我一生都无法弄清楚为什么这段代码不起作用。我对 MySQL 查询很陌生,所以我可能在那里做错了什么。
这是我的login.php
<?php
/**
* Created by PhpStorm.
* User: Michael
* Date: 10/25/2015
* Time: 4:35 AM
*/
require 'connect.php';
if(empty($_POST['Login_Username']) || empty($_POST['Login_Password'])){
header("Location: http://www.socksdevsite.com/PHP_Files/Display_Files/Login/displayloginfailed.php");
} else {
$username = "'DevSock'";
if($db->query('SELECT username FROM users WHERE username = $username')){
echo "Found user";
}else {
echo "Didn't find user";
}
}
我的connect.php
<?php
/**
* Created by PhpStorm.
* User: Michael
* Date: 10/25/2015
* Time: 11:58 AM
*/
$db = mysqli_connect('127.0.0.1', 'username', 'password') or die("Error logging in. Please notify an administrator!");
$db->select_db('Website_Storage');
echo "Connected and DB selected <br>";
最后是我的 phpMyAdmin 的屏幕截图。
最佳答案
首先您的问题如下:
WHERE username =$username'
其次将代码更改为:
WHERE username ='$username'"
因为$username是一个字符串,查看when to use single and double quotes
最后您应该为登录系统使用准备好的语句,您已经在使用 mysqli_ 所以转换应该不会太困难。 类似这样的:
if ($stmt = $mysqli->prepare('SELECT password FROM users WHERE username = ?')) {
// Bind parameters (s = string, i = int, b = blob, etc), hash the password using the PHP password_hash function.
$username = $_POST['username'];
$stmt->bind_param('s', $username);
if(!$stmt->execute()){
trigger_error("there was an error....".$mysqli->error, E_USER_WARNING);
}
$stmt->store_result();
您还可以使用 PDO!看看这个,Stackoverflow on PDO and mysqli pros and cons
查看 Stopping SQL injections 上的这个问题
关于php - 为什么我的 mysqli 登录验证不起作用?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/33334580/