duanmao1919 2015-11-24 01:02
浏览 37
已采纳

PHP MySQL登录失败

I have to create a login system using PHP and MYSQL. The user has to be granted access if his username and password exists in the database. I have the following code but after I enter the fields, it returns to the same page. I'm new to programming in php and stackoverflow. Please help.

    <?php
ini_set('display_errors',1); 
error_reporting(E_ALL);
    //Start session
    session_start();

    //Include database connection details
    require_once('config.php');

    //Array to store validation errors
    $errmsg_arr = array();

    //Validation error flag
    $errflag = false;

    //Connect to mysql server
    $link = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_DATABASE);
    if(!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }

    //Select database
    $db = mysqli_select_db($link, DB_DATABASE);
    if(!$db) {
        die("Unable to select database");
    }

    //Function to sanitize values received from the form. Prevents SQL injection
    function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysqli_real_escape_string($str);
    }

    //Sanitize the POST values
    $login = clean($_POST['login']);
    $password = clean($_POST['password']);

    //Input Validations
    if($login == '') {
        $errmsg_arr[] = 'Login ID missing';
        $errflag = true;
    }
    if($password == '') {
        $errmsg_arr[] = 'Password missing';
        $errflag = true;
    }

    //If there are input validations, redirect back to the login form
    if($errflag) {
        $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
        session_write_close();
        header("location: index.php");
        exit();
    }

    //Create query

    $result=mysqli_query("SELECT * FROM login-teachers WHERE login=$login AND password=".md5($_POST['password'])."");

    //Check whether the query was successful or not
    if($result) {
        if(mysqli_num_rows($result) == 1) {
            //Login Successful
            session_regenerate_id();
            $member = mysqli_fetch_assoc($result);
            $_SESSION['SESS_USERNAME'] = $member['member_id'];
            $_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
            $_SESSION['SESS_LAST_NAME'] = $member['lastname'];
            session_write_close();
            header("location: member-index.php");
            exit();
        }else {
            //Login failed
            header("location: login-failed.php");
            exit();
        }
    }else {
        die("Query failed");
    }
?>
  • 写回答

1条回答 默认 最新

  • drnf09037160 2015-11-24 01:19
    关注

    As I stated in comments:

    You're also not connecting here $result=mysqli_query("SELECT...

    Then we have this SELECT * FROM login-teachers you are using a hyphen. It must be ticked.

    SELECT * FROM `login-teachers`
    • MySQL will interpret that as "login MINUS teachers" and thinking you want to do math.

    Having checked for errors, that alone would have thrown you a syntax error.

    Sidenote: To avoid ticking, rename your table using an underscore as a seperator, the choice is yours login_teachers.

    This AND password=".md5($_POST['password'])."" that is a string.

    It needs to read as AND password='".md5($_POST['password'])."'

    Sidenote: If $login is a string, then that too needs to be quoted.

    Yet, I would totally get rid of that MD5 altogether for password hashing.

    You're using MD5 which isn't considered safe to use as a password hashing function. If it's for your own personal use or educational purposes and won't see the light of day on the Web, fine.

    • Just don't go LIVE with this.

    Use one of the following:

    Other links:

    Plus, it's unsure if you did save that hash in the first place and if the column's type is correct and its length long enough to hold the hash.

    Also unsure if your POST arrays do hold values and that your form has a POST method. Use a conditional !empty() against those.

    Check for errors.

    Add error reporting to the top of your file(s) which will help find errors.

    <?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

    Sidenote: Displaying errors should only be done in staging, and never production.

    Also add or die(mysqli_error($link)) to mysqli_query().

    Then this die("Unable to select database"); get the real error mysqli_error($link) should there be any.

    Added note:

    I don't know you're using this below, you already declared all 4 parameters above it and it can safely be removed:

    $db = mysqli_select_db($link, DB_DATABASE);
if(!$db) {
    die("Unable to select database");
}

    and make sure those constants are correctly defined.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 mmocr的训练错误,结果全为0
  • ¥15 python的qt5界面
  • ¥15 无线电能传输系统MATLAB仿真问题
  • ¥50 如何用脚本实现输入法的热键设置
  • ¥20 我想使用一些网络协议或者部分协议也行,主要想实现类似于traceroute的一定步长内的路由拓扑功能
  • ¥30 深度学习,前后端连接
  • ¥15 孟德尔随机化结果不一致
  • ¥15 apm2.8飞控罗盘bad health,加速度计校准失败
  • ¥15 求解O-S方程的特征值问题给出边界层布拉休斯平行流的中性曲线
  • ¥15 谁有desed数据集呀