-2
我有一段代码检查以确保您尝试登录的帐户实际存在并位于数据库中。但是,当我用测试帐户测试它时,当我尝试登录时(即使它正确并在数据库上),它说它不是。html php mysql登录正确,但显示它的错误
// login
if (isset($_POST[login])){
$username=mysqli_real_escape_string($db,$_POST['username']);
$password=mysqli_real_escape_string($db,$_POST['password']);
// ensure that form is filled right
if (empty($username)){
array_push($errors,"include username");
}
if (empty($password)){
array_push($errors,"include password");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($db,$query);
if (mysqli_num_rows($result) == 1){
$_SESSION['username'] = $username;
$_SESSION['success'] = "Hi you are now in";
header('location: index.php');
} else {
array_push($errors,"username or password are wrong");
//header('location: login.php');
}
}
}
有人可以告诉我它有什么问题吗? 谢谢。
编辑:
它通过注册页面中插入数据:
$username = "";
$email = "";
$errors = array();
// connect to the database
$db = mysqli_connect('localhost', 'wildeart_am','test', 'wildeart_register');
// if the register button is clicked
if (isset($_POST[register])) {
$username=mysqli_real_escape_string($db,$_POST['username']);
$email=mysqli_real_escape_string($db,$_POST['email']);
$password=mysqli_real_escape_string($db,$_POST['password']);
$confirmpassword=mysqli_real_escape_string($db,$_POST['cpassword']);
// ensure that form is filled right
if (empty($username)){
array_push($errors,"include username");
}
if (empty($email)){
array_push($errors,"include email");
}
if (empty($password)){
array_push($errors,"include password");
}
if($password != $confirmpassword){
array_push($errors,"The two passwords must match");
}
// register
if(count($errors) == 0){
$password = md5($password);
$sql = "INSERT INTO users (username, email, password)
VALUES ('$username', '$email','$password')";
mysqli_query($db, $sql);
$_SESSION['username'] = $username;
$_SESSION['success'] = "Hi you are now in";
header('location: index.php');
}
}
编辑2:
要尝试和MD5解决密码哈希密码哈希我所做的:
if(count($errors) == 0) {
$password = password_hash($password, PASSWORD_BCRYPT, $options);
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysqli_query($db,$query);
$row=mysqli_fetch_row($result);
$verify=password_verify($_POST['password'],$row[1]);
if($verify){
$_SESSION['username'] = $username;
$_SESSION['success'] = "Hi you are now in";
header('location: index.php');
}else{
array_push($errors,"username or password are wrong");
//header('location: login.php');
}
但它似乎仍然没有工作。
不应该'$ _ POST [登录]'是'$ _ POST [“登录”]'呢? – Mihailo
**不要存储由md5散列的密码!** PHP提供['password_hash()'](https://php.net/manual/en/function.password-hash.php)和['password_verify()'] (https://php.net/manual/en/function.password-verify.php)请使用它们。如果您使用的是5.5以前的PHP版本[这里有一个兼容包](https://github.com/ircmaxell/password_compat)。确保你[**不要转义密码**](https://stackoverflow.com/q/36628418/5914775)或在哈希之前使用其他任何清理机制。这样做会更改密码并导致不必要的附加编码。 –
@Mihailo PHP实际上会自行解决它,但会发出警告。 – Qirel