duanmao1919 2015-11-24 01:02

PHP MySQL login fails

I have to create a login system using PHP and MySQL. The user has to be granted access if his username and password exist in the database. I have the following code, but after I enter the fields, it returns to the same page. I'm new to programming in PHP and Stack Overflow. Please help.

    <?php
    ini_set('display_errors',1);
    error_reporting(E_ALL);
    //Start session
    session_start();

    //Include database connection details
    require_once('config.php');

    //Array to store validation errors
    $errmsg_arr = array();

    //Validation error flag
    $errflag = false;

    //Connect to mysql server
    $link = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_DATABASE);
    if(!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }

    //Select database
    $db = mysqli_select_db($link, DB_DATABASE);
    if(!$db) {
        die("Unable to select database");
    }

    //Function to sanitize values received from the form. Prevents SQL injection
    function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysqli_real_escape_string($str);
    }

    //Sanitize the POST values
    $login = clean($_POST['login']);
    $password = clean($_POST['password']);

    //Input Validations
    if($login == '') {
        $errmsg_arr[] = 'Login ID missing';
        $errflag = true;
    }
    if($password == '') {
        $errmsg_arr[] = 'Password missing';
        $errflag = true;
    }

    //If there are input validations, redirect back to the login form
    if($errflag) {
        $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
        session_write_close();
        header("location: index.php");
        exit();
    }

    //Create query

    $result=mysqli_query("SELECT * FROM login-teachers WHERE login=$login AND password=".md5($_POST['password'])."");

    //Check whether the query was successful or not
    if($result) {
        if(mysqli_num_rows($result) == 1) {
            //Login Successful
            session_regenerate_id();
            $member = mysqli_fetch_assoc($result);
            $_SESSION['SESS_USERNAME'] = $member['member_id'];
            $_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
            $_SESSION['SESS_LAST_NAME'] = $member['lastname'];
            session_write_close();
            header("location: member-index.php");
            exit();
        }else {
            //Login failed
            header("location: login-failed.php");
            exit();
        }
    }else {
        die("Query failed");
    }
    ?>

1 answer

  • drnf09037160 2015-11-24 01:19

    As I stated in comments:

    You're also not connecting here: $result=mysqli_query("SELECT...

    Then we have this: SELECT * FROM login-teachers. You are using a hyphen. It must be ticked.

    SELECT * FROM `login-teachers`
    
    • MySQL will interpret that as "login MINUS teachers" and think you want to do math.

    Having checked for errors, that alone would have thrown you a syntax error.

    Sidenote: To avoid ticking, rename your table using an underscore as a separator (login_teachers); the choice is yours.

    This AND password=".md5($_POST['password'])."" that is a string.

    It needs to read as AND password='".md5($_POST['password'])."'

    Sidenote: If $login is a string, then that too needs to be quoted.

    Yet, I would totally get rid of that MD5 altogether for password hashing.

    You're using MD5 which isn't considered safe to use as a password hashing function. If it's for your own personal use or educational purposes and won't see the light of day on the Web, fine.

    • Just don't go LIVE with this.

    Use one of the following:

    Other links:

    Plus, it's unsure if you did save that hash in the first place and if the column's type is correct and its length long enough to hold the hash.

    Also unsure if your POST arrays do hold values and that your form has a POST method. Use a conditional !empty() against those.

    Check for errors.

    Add error reporting to the top of your file(s) which will help find errors.

    <?php 
    error_reporting(E_ALL);
    ini_set('display_errors', 1);
    
    // rest of your code
    

    Sidenote: Displaying errors should only be done in staging, and never production.

    Also add or die(mysqli_error($link)) to mysqli_query().

    Then this: die("Unable to select database"); get the real error, mysqli_error($link), should there be any.

    Added note:

    I don't know why you're using this below; you already declared all 4 parameters above it and it can safely be removed:

    $db = mysqli_select_db($link, DB_DATABASE);
    if(!$db) {
        die("Unable to select database");
    }
    

    and make sure those constants are correctly defined.

    This answer was selected by the asker as the best answer.
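
The points raised in the answer, put together in one login handler. This is an added example, not code from the asker or the answerer: it swaps the quoted-string query for a mysqli prepared statement and MD5 for PHP's built-in password_hash()/password_verify(). It assumes config.php defines the DB_* constants from the question, the mysqlnd driver is installed, and the password column is a VARCHAR(255) filled by password_hash().

```php
<?php
// Added example. Assumed: DB_* constants from config.php, and a `password`
// column (VARCHAR(255)) holding password_hash() output instead of MD5.
declare(strict_types=1);
session_start();
require_once 'config.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function find_member(mysqli $link, string $login, string $password): ?array
{
    // Backticks are required because of the hyphen in the table name.
    // The ? placeholder keeps $login out of the SQL text entirely.
    $stmt = $link->prepare(
        'SELECT member_id, firstname, lastname, password
           FROM `login-teachers` WHERE login = ? LIMIT 1'
    );
    $stmt->bind_param('s', $login);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd

    // For an unknown login, verify against a throwaway hash so both paths
    // do comparable work before failing.
    $hash = $row['password'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !is_array($row)) {
        return null;
    }
    unset($row['password']);                     // never keep the hash around
    return $row;
}

$login    = $_POST['login'] ?? '';
$password = $_POST['password'] ?? '';
if (!is_string($login) || !is_string($password) || trim($login) === '' || $password === '') {
    header('Location: index.php');
    exit;
}
$link   = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_DATABASE);
$member = find_member($link, trim($login), $password);
if ($member === null) {
    header('Location: login-failed.php');
    exit;
}
session_regenerate_id(true);                     // discard the pre-login session id
$_SESSION['SESS_USERNAME']   = $member['member_id'];
$_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
$_SESSION['SESS_LAST_NAME']  = $member['lastname'];
header('Location: member-index.php');
exit;
```

Rows that still hold MD5 values will not pass password_verify(); those accounts need a new value written with password_hash().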
