我正在建立一个与数据库链接的登录系统,我想在从数据库中检查数据后显示一个html文件。因此,我使用了(include方法),它向我显示了控制台中不在Web上的html文件。页。我已经尝试使用(require方法)并将其更改为php文件,并且仍在执行相同操作。<?php$dbsevername = "127.0.0.1";$dbusername = "root";$dbpassword = "**************";$dbname = "loginsystem";$dbport = '3306';$username = $_POST['username'];$password = $_POST['password'];$_SESSION["favcolor"] = "green";$conn = mysqli_connect($dbsevername, $dbusername, $dbpassword,$dbname);$sql = "SELECT * FROM passwords where username='$username' and password='$password';";$result = mysqli_query($conn, $sql);$resultCheck = mysqli_num_rows($result); // = 2if ($resultCheck > 0) { while($row = mysqli_fetch_assoc($result)){ if ($row['username'] == $username && $row['password'] == $password) { include("true.html"); } }}else { include("false.html");}mysqli_close($conn);?>我想在检查数据时打开(true.php)或(false.php)。
3 回答
慕少森
TA贡献2019条经验 获得超9个赞
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
if ($uid == null){
header("Location: ../index.php?message=ERROR 001 - Username or Password can not be
blank!");
exit();
}
if ($pwd == null){
header("Location: ../index.php?message=ERROR 001 - Username or Password can not
be blank!");
exit();
}
if ($stmt = $link->prepare("SELECT password FROM users WHERE username=?")) {
$stmt->bind_param("s", $uid);
$stmt->execute();
$stmt->bind_result($pass);
$stmt->fetch();
$stmt->close();
}
if (!$stmt) {
header("Location: ../index.php?message=ERROR 003 - Connection to the database could
not be established!");
exit();
}
$hash_pwd = $pass;
if ($hash_pwd == crypt($pwd, $hash_pwd)){
$decrypt = 1;
}else{
$decrypt = 0;
}
if ($decrypt == 0){
include ("false.html");
exit();
} else {
$stmt = $link->prepare("SELECT id FROM users WHERE username='$uid' AND password=?");
$stmt->bind_param("s", $hash_pwd);
$stmt->execute();
$stmt->bind_result($id);
$stmt->fetch();
$stmt->close();
$_SESSION['id'] = $id;
include ("true.html");
}
这应该更好地工作。您必须更改数据库的相关详细信息。我已开始为您存储ID的会话变量。
莫回无
TA贡献1865条经验 获得超7个赞
我想在检查数据时打开(true.php)或(false.php)。
我认为您在这里是一个新手的常见疏忽,因为此刻您仅检查数据是否正确,而不处理其他任何事情:我在下面的代码中进行了注释,以证明我的意思。
//if there is at least 1 result then check the data otherwise include false
if ($resultCheck > 0) {
//while we go through the results check each one
while($row = mysqli_fetch_assoc($result)){
//if the username and password match include true.html
//however you don't break out of the loop, you keep checking
//if you have decided to include true you should use break;
if ($row['username'] == $username && $row['password'] == $password) {
include("true.html");
}
//otherwise do what? this should say else include false and then should probably break out the loop here as the
//this will not fall through into the else block below as that is based on the parent condition
//so you will never include a false in this loop - only if there were 0 rows to begin with
//this means that eventually, whenever our loop finishes we will skip
//down to the next executionable line which is marked with !!!
}
}else {
include("false.html");
}
//!!!
您的代码还有其他一些明显的问题,例如您似乎将密码存储在数据库中的痛苦文本中,应该对它们进行哈希处理和验证,因此,您永远不能只看密码行==输入,我建议谷歌搜索php函数password_hash和password_verify
您也不应该使用while循环,在您的登录系统中,您必须具有唯一的用户名和密码组合,因此您应该只返回1行-如果您有多于1行,如何确认他们是谁?因此,您应该使用与pdo-> fetch()相当的mysqli等效项(我不知道是副手,因为我仅使用pdo)
这使我想到了一个事实,您应该使用准备好的语句来打击sql注入,此刻,此登录系统可以轻松地用于使某人完全访问所有以纯文本存储的用户名和密码。
qq_笑_17
TA贡献1818条经验 获得超7个赞
我会将HTML文件重命名为PHP。
这实际上是您的代码吗?只是检查一下,因为文件是否为远程URL会有所不同。
您正在使用while循环来包含一个只会产生1个结果的HTML文件。有更好的方法可以做到这一点,但是无论这是否可行,这都不是问题。有什么错误吗?
尝试
include './true.php';
代替
include ("true.html");- 3 回答
- 0 关注
- 147 浏览
添加回答
举报
0/150
提交
取消