在PHP中無法登錄程序

Question

作爲我項目的一部分，我創建了一個登錄程序。我已經有了一個創建帳戶頁面，數據從中成功進入數據庫表格。但是我的登錄程序不起作用。以下是我的代碼。

<?php 


$db = mysql_connect('localhost','root','','childrenparty'); 


if(!$db){die('could not connect:'.mysql_error());} 

echo'connected successfully'; 


if (isset($_POST['loginbtn'])) { 

$username = $_POST['txtusername']; 
$password = $_POST['txtpassword']; 

$username = mysql_real_escape_string($username); 
$password = mysql_real_escape_string($password); 

$sql = "SELECT * FROM clientinfo WHERE Username ='".$username."'' AND 
Password='".$password."' LIMIT 1"; 
$result = mysql_query($sql); 
echo $sql; 

if(mysql_num_rows($result) == 1) 
    { 
    echo "<script> alert('Successfully Logged In')</script>"; 
    echo "<script> location.href = 'home.php' </script>"; 
    exit(); 
    } 
    else { 
    echo "<script> alert('Invalid Username and/or Password')</script>"; 
    exit(); 
    } 
    } 

    mysql_close($db); 




?> 

所以問題是，它總是顯示無效的用戶名和密碼，當我嘗試登錄，請幫助

Answer 1

您在SQL查詢中的錯誤，一個額外的'：

$sql = "SELECT * FROM clientinfo WHERE Username ='" . $username . "' AND 
Password='" . $password . "' LIMIT 1"; 

但有更危險問題在此代碼：

1. mysql_ *在PHP 5.5中不推薦使用，並且在PHP 7中刪除，因此您最好使用mysqli或PDO函數和準備好的語句。

2. 密碼存儲未加密的，這是一個巨大的漏洞

我會準備好的語句添加一個例子，以防止SQL注入：

<?php 
$db = new mysqli('localhost', 'root', '', 'childrenparty'); 

if ($db->connect_errno) { 
    echo 'Failed to connect to MySQL: (' . $db->connect_errno . ') ' . $db->connect_error; 
}else{ 
    echo 'Connected successfully'; 
} 

if (isset($_POST['loginbtn'])) { 

    $username = $_POST['txtusername']; 
    $password = $_POST['txtpassword']; 

    $username = $db->escape_string($username); 
    $password = $db->escape_string($password); 

    $query = $db->prepare('SELECT * FROM clientinfo WHERE Username=? AND Password=? LIMIT 1'); 
    $query->bind_param('ss', $username, $password); 
    $query->execute(); 

    $result = $query->get_result()->fetch_row(); 

    if (null !== $result) { 
     echo "<script> alert('Successfully Logged In')</script>"; 
     echo "<script> location.href = 'home.php' </script>"; 
     exit(); 
    } 

    echo "<script> alert('Invalid Username and/or Password')</script>"; 
    exit(); 
} 

$db->close(); 

Answer 2

嗨，我已經做了一些修改到你的代碼。這應該明確的工作。如果不是問題出在你設置的$ _POST變量名上。再次檢查Sql查詢以檢查它們是否與數據庫名稱相同。我假設你只是學習編寫代碼，所以現在不推薦使用mysql，所以儘量使用mysqli函數。

更多參考退房http://php.net/manual/en/book.mysqli.php

if (isset($_POST['loginbtn'])) { 

    $username = $_POST['txtusername']; 
    $password = $_POST['txtpassword']; 

    $username = mysql_real_escape_string($username); 
    $password = mysql_real_escape_string($password); 

    $sql = "SELECT * FROM clientinfo WHERE Username = '$username' AND 
    Password = '$password' LIMIT 1"; 
    $result = mysql_query($sql); 

    if(mysql_num_rows($result) == 1) 
     { 
     echo "<script> alert('Successfully Logged In')</script>"; 
     echo "<script> location.href = 'home.php' </script>"; 
     } 
     else { 
     echo "<script> alert('Invalid Username and/or Password')</script>"; 
     } 
     } 

Answer 3

 <?php 


$db = mysql_connect('localhost','root','','childrenparty'); 


    if(!$db){die('could not connect:'.mysql_error());} 

    echo'connected successfully'; 


if (isset($_POST['loginbtn'])) { 

$username = $_POST['txtusername']; 
$password = $_POST['txtpassword']; 

    $username = mysql_real_escape_string($username); 
    $password = mysql_real_escape_string($password); 

    $sql = "SELECT * FROM clientinfo WHERE Username ='$username' AND 
    Password='$password'"; 
mysql_select_db('childrenparty'); 
    $result = mysql_query($sql); 
$count = mysql_num_rows($result); 

if($count == 1) { 
echo "<script> alert('You Have Successfully Logged In')</script>"; 
echo "<script> location.href = 'home.php' </script>"; 
exit(); 
} else { 
echo "<script> alert('Invalid Username and/or Password')</script>"; 
} 
} 

    mysql_close($db); 




?> 

這個worked.thanks人的答覆。