我为我的 signin.php 文件编写了 php 代码,我的查询适用于我的用户名,但是当我输入密码变量时,它没有做任何事情。我希望用户输入用户名和密码,因为要进入受限页面,他们只需要输入用户名和密码即可。它检查用户名是否在数据库表中,如果是,则转到受限页面。我发布了这样的问题,得到了很好的答案,但我不知道将信息放在哪里,这是我的 process.php :
<?php
include("db.php");
$username = $_POST['username'];
$pw = $_POST['StorePassword'];
if ( isset( $_POST['login'] ) ) {
$query = mysqli_query($conn, "SELECT * FROM users WHERE username='".$username."' StorePassword='".$pw."' ");
$StorePassword = password_hash($pw, PASSWORD_BCRYPT, array('cost' => 8));
if ( mysqli_num_rows($query) > 0 ) {
while ( $row = mysqli_fetch_assoc( $query ) ) {
if ( $row['StorePassword'] == $pw ) {
header("Location: home.php");
} else {
echo "Wrong password";
}
}
} else {
echo "User not found <br />";
}
if(empty($pw)){
echo"Please enter your password.";
} else{
}
}
?>
<html>
<body>
<a href="signin.php">Please try again</a>
</body>
</html>
最佳答案
首先你应该使用prepared statements为了安全。
第 1 步:您要检查是否已输入用户名和密码:
if ( !isset($_POST['username'], $_POST['password']) ) {
// Could not get the data that should have been sent.
die ('You must enter a username and password!');
}
第 2 步:根据您的数据库检查用户名:
if ($stmt = $conn->prepare('SELECT password FROM users WHERE username = ?')) {
// Bind parameters (s = string, i = int, b = blob, etc), hash the password using the PHP password_hash function.
$username = $_POST['username'];
$stmt->bind_param('s', $username);
if(!$stmt->execute()){
trigger_error("there was an error....".$mysqli->error, E_USER_WARNING);
}
$stmt->store_result();
第 3 步: 检查密码匹配 ( Php manual for password_verify ) :
if ($stmt->num_rows > 0) {
$stmt->bind_result($password);
$stmt->fetch();
// Account exists, now we verify the password.
if (password_verify($_POST['password'], $password)) {
// Verification success! User has loggedin!
header("Location: home.php");
} else {
echo 'Incorrect username and/or password!';
}
} else {
echo 'User doesnt exist';
}
$stmt->close();
一起:
<?php
session_start();
include("db.php");
if ( !isset($_POST['username'], $_POST['password']) ) {
// Could not get the data that should have been sent.
die ('Username and/or password not set');
}
// Prepare our SQL
if ($stmt = $mysqli->prepare('SELECT password FROM users WHERE username = ?')) {
// Bind parameters (s = string, i = int, b = blob, etc), hash the password using the PHP password_hash function.
$username = $_POST['username'];
$username = strtolower($username);
$stmt->bind_param('s', $username);
if(!$stmt->execute()){
trigger_error("there was an error....".$mysqli->error, E_USER_WARNING);
}
$stmt->store_result();
// Store the result so we can check if the account exists in the database.
if ($stmt->num_rows > 0) {
$stmt->bind_result($password);
$stmt->fetch();
// Account exists, now we verify the password.
if (password_verify($_POST['password'], $password)) {
// Verification success! User has loggedin!
header("Location: home.php");
} else {
echo 'Incorrect username and/or password!';
}
} else {
echo 'Incorrect username blar password!';
}
$stmt->close();
} else {
echo 'Could not prepare statement!';
}
?>
查看有关准备语句的 php 指南 http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
关于php - 登录系统密码和用户名,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/33461971/