我正在研究一个php脚本,用于检查已登录的用户,包括确保他们输入了电子邮件地址和密码,连接到sql并检查数据,注册会话和更新登录时间。正确的错误报告为
脚本不起作用,当用户完成表单并被导向到这个页面时,它会在ELSE语句后面的底部出现错误信息。它不会更新sql中的'last_login'。
我想知道如何开始解决这个脚本,我可以在哪里放置错误处理?
session_start();
include 'dbconuser.php';
//post var
$email_address = $_POST['email_address'];
$password = $_POST['password'];
//check both fields completed
if((!$email_address) || (!$password))
{
echo "Please enter ALL of the information!<br/>";
include 'login.htm';
exit();
}
$password = md5($password);
//connect and check data
$sql = mysqli_query($connection, "SELECT * FROM users WHERE email_address='$email_address' AND password='$password' AND activated='1'");
$login_check = mysqli_num_rows($sql);
if($login_check > 0)
{
while($row = mysqli_fetch_array($sql))
{
foreach($row AS $key => $val)
{
$key = stripslashes($val);
}
// register session
$_SESSION['first_name'] = $first_name;
$_SESSION['last_name'] = $last_name;
$_SESSION['email_address'] = $email_address;
$_SESSION['user_level'] = $user_level;
mysqli_query($connection, "UPDATE users SET last_login=now() WHERE userid='$userid'");
header("Location: index.php");
}
}
//error
else
{
include 'login_error.htm';
echo "You could not be logged in! Either the email_address and password do not match or you have not validated your membership!<br />
Please try again!<br />";
}
mix mysql和mysqli? – 2014-10-07 13:37:21
您有'mysqli _ *()'和不赞成的'mysql _ *()'函数调用的无效组合。回顾[我怎样才能防止PHP中的SQL注入](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)并开始将所有这些转换为MySQLi。使用链接问题中的示例和MySQLi ['prepare()/ execute()'](http://php.net/manual/en/mysqli.prepare.php)文档,现在是开始学习的时候了使用准备好的语句来纠正你的SQL注入漏洞。 – 2014-10-07 13:42:52
我不是一个SQL注入所以林不知道,但有人可能只是发布的东西,其中email_address是像'OR userid = 1; - – OIS 2014-10-07 13:47:11