douzhao4071 2015-11-07 10:44
浏览 55
已采纳

PHP数据库登录脚本问题

My login page for future users is allowing any username and any password access. This code is in a file called Login.php and should direct you to Account.php But it is taking you there regardless of what you type in the forms. 

<?php
require 'Connections/Connections.php';
include('header.php');
?>

<?php

if(isset($_POST['Login'])){

    $UN= $_POST['Username'];
    $PW = $_POST['Password'];

    $result = $con->query("Select * from users where Username='$UN' AND Password='$PW'");

    $row = $result->fetch_array(MYSQLI_BOTH);

    $_SESSION["UserID"] = $row['UserID'];

    header('Location: Account.php');
}
?>

<!doctype html>
<html>
<head>
    <meta http-equiv='Content-Type' content='text/html; charset=utf-8'/>
    <link href="style/UserStyle.css" rel="stylesheet" type="text/css" />
    <title>Register</title>
</head>

<body>
    <form action="" method="post" name="LoginForm" id="LoginForm">

        <div class="FormElement">
            <input name="Username" type="text" required="required" class="TField" id="Username" placeholder="Username">
        </div>

        <div class="FormElement">
            <input name="Password" type="Password" required="required" class="TField" id="Password" placeholder="Password">
        </div>

        <div class="FormElement">
            <input name="Login" type="submit" class="button" id="Login" placeholder="Login">
        </div>
</body>

The connection.php that connects to my database and creates the variable $con

<?php
mysql_connect("localhost", "MyRealUsername", "MyRealPassword"); 
mysql_select_db("Registration"); 
$con = mysqli_connect("localhost", "MyRealUsername", "MyRealPassword", "Registration");
?>

Thank you very much for any help!

  • 写回答

3条回答 默认 最新

  • douyan2680 2015-11-07 11:05
    关注

    Please make following changes in your php code . You are currently only checking for post variable and authenticating user. After fetching values from database please check result array and then redirect to Account.php if user exists in database else redirect to Login.php 

    <?php

if(isset($_POST['Login'])){

    $UN= $_POST['Username'];
    $PW = $_POST['Password'];

    $result = $con->query("Select * from users where Username='$UN' AND Password='$PW'");

    $row = $result->fetch_array(MYSQLI_BOTH);

    if( isset($row) &&  $row['UserID'] != "" ){ // authenticated user, redirect to account page
    $_SESSION["UserID"] = $row['UserID'];

    header('Location: Account.php');

    }else{ // redirect to login page
        header('Location: Login.php');

    }
}
?>

    Also Please sanitize input values in query string to prevent sql injection as below. 

        $UN= $con->real_escape_string($_POST['Username']);
    $PW = $con->real_escape_string($_POST['Password']);

$result = $con->query("Select * from users where Username='$UN' AND Password='$PW'");
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 华为ensp模拟器中S5700交换机在配置过程中老是反复重启
  • ¥15 java写代码遇到问题,求帮助
  • ¥15 uniapp uview http 如何实现统一的请求异常信息提示?
  • ¥15 有了解d3和topogram.js库的吗?有偿请教
  • ¥100 任意维数的K均值聚类
  • ¥15 stamps做sbas-insar,时序沉降图怎么画
  • ¥15 买了个传感器,根据商家发的代码和步骤使用但是代码报错了不会改,有没有人可以看看
  • ¥15 关于#Java#的问题,如何解决?
  • ¥15 加热介质是液体,换热器壳侧导热系数和总的导热系数怎么算
  • ¥100 嵌入式系统基于PIC16F882和热敏电阻的数字温度计