dppb79372 2015-10-21 19:06
浏览 38
已采纳

我一直收到用户名和密码错误的登录表单[重复]

I have scanned my code countless of times and cant figure this out at all. everytime i hit login, it return wrong password and username.

admin.php

<div class="container">
    <div class="row">
        <div class='col-md-3'></div>
        <div class="col-md-6">
            <div class="login-box well">
                    <form action="connectivity.php" method="post">
                        <legend>Sign In</legend>
                        <div class="form-group">
                            <label for="user">Username</label>
                            <input type="text" id="user" name="user" placeholder="Username"class="form-control" />
                        </div>
                        <div class="form-group">
                            <label for="pass">Password</label>
                            <input type="text" id="pass" name="pass" placeholder="Password" class="form-control" />
                        </div>
                        <div class="form-group">
                            <a href="index.php" class="btn btn-link pull-right">Return to Login</a>
                            <input name="submit" type="submit" class="btn btn-warning btn-login-submit btn-block m-t-md" value="Login" />
                        </div>
                    </form>

            </div>
        </div>
        <div class='col-md-3'></div>
    </div>
</div>

connectivity.php

<?php 
session_start();

define('DB_HOST', 'localhost'); 
define('DB_NAME', 'login-invoices'); 
define('DB_USER','root'); 
define('DB_PASSWORD',''); 

$con=mysql_connect('localhost', 'username','password', '') or die("Failed to connect to MySQL: " . mysql_error()); $db=mysql_select_db(DB_NAME,$con) or die("Failed to connect to MySQL: " . mysql_error()); 
/*
$ID = $_POST['user']; 
$Password = $_POST['pass']; 
*/
function SignIn() 
{ 
    session_start(); //starting the session for user profile page 
    if(!empty($_POST['user'])) //checking the 'user' name which is from Sign-In.html, is it empty or have some text 
    { 
        $user = $_POST[user];
        $pass = $_POST[pass];

            $query = "SELECT * FROM login where username = '$user' AND password = '$pass'";
            $query = mysql_query($query) or die(mysql_error()); 
        $row = mysql_fetch_array($query) or die(mysql_error());
        if(!empty($row['user']) AND !empty($row['pass'])) 
        {  
            header("location: Home.html");

        } else { 
            echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY..."; 
            } 
        } 
    } 
    if(isset($_POST['submit'])) 
    { 
        SignIn(); 
    } 

?>

here is a picture of my DB database structure

Here is the table set up table

</div>
  • 写回答

1条回答 默认 最新

  • doudou8893 2015-10-21 19:08
    关注

    You have some missing quotes:

    $user = $_POST[user];
    $pass = $_POST[pass];
    

    Fixed version:

    $user = $_POST['user'];
    $pass = $_POST['pass'];
    

    And as Chris mentioned, your column names are incorrect here:

     if(!empty($row['user']) AND !empty($row['pass'])) 
    

    According to your SQL they should be:

     if(!empty($row['username']) AND !empty($row['password'])) 
    

    And lastly, have a quick online search for "SQL Inject Attacks":

    $query = "SELECT * FROM login where username = '$user' AND password = '$pass'";
    

    If I were to log in with a username of:

    '; SELECT * FROM login LIMIT 1; --
    

    I'm pretty sure I'd gain access to your system!

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 hc130怎么读写内部flash存储信息
  • ¥15 Axure rp9注册与登录交互
  • ¥15 我下载图形界面重启完就变成这样了,打字也打不了,动也动不了,该怎么解决(操作系统-centos)
  • ¥15 VBA中在窗体中遍历所有checkbox控件,提取出被选中的checkbox的caption值
  • ¥15 在Ubuntu上有什么命令,或者是系统文件能告诉我链接nvme ssd的pcie槽位是不是支持热插拔功能?
  • ¥15 ansys license许可证问题
  • ¥20 QQ号和密码都能正常登录微信 QQ号和密码登录微信显示密码错误
  • ¥15 qiankun主应用注册子应用提示跨域
  • ¥15 单片机RTOS Kernel与应用分离开发,Kernel如何调起应用?
  • ¥15 快手小店商家版APP怎么第三方APP跳转到指定用户聊天界面