这是我的登录代码会话没有得到声明
global $connection;
if (isset($_POST['user_login'])) {
$email = $_POST['email'];
$password = $_POST['password'];
$password= md5($password);
$login = mysqli_query($connection, "SELECT * FROM user WHERE email ='{$email}' AND password = '{$password}' ");
if(!$login) {
die("QUERY FAILED" . mysqli_error($connection));
}
if(!$login || mysqli_num_rows($login) == 0) {
echo "<div class='alert alert-danger' role='alert'> <strong>Your Username or Password is invalid!</strong></div>";
} else {
$_SESSION['user_id'] = $user_id;
$_SESSION['email'] = $email;
$_SESSION['username'] = $username;
header('Location: index.php');
}
}
我用的print_r函数来显示所有的会话,但只对会话邮件是越来越声明。为什么没有声明user_id和username?我做错了什么?
你是否开始会话?它看起来不像我 –
您的代码易受[** SQL注入**](https://en.wikipedia.org/wiki/SQL_injection)攻击的影响。你应该使用[** mysqli **](https://secure.php.net/manual/en/mysqli.prepare.php)或[** PDO **](https://secure.php.net/ manual/en/pdo.prepared-statements.php)准备带有绑定参数的语句,如[**这篇文章**]所述(https://stackoverflow.com/questions/60174/how-can-i-prevent-sql步喷射功能于PHP)。 –
MD5不足以进行密码散列。使用['password_hash()'](http://us3.php.net/manual/en/function.password-hash.php)和['password_verify()'](http://us3.php.net/ manual/en/function.password-verify.php)。 –