php - $data=mysqli_fetch_array($result) 不起作用

Question

我试图在 php 中创建一个与 mysql 数据库连接的登录页面..下面是登录页面的 html 代码，在其中输入值，然后定向到 php 的第二页，在其中检查它们..

<html>
<head>
    <title>Library Login</title>
    <link rel="stylesheet" type="text/css" href="css/reset.css">
    <link rel="stylesheet" type="text/css" href="css/structure.css">
</head>
<body>
    <form class="box login" method="GET" action="http://localhost/redirect.php">
        <label align="center"><font size="6" color="grey">Library System</font></label>
        <fieldset class="boxBody">
        <label>Username</label>
        <input type="text"  placeholder="Username" required name="username">
        <label><a href="#" class="rLink" tabindex="5" ></a>Password</label>
        <input type="password" placeholder="Password" required name="password">
        <input type="submit" class="btnLogin" value="Login"  name="login">
        <input type="reset" class="btnLogin" value="Reset"  name="reset" >
        <label>
    </form>
</html>
</div>

下面是第二页的代码，无论输入什么条目，都只执行 else 条件...我是 Php 和 Mysql 新手...请帮助我...

<?php
$con=mysqli_connect("localhost","root","","project");

if(mysqli_connect_errno())
{
    echo "failed".mysqli_connect_errno();
}

$uid=$_GET['username'];
$pass=$_GET['password'];
$sql="SELECT *FROM login";
$result=mysqli_query($con,$sql);

while($data=mysqli_fetch_array($result))
{
    if($uid==$data['user'] and $pass==$data['pass'])
    {
        header('location:http://localhost/error/index.html');
    }
    else
    {
        header('location:http://localhost/mam.html');
    }
}

mysqli_close($con);
?>

Answer 1

好的，当您处理身份验证时，让我们稍微改进一下您的代码。

<?php

// Do not connect using root, especially when not setting a password:
$con=mysqli_connect("localhost","projectuser","password","project");
if(mysqli_connect_errno())
{
echo "failed".mysqli_connect_errno();
}

$uid = $_GET['username'];
$pass = $_GET['password'];

// This is the main problem, there was a typo:
$sql = "SELECT * FROM login";

// Directly ask the DB if the credentials are correct.
// Then you do not need the loop below.
// BUT: Do not forget to escape the data in this case!
$sql .= " WHERE uid = '" . mysqli_real_escape_string($uid) . "' AND pass = '" . mysqli_real_escape_string($pass) . "'";

$result=mysqli_query($con,$sql);
if ($result->num_rows === 1) {
    header('location:http://localhost/mam.html');
} else {
    header('location:http://localhost/error/index.html');
}
mysqli_close($con);
?>

进一步的改进是对数据库中的密码进行散列(和加盐)。

此外，正如 VMai 指出的那样，使用准备好的语句是合适的。