doutuo7815 2018-02-18 13:04
浏览 566
已采纳

php mysql where语句,如果第二个条件为false,则返回true

I am running a mysql statement which actually evaluates to true despite the incorrectness of a value. Bellow is the function

<?php
public function login_user($username, $password){

      if(!empty($username) && !empty($password)){
        $sql = "SELECT * FROM `users` WHERE `user_name`='$username' AND `user_password`='$password'";
        $query = $this->link->query($sql);

        if($this->link->error){
            //return false;
            $this->log_db_error($this->link->error, $sql);
            return false;
        }
        else{

            return true;
        }
    }
    else{
      return false;
    }
  }
?>

Calling this function with the params and passing a correct username and a wrong password actually returns true, where am I messing up? Any help

  • 写回答

1条回答 默认 最新

  • dsqa6272 2018-02-18 13:14
    关注

    Because the sql query is totally valid even if the combination of username and password doesn't exist in database.

    You can achieve what you want by: Checking if query returns empty dataset.

    Some Tips: 1. Your query is prone to sql injection. It is good practice to use prepare and then bind all the input parameters. 2. It's good to keep passwords in hash (Like md5 or BCrypt) in database.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 metadata提取的PDF元数据,如何转换为一个Excel
  • ¥15 关于arduino编程toCharArray()函数的使用
  • ¥100 vc++混合CEF采用CLR方式编译报错
  • ¥15 coze 的插件输入飞书多维表格 app_token 后一直显示错误,如何解决?
  • ¥15 vite+vue3+plyr播放本地public文件夹下视频无法加载
  • ¥15 c#逐行读取txt文本,但是每一行里面数据之间空格数量不同
  • ¥50 如何openEuler 22.03上安装配置drbd
  • ¥20 ING91680C BLE5.3 芯片怎么实现串口收发数据
  • ¥15 无线连接树莓派,无法执行update,如何解决?(相关搜索:软件下载)
  • ¥15 Windows11, backspace, enter, space键失灵