douzhan8652 2017-01-28 15:04
浏览 34
已采纳

创建Prepared语句以登录PHP时遇到错误

I keep running into the error where PHP says "We're sorry we can't log you in." according to one of my conditions set even if login is correct and hence my Prepared system to avoid SQL injection fails.

So my code goes like this:

global $connected;

$post = filter_var_array($_POST, FILTER_SANITIZE_STRING);
$pwwd = $post['password'];
$usrn = $post['username'];
$usrn = mysqli_real_escape_string($connected, $usrn);
$pwwd = mysqli_real_escape_string($connected, $pwwd);

if (strlen($usrn) != 0 && strlen($pwwd) != 0 && !empty($post)) {
    $usrn = stripslashes($usrn);
    $pwwd = stripslashes($pwwd);
    $hashFormat = '$2ysomenumber$';
    $salt = 'somehashobviously';
    $hashF_and_salt = $hashFormat.$salt;
    $pwwd = crypt($pwwd, $hashF_and_salt);

    if (!mysqli_connect_errno()) {
        mysqli_select_db($connected, 'someDbname') or die('Database   select error');
    } else {
        die('Failed to connect to PHPMyAdmin').mysqli_connect_error();
    }

    $query = "SELECT Username, Password FROM users WHERE Username=? AND     Password=?";

    $stmt = mysqli_stmt_init($connected);

    if (mysqli_stmt_prepare($stmt, $query)) {
        //Some error in here somewhere

        mysqli_stmt_bind_param($stmt, "ss", $usrn, $pwwd);
        mysqli_stmt_execute($stmt);

        mysqli_stmt_fetch($stmt);

        mysqli_stmt_bind_result($stmt, $check_usrn, $check_pwd);

        if (strcasecmp($usrn, $check_usrn) == 0) {
            if ($pwwd == $check_pwd) {
                echo '<h1 class="text-center">Matches</h1>';
                print_r($row);
            }

        } else {
            echo "<h1 class=text-center>We're sorry we can't log you     in.</h1>";
        }

    }

} else { //This is for strlen boolean cond
    echo "<h1 class='text-center'>Both fields must not be empty.    </h1>";
}

I used to use a login page without prepared statements which was working, but I realised I need to do this for better security. My database is working fine so the problem is near where I added the comment "//Some error in here somewhere".

I am a relatively new PHP programmer that is yet a first year student trying daring new things in the holidays! Will openly read all the help I get, thank you!

  • 写回答

1条回答 默认 最新

  • doraemon0769 2017-01-29 18:33
    关注

    First i didn't see your connection code for connection to the database which is like this. $connected = msqli_connect(host,user,password,db_name) ; than you don't need to call mysqli_select_db()function.

    Secondly you are checking your connectinon from mysqli_connect_errno() function which return 0 as integer (not boolean) if no error code value for last mysqli_connect() function.

    Third there is no need to Initializes prepare statement.

    Fourth is mysqli_stmt_bind_reslut() comes before the mysqli_stmt_fetch(). see note point in manual

    Use hash_equals() function to match password instead of ===. see the warning section in crypt 

    $connected = msqli_connect(host,user,password,db_name) ;
 if(!$connected)
 {
     die('Connect Error (' . mysqli_connect_errno() . ') '. mysqli_connect_error());
 } 
    echo "Your connection is  successful . "
 if($stmt = mysqli_prepare($connected,$query))
 {
       mysqli_stmt_bind_param($stmt, "ss", $usrn, $pwwd);
       mysqli_stmt_execute($stmt);
       mysqli_stmt_bind_result($stmt, $check_usrn, $check_pwd);
       mysqli_stmt_fetch($stmt);
       /* Now do Your Work */

 } else 
   {
      /* still prepare statement doesn't work */
   } `
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥100 set_link_state
  • ¥15 虚幻5 UE美术毛发渲染
  • ¥15 CVRP 图论 物流运输优化
  • ¥15 Tableau online 嵌入ppt失败
  • ¥100 支付宝网页转账系统不识别账号
  • ¥15 基于单片机的靶位控制系统
  • ¥15 真我手机蓝牙传输进度消息被关闭了,怎么打开?(关键词-消息通知)
  • ¥15 装 pytorch 的时候出了好多问题,遇到这种情况怎么处理?
  • ¥20 IOS游览器某宝手机网页版自动立即购买JavaScript脚本
  • ¥15 手机接入宽带网线,如何释放宽带全部速度