doujimiao7480 2018-07-26 20:52
浏览 68
已采纳

使用php从不同的表登录

Good evening, I am just trying out something new (to me atleast) on how to login from different tables. Table1 has the cand_id (username) while Table2 has the pincode (password). The server doesn't display any error when I try to login but its not working. My code below:

if (isset($_POST['cand_id'])) {
    //escapes special characters in a string
    $cand_id = mysqli_real_escape_string($con,$cand_id);
    $pincode = mysqli_real_escape_string($con,$pincode);

    //Checking is user existing in the database or not
    $query = "SELECT cand_id 
              FROM candidates 
              WHERE cand_id='$cand_id' 
              UNION 
              SELECT pincode 
              FROM cand_login 
              WHERE pincode='$pincode'";
    $result = mysqli_query($con,$query) or die(mysql_error());
    $rows = mysqli_num_rows($result);

    if($rows==1) {
        $_SESSION['cand_id'] = $cand_id;
        // Redirect user to index.php
        header("Location: home.php");
    } else {
        echo "<div class='form'>
              <h3>cand_id/pincode is incorrect.</h3>
              <br/>Click here to <a href='log.php'>Login</a></div>";
    }
} else {
}

What do I need to make this work?

  • 写回答

1条回答 默认 最新

  • duanrang2627 2018-07-26 21:05
    关注

    Lots of things wrong here.

    • SQL injection. See comment above. Don't rely on the real_escape_string() functions to prevent SQL injection, they alone are not sufficient.
    • You're doing a UNION which would normally return two rows but you're explicitly checking for one row. If you change the code to check for two rows then you have even bigger problems:
      • Since you're pulling any row that matches the userid and then any row that matches the PIN, this would allow any user to login with any PIN.
      • UNION removes duplicates. Which means if a user has the same PIN as their userid, the query will get reduced to a single row and the login would fail.
      • If you use then UNION ALL to not remove duplicates, then you'll potentially get more than one row when people have the same PIN. I.e., as soon as somebody creates a PIN that somebody else has, then nobody with that PIN will be able to login.
    • You need to either JOIN the tables or use a WHERE clause on the cand_login table to ensure that the rows you're selecting pertain only to the one user that's logging in. Right now you're asking "Does this user exist, and does this PIN exist?" You need to ask "Does this user exist and does this user's PIN match what I was given?"
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 基于卷积神经网络的声纹识别
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图
  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值
  • ¥15 我想咨询一下路面纹理三维点云数据处理的一些问题,上传的坐标文件里是怎么对无序点进行编号的,以及xy坐标在处理的时候是进行整体模型分片处理的吗
  • ¥15 CSAPPattacklab
  • ¥15 一直显示正在等待HID—ISP
  • ¥15 Python turtle 画图
  • ¥15 stm32开发clion时遇到的编译问题