MySQL查詢是罰款，不給的值或錯誤

Question

我試圖找到如何檢查一個名爲主動變等於1。我在嘗試函數低於：

function login($email, $password, $mysqli) { 
    // Using prepared statements means that SQL injection is not possible. 
    if ($stmt = $mysqli->prepare("SELECT id, username, password, salt, active 
        FROM members 
            WHERE email = ? LIMIT 1")) { 
     $stmt->bind_param('s', $email); // Bind "$email" to parameter. 
     $stmt->execute(); // Execute the prepared query. 
     $stmt->store_result(); 

     // get variables from result. 
     $stmt->bind_result($user_id, $username, $db_password, $salt, $active); 
     $stmt->fetch(); 

     // hash the password with the unique salt. 
     $password = hash('sha512', $password . $salt); 
     if ($stmt->num_rows == 1) { 

      // If the user exists we check if the account is locked 
      // from too many login attempts 
      if (checkbrute($user_id, $mysqli) == true) { 
       // Account is locked 
       // Send an email to user saying their account is locked 
       return false; 
      } else { 
       // Check if the password in the database matches 
       // the password the user submitted. 
       if ($db_password == $password) { 
        // Password is correct! 
        // Get the user-agent string of the user. 
        $user_browser = $_SERVER['HTTP_USER_AGENT']; 

        // XSS protection as we might print this value 
        $user_id = preg_replace("/[^0-9]+/", "", $user_id); 
        $_SESSION['user_id'] = $user_id; 

        // XSS protection as we might print this value 
        $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username); 

        $_SESSION['username'] = $username; 
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser); 
       } else { 
        // Password is not correct 
        // We record this attempt in the database 
        $now = time(); 
        if (!$mysqli->query("INSERT INTO login_attempts(user_id, time) 
            VALUES ('$user_id', '$now')")) { 
         header("Location: ../error?err=Database error: login_attempts"); 
         exit(); 
        } 

        return false; 
       } 
      } 
     } else { 
      // No user exists. 
      return false; 
     } 
    } else { 
     // Could not create a prepared statement 
     header("Location: ../error?err=Database error: cannot prepare statement"); 
     exit(); 
    } 
} 

我假設我在$ mysqli-> prepare語句中添加活動的地方是正確的。 我想要做的是如果用戶得到他們的密碼正確我會查詢MySQL表，看他的帳戶是活躍（1）或不活躍（0）。如果它被設置爲0，則它​​會登錄並且沒有錯誤。然而，在我的process_login.php文件時，它會記錄用戶如果是（0），但的index.php？ERR = 1

<?php 

include_once 'db_connect.php'; 
include_once 'functions.php'; 

sec_session_start(); // Our custom secure way of starting a PHP session. 

if (isset($_POST['email'], $_POST['p'])) { 
    $email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL); 
    $password = $_POST['p']; // The hashed password. 

    if (login($email, $password, $mysqli) == true) { 

     // Login success 
     header("Location: ../protected_page.php"); 

     exit(); 
    } else { 
     // Login failed 
     header('Location: ../index.php?error=1'); 
     echo $active; 
     exit(); 
    } 
} else { 
    // The correct POST variables were not sent to this page. 
    header('Location: ../error.php?err=Could not process login'); 
    exit(); 
} 

當我嘗試回聲變量$主動將沒有返回值。 提前感謝任何幫助。

Answer 1

發佈這是一個社區的wiki;我不想代表它，也不應該從它做出。

答：你沒有照做，因爲它被寫了教程。

• http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

因爲很明顯，這一種情況，即代碼來自;我知道這一切都很好。

你修改了代碼的某些部分，並留下了一些出也。

回到本教程，並關注它「」到T「。您可能還必須清除當前的哈希值並重新開始。

確認表的創建正是完成，如圖所示。如果你沒有做出正確的列和正確的長度，那麼會在你身上「默默地」。

請教我問題下也留下評論。