " . $db_id . "<br>";
echo "database user: " . $db_user . "<br>";
echo "database creator: " . $db_creator . "<br>";
echo "database admin: " . $db_admin . "<br>";
echo "database master: " . $db_master . "<br>";

if ($submitlogin != $db_login && $submitpass != $db_pass) {
    $_SESSION['ID'] = 'NULL';
    $_SESSION['loggedin'] = 'False';
    $_SESSION['login'] = '';
    $_SESSION['pass'] = '';
    $_SESSION['user'] = '';
    $_SESSION['creater'] = 'False';
    $_SESSION['admin'] = 'False';
    $_SESSION['master'] = 'False';
    echo "failed";
    echo "<a href='/wip/login/'>try again</a>";
} else {
    $_SESSION['login'] = $db_login;
    $_SESSION['pass'] = $db_pass;
    $_SESSION['id'] = $db_id;
    $_SESSION['user'] = $db_user;
    $_SESSION['creator'] = $db_creator;
    $_SESSION['admin'] = $db_admin;
    $_SESSION['master'] = $db_master;
    $_SESSION['loggedin'] = 'True';
    echo "logged in";
    echo "<a href='/wip/'>go</a>";
}

mysqli_close($conn);
?>
```
[Little Bobby](http://bobby-tables.com/) says **[you are at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even **[escaping the string](https://stackoverflow.com/q/5741187)** is not safe! I recommend `PDO`, which I [wrote a function for](http://paragoncds.com/grumpy/pdoquery/#function) to make it very easy, **very clean**, and **more secure** than using non-parameterized queries. – GrumpyCrouton
**Please don't use plain-text passwords!** Please use PHP's **[built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)** (`password_hash()` and `password_verify()`) to handle password security. If you are using a PHP version lower than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). **It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)** or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding. – GrumpyCrouton
Also, please don't use the `root` db user –
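The following is an added example that is not part of the question or the comments above. It rewrites the login handler along the lines the comments recommend (a parameterized MySQLi query, `password_hash()`/`password_verify()`, a non-root database account) and also removes the `PHP_EOL` that the posted code appends to every fetched column, which leaves `$db_login` holding `"login\n"` while the posted value is `"login"` (the `<br>` debug output hides that trailing newline). It assumes the same table layout as the question, that the `pass` column now stores `password_hash()` output, a database account named `app_user` with a placeholder password, and a PHP build with mysqlnd so that `get_result()` is available.

```php
<?php
// Added example, not the asker's code. Assumptions: main_table has the columns
// used in the question, `pass` holds a password_hash() result, and "app_user"
// is a dedicated, non-root DB account (placeholder credentials).
session_start();

$conn = new mysqli("localhost", "app_user", "app_user_password_placeholder", "main_db");
if ($conn->connect_error) {
    http_response_code(500);
    exit("database unavailable");
}

// When an account is created, only the hash of the password is stored.
// (Assumes the other columns have defaults or are filled elsewhere.)
function store_new_user(mysqli $conn, string $login, string $plain): void
{
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $conn->prepare("INSERT INTO main_table (login, pass) VALUES (?, ?)");
    $stmt->bind_param("ss", $login, $hash);
    $stmt->execute();
    $stmt->close();
}

$submitlogin = $_POST['user'] ?? '';
$submitpass  = $_POST['password'] ?? '';

// Look the row up by login only; the password is checked against the stored
// hash in PHP. The "?" placeholder keeps the user-supplied login out of the
// SQL text, so no escaping is needed and quotes in the input cannot alter it.
$stmt = $conn->prepare(
    "SELECT ID, login, pass, user, creator, admin, master FROM main_table WHERE login = ?"
);
$stmt->bind_param("s", $submitlogin);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();   // null when no row matches
$stmt->close();

// The raw column values are used as-is: nothing is appended to them, so the
// comparison problem from the question cannot occur.
if ($row === null || !password_verify($submitpass, $row['pass'])) {
    // Same response for "unknown login" and "wrong password", so the page
    // does not reveal which logins exist.
    $_SESSION = [];
    $_SESSION['loggedin'] = false;
    echo "failed";
    echo "<a href='/wip/login/'>try again</a>";
} else {
    session_regenerate_id(true);            // fresh session id once authenticated
    $_SESSION['id']       = (int) $row['ID'];
    $_SESSION['login']    = $row['login'];
    $_SESSION['user']     = $row['user'];
    $_SESSION['creator']  = (bool) $row['creator'];
    $_SESSION['admin']    = (bool) $row['admin'];
    $_SESSION['master']   = (bool) $row['master'];
    $_SESSION['loggedin'] = true;
    // The password, plain or hashed, is never copied into the session.
    echo "logged in";
    echo "<a href='/wip/'>go</a>";
}

$conn->close();
```

Because the password is verified in PHP against the stored hash, the `WHERE` clause no longer filters on `pass`, and the original `$submitlogin != $db_login && $submitpass != $db_pass` test (which with `&&` only fails when both values differ) is replaced by a single `password_verify()` result that decides the outcome.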