我的登录信息将无法正常工作

Question

我可以注册一个用户，但是当我尝试用它登录，我有2个问题：

1：我可以登录使用的用户名，但我也能键入任何我想要的密码输入部分，我仍然登录（它不检查数据库中的真实密码）

2：当我尝试使用电子邮件和密码的组合，然后我无法登录在我只收到错误消息。

我在想问题在于我的$query select FROM members bla bla ...但我不确定。
对不起，这样的菜鸟。

这是register.php

<form method="post" action=""> 

<input type="text" name="username" placeholder="USERNAME"> 

<input type="password" name="password1" placeholder="PASSWORD"> 

<input type="password" name="password2" placeholder="CONFIRM PASSWORD"> 

<input type="text" name="email" placeholder="E-MAIL"> 

<input type="date" name="age" id="age" > 


<input type="radio" value="male" name="gender" checked> 
<input type="radio" value="female" name="gender"> 


<input type="submit" value="SIGN UP" name="create_member"> 
</form> 



<?php 

require_once ("core/connect.php"); 

if(isset($_POST['create_member'])) 
{ 
    $username = mysqli_real_escape_string($dbc, trim ($_POST['username'])); 
    $password1 = mysqli_real_escape_string($dbc, trim ($_POST['password1'])); 
    $password2 = mysqli_real_escape_string($dbc, trim ($_POST['password2'])); 
    $email = mysqli_real_escape_string($dbc, trim ($_POST['email'])); 
    $age = mysqli_real_escape_string($dbc, trim ($_POST['age'])); 
    $gender = mysqli_real_escape_string($dbc, trim ($_POST['gender'])); 

    if($password1 != $password2) 
    { 
     echo 'THE TWO PASSWORDS ARE NOT THE SAME'; 
    } 

    $hash = hash('sha256', $password1); 

    function createSalt() 
    { 
     $text = md5(uniqid(rand(), true)); 
     return substr($text, 0, 3); 
    } 

    $salt = createSalt(); 
    $password = hash('sha256', $salt . $hash); 

    if(!empty($username) && !empty($email) && !empty($password) && !empty($age) && !empty($gender)) 

    { 
     $query_ind = "INSERT INTO members VALUES ('', '$username', '$password', '$email', '$age' , '$gender', '$salt', NOW())"; 
     mysqli_query($dbc, $query_ind); 

    } 
    else 
    { 
     echo "FILL OUT THE FORM PLEASE"; 
    } 
} 
?> 

，这是login.php中

<?php 

$error_msg = ''; 

    if (isset($_POST['member_login'])) 
    { 
     // Grab the user-entered log-in data 
     $member_username = mysqli_real_escape_string($dbc, trim($_POST['username'])); 
     $member_email = mysqli_real_escape_string($dbc, trim($_POST['username'])); 
     $member_password = mysqli_real_escape_string($dbc, trim($_POST['password'])); 


     if (!empty($member_username) && !empty($member_password)) 
     { 
      // Look up the username and password in the database 
      $query = "SELECT * FROM members WHERE member_username = '$member_username' OR member_email = '$member_email' AND member_password = '$member_password'"; // SHA('$member_password')"; 

      $data = mysqli_query($dbc, $query); 

      if (mysqli_num_rows($data) == 1) 
      { 
       // The log-in is OK so set the user ID and username session vars (and cookies), and redirect to the home page 
       $row = mysqli_fetch_array($data); 

       $_SESSION['member_id'] = $row['member_id']; 
       $_SESSION['member_username'] = $row['member_username']; 
       $_SESSION['member_email'] = $row['member_email']; 

       setcookie('member_id', $row['member_id'], time() + (60 * 60 * 24 * 7)); // expires in 7 days 
       setcookie('member_username', $row['member_username'], time() + (60 * 60 * 24 * 7)); // expires in 7 days 
       setcookie('member_email', $row['member_email'], time() + (60 * 60 * 24 * 7)); // expires in 7 days 

       header('Location: ' . $_SERVER['PHP_SELF'] . '?page=mlog_in'); 


      } 
      else 
      { 
       // The username/password are incorrect so set an error message 
       $error_msg = ' INCORRECT INFOMATION, TRY AGAIN. '; 
      } 
     } 
     else 
     { 
     // The username/password weren't entered so set an error message 
     $error_msg = ' INCORRECT INFOMATION, TRY AGAIN. '; 
     } 
    } 

    mysqli_close($dbc); 

if(!isset($_SESSION['member_id'])) 
{ 
    ?> 
      <div class="sixteen columns"> 
      <h2>LOGIN</h2> 
      <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post" class="sixteen columns"> 

      <input required type="text" name="username" placeholder="USERNAME/E-MAIL"/> 
      <input required type="password" name="password" placeholder="PASSWORD" /> 

      <input required type="submit" name="member_login" value="LOGIN" /> 

      <input type="checkbox" name="remember" value="1"><span>REMEMBER ME</span> 

       <?php 
        echo '<p>' . $error_msg . '</p>'; 
       ?> 

      <?php 
      echo '<a href="index.php?page=register" title="CLICK TO SIGN UP">MAKE A PROFILE</a>'; 
      ?> 


     </form> 
     </div> 

    <?php 
} 


    else 
{ 
    $profile = ''; 
    if(isset($_GET['profile'])) 
    { 
     $profile = $_GET['profile']; 
    } 

    ?> 


    <?php 
     switch($profile) 
     { 

      default : 
       require_once 'profile/userpage.php'; 
      break; 

     } 
} 

?> 

Answer 1

你的SQL查询只要符合member_username = '$member_username'或member_email = '$member_email' AND member_password = '$member_password' 尝试将其更改为

SELECT * 
FROM members 
WHERE member_password = '$member_password' 
AND (member_username = '$member_username' OR member_email = '$member_email'); 

请参阅Operator Precedence in Mysql for m矿石信息。

Answer 2

有两个问题与您的登录。两者都与您的SELECT有关，但是由于不同的原因。

首先，逻辑运算符AND和OR只是：运营商。像数学运算符一样，它们有一个操作顺序。 与添加之前进行乘法的方式相同，您可以在OR之前进行。

现在让我们来仔细看看你的选择，而对于清晰度替代几个变量。

WHERE username=$username OR email=$email AND password=$password 

如果我们按照操作顺序的意思是“email = $ email and password = $ password”将首先被评估。如果他们试图使用用户名登录，这将始终是错误的，因为用户名不等于电子邮件。新的公式是这样的：

WHERE username=$username OR false 

因为他们正试图用一个用户名登录，则表达式的第一部分将评估为真，这意味着整个表达式的值为true。这就是为什么当你尝试用用户名登录时，使用什么密码并不重要。

现在，如果他们试图利用电子邮件进行登录。在这种情况下，您忘记了散列密码，因此数据库密码永远不会匹配密码变量。

希望清除它。