douzhan8652 2017-01-28 15:04
浏览 34
已采纳

创建Prepared语句以登录PHP时遇到错误

I keep running into the error where PHP says "We're sorry we can't log you in." according to one of my conditions set even if login is correct and hence my Prepared system to avoid SQL injection fails.

So my code goes like this:

global $connected;

$post = filter_var_array($_POST, FILTER_SANITIZE_STRING);
$pwwd = $post['password'];
$usrn = $post['username'];
$usrn = mysqli_real_escape_string($connected, $usrn);
$pwwd = mysqli_real_escape_string($connected, $pwwd);

if (strlen($usrn) != 0 && strlen($pwwd) != 0 && !empty($post)) {
    $usrn = stripslashes($usrn);
    $pwwd = stripslashes($pwwd);
    $hashFormat = '$2ysomenumber$';
    $salt = 'somehashobviously';
    $hashF_and_salt = $hashFormat.$salt;
    $pwwd = crypt($pwwd, $hashF_and_salt);

    if (!mysqli_connect_errno()) {
        mysqli_select_db($connected, 'someDbname') or die('Database   select error');
    } else {
        die('Failed to connect to PHPMyAdmin').mysqli_connect_error();
    }

    $query = "SELECT Username, Password FROM users WHERE Username=? AND     Password=?";

    $stmt = mysqli_stmt_init($connected);

    if (mysqli_stmt_prepare($stmt, $query)) {
        //Some error in here somewhere

        mysqli_stmt_bind_param($stmt, "ss", $usrn, $pwwd);
        mysqli_stmt_execute($stmt);

        mysqli_stmt_fetch($stmt);

        mysqli_stmt_bind_result($stmt, $check_usrn, $check_pwd);

        if (strcasecmp($usrn, $check_usrn) == 0) {
            if ($pwwd == $check_pwd) {
                echo '<h1 class="text-center">Matches</h1>';
                print_r($row);
            }

        } else {
            echo "<h1 class=text-center>We're sorry we can't log you     in.</h1>";
        }

    }

} else { //This is for strlen boolean cond
    echo "<h1 class='text-center'>Both fields must not be empty.    </h1>";
}

I used to use a login page without prepared statements which was working, but I realised I need to do this for better security. My database is working fine so the problem is near where I added the comment "//Some error in here somewhere".

I am a relatively new PHP programmer that is yet a first year student trying daring new things in the holidays! Will openly read all the help I get, thank you!

  • 写回答

1条回答 默认 最新

  • doraemon0769 2017-01-29 18:33
    关注

    First i didn't see your connection code for connection to the database which is like this. $connected = msqli_connect(host,user,password,db_name) ; than you don't need to call mysqli_select_db()function.

    Secondly you are checking your connectinon from mysqli_connect_errno() function which return 0 as integer (not boolean) if no error code value for last mysqli_connect() function.

    Third there is no need to Initializes prepare statement.

    Fourth is mysqli_stmt_bind_reslut() comes before the mysqli_stmt_fetch(). see note point in manual

    Use hash_equals() function to match password instead of ===. see the warning section in crypt

    $connected = msqli_connect(host,user,password,db_name) ;
     if(!$connected)
     {
         die('Connect Error (' . mysqli_connect_errno() . ') '. mysqli_connect_error());
     } 
        echo "Your connection is  successful . "
     if($stmt = mysqli_prepare($connected,$query))
     {
           mysqli_stmt_bind_param($stmt, "ss", $usrn, $pwwd);
           mysqli_stmt_execute($stmt);
           mysqli_stmt_bind_result($stmt, $check_usrn, $check_pwd);
           mysqli_stmt_fetch($stmt);
           /* Now do Your Work */
    
     } else 
       {
          /* still prepare statement doesn't work */
       } `
    
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 keepalive配置业务服务双机单活的方法。业务服务一定是要双机单活的方式
  • ¥50 关于多次提交POST数据后,无法获取到POST数据参数的问题
  • ¥15 win10,这种情况怎么办
  • ¥15 如何在配置使用Prettier的VSCode中通过Better Align插件来对齐等式?(相关搜索:格式化)
  • ¥100 在连接内网VPN时,如何同时保持互联网连接
  • ¥15 MATLAB中使用parfor,矩阵Removal的有效索引在parfor循环中受限制
  • ¥20 Win 10 LTSC 1809版本如何无损提升到20H1版本
  • ¥50 win10 LTSC 虚拟键盘不弹出
  • ¥30 微信小程序请求失败,网页能正常带锁访问
  • ¥15 Matlab求解微分方程,如何用fish2d进行预优?