douzhan8652 2017-01-28 15:04
浏览 34
已采纳

创建Prepared语句以登录PHP时遇到错误

I keep running into the error where PHP says "We're sorry we can't log you in." according to one of my conditions set even if login is correct and hence my Prepared system to avoid SQL injection fails.

So my code goes like this:

global $connected;

$post = filter_var_array($_POST, FILTER_SANITIZE_STRING);
$pwwd = $post['password'];
$usrn = $post['username'];
$usrn = mysqli_real_escape_string($connected, $usrn);
$pwwd = mysqli_real_escape_string($connected, $pwwd);

if (strlen($usrn) != 0 && strlen($pwwd) != 0 && !empty($post)) {
    $usrn = stripslashes($usrn);
    $pwwd = stripslashes($pwwd);
    $hashFormat = '$2ysomenumber$';
    $salt = 'somehashobviously';
    $hashF_and_salt = $hashFormat.$salt;
    $pwwd = crypt($pwwd, $hashF_and_salt);

    if (!mysqli_connect_errno()) {
        mysqli_select_db($connected, 'someDbname') or die('Database   select error');
    } else {
        die('Failed to connect to PHPMyAdmin').mysqli_connect_error();
    }

    $query = "SELECT Username, Password FROM users WHERE Username=? AND     Password=?";

    $stmt = mysqli_stmt_init($connected);

    if (mysqli_stmt_prepare($stmt, $query)) {
        //Some error in here somewhere

        mysqli_stmt_bind_param($stmt, "ss", $usrn, $pwwd);
        mysqli_stmt_execute($stmt);

        mysqli_stmt_fetch($stmt);

        mysqli_stmt_bind_result($stmt, $check_usrn, $check_pwd);

        if (strcasecmp($usrn, $check_usrn) == 0) {
            if ($pwwd == $check_pwd) {
                echo '<h1 class="text-center">Matches</h1>';
                print_r($row);
            }

        } else {
            echo "<h1 class=text-center>We're sorry we can't log you     in.</h1>";
        }

    }

} else { //This is for strlen boolean cond
    echo "<h1 class='text-center'>Both fields must not be empty.    </h1>";
}

I used to use a login page without prepared statements which was working, but I realised I need to do this for better security. My database is working fine so the problem is near where I added the comment "//Some error in here somewhere".

I am a relatively new PHP programmer that is yet a first year student trying daring new things in the holidays! Will openly read all the help I get, thank you!

  • 写回答

1条回答 默认 最新

  • doraemon0769 2017-01-29 18:33
    关注

    First i didn't see your connection code for connection to the database which is like this. $connected = msqli_connect(host,user,password,db_name) ; than you don't need to call mysqli_select_db()function.

    Secondly you are checking your connectinon from mysqli_connect_errno() function which return 0 as integer (not boolean) if no error code value for last mysqli_connect() function.

    Third there is no need to Initializes prepare statement.

    Fourth is mysqli_stmt_bind_reslut() comes before the mysqli_stmt_fetch(). see note point in manual

    Use hash_equals() function to match password instead of ===. see the warning section in crypt

    $connected = msqli_connect(host,user,password,db_name) ;
     if(!$connected)
     {
         die('Connect Error (' . mysqli_connect_errno() . ') '. mysqli_connect_error());
     } 
        echo "Your connection is  successful . "
     if($stmt = mysqli_prepare($connected,$query))
     {
           mysqli_stmt_bind_param($stmt, "ss", $usrn, $pwwd);
           mysqli_stmt_execute($stmt);
           mysqli_stmt_bind_result($stmt, $check_usrn, $check_pwd);
           mysqli_stmt_fetch($stmt);
           /* Now do Your Work */
    
     } else 
       {
          /* still prepare statement doesn't work */
       } `
    
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 三极管电路求解,已知电阻电压和三级关放大倍数
  • ¥15 ADS时域 连续相位观察方法
  • ¥15 Opencv配置出错
  • ¥15 模电中二极管,三极管和电容的应用
  • ¥15 关于模型导入UNITY的.FBX: Check external application preferences.警告。
  • ¥15 气象网格数据与卫星轨道数据如何匹配
  • ¥100 java ee ssm项目 悬赏,感兴趣直接联系我
  • ¥15 微软账户问题不小心注销了好像
  • ¥15 x264库中预测模式字IPM、运动向量差MVD、量化后的DCT系数的位置
  • ¥15 curl 命令调用正常,程序调用报 java.net.ConnectException: connection refused