donglipi4495 2014-09-06 23:51
浏览 43

当我尝试登录时,为什么脚本中的登录详细信息仍然被脚本声明为无效?

I downloaded the script from http://freestudentprojects.com on online banking. Everything seems to work except that the login pages keep saying my password and username are invalid.

None of the passwords and the loginid combinations in the SQL database is able to log me into the admin page (named: emplogin.php) Please help me know what's wrong. Is it mismatch of variables and values between the code and the database?

//emplogin.php page begins. Database is at the end of the php script.

<?php
session_start();
include("header.php");
include("dbconnection.php");
if(isset($_SESSION["employeeid"]))
{
    header("Location: employeeaccount.php");
}
if(isset($_SESSION["adminid"]))
{
    header("Location: admindashboard.php");
}

if(isset($_POST["loginadmin"]))
{
        //coding for login the employee account
    $result = mysql_query("SELECT * FROM employees
    WHERE loginid='$_POST[adminlogin]' AND password='$_POST[adminpass]'");


    if(mysql_num_rows($result) == 1)
    {
        $_SESSION["adminid"] =$_POST["adminlogin"];
        header("Location: admindashboard.php");
    }
    else
    {
        $logininfo = "Invalid Username or password entered";
    }
}

if(isset($_POST["loginemp"]))
{
        //coding for login the employee account
    $result = mysql_query("SELECT * FROM employees
    WHERE loginid='$_POST[emplogin]' AND password='$_POST[emppassword]'");


    if(mysql_num_rows($result) == 1)
    {
        $_SESSION["employeeid"] =$_POST["emplogin"];
        header("Location: employeeaccount.php");
    }
    else
    {
        $logininfo1 = "Invalid Username or password entered";
    }
}
?>
<div id="templatemo_main">
<p class="welcome_text">&quot;<strong>Administrator and Employee Login page.</strong>&quot;</p>

        <div class="col_w420 float_l">
     <div></div>
          <h2>Administrator Login page</h2>
          <div>
            <form id="form2" name="form1" method="post" action="">
              <p>
                <label for="adminlogin" class="leftal"><strong>Loginid</strong></label>
                <input name="adminlogin" type="text" id="adminlogin" size="40"  class="rightal"/>
              </p>
              <p class="cleaner_h50" id="password2">
                <label for="adminpass"  class="leftal"><strong>password</strong></label>
                <input name="adminpass" type="password" id="adminpass" class="rightal" size="40" />
              </p>
              <p class="cleaner_h50">&nbsp;<font color="#FF0000"><b><?php echo $logininfo; ?></b></font></p>
              <p class="cleaner_h50">
                <input  name="loginadmin" type="submit"   class="submit_btn float_r" id="loginadmin" value="Click here to Login"  />
              </p>
            </form>
          </div>
<h2>Employee Login page</h2>
<div>
  <form id="form1" name="form1" method="post" action="">
    <p>
      <label for="emplogin" class="leftal"><strong>Loginid</strong></label>
      <input name="emplogin" type="text" id="emplogin" size="40"  class="rightal"/>
    </p>
    <p class="cleaner_h50" id="password">
      <label for="emppassword"  class="leftal"><strong>password</strong></label>
      <input name="emppassword" type="password" id="emppassword" class="rightal" size="40" />
  </p>
    <p class="cleaner_h50">&nbsp;<font color="#FF0000"><b><?php echo $logininfo1; ?></b></font></p>
    <p class="cleaner_h50">
     <input  name="loginemp" type="submit"   class="submit_btn float_r" id="loginemp" value="Click here to Login"  />
    </p>
  </form>
</div>
<div class="button float_r"></div>

</div>
        <div class="cleaner"></div>
    </div> <!-- end of main -->
<div id="templatemo_main_bottom"></div> <!-- end of main -->
    <?php
    include("footer.php");
    ?>

//emplogin.php page ends

Below is the database for the script:

CREATE TABLE IF NOT EXISTS `employees` (
  `empid` int(10) NOT NULL AUTO_INCREMENT,
  `employee_name` varchar(25) NOT NULL,
  `loginid` varchar(25) NOT NULL,
  `password` varchar(25) NOT NULL,
  `emailid` varchar(30) NOT NULL,
  `contactno` varchar(30) NOT NULL,
  `createdat` date NOT NULL,
  `last_login` datetime NOT NULL,
  PRIMARY KEY (`empid`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=313800 ;

--
-- Dumping data for table `employees`
--
INSERT INTO `employees` (`empid`, `employee_name`, `loginid`, `password`, `emailid`, `contactno`, `createdat`, `last_login`) VALUES
(313786, 'soudhabanu', '445545', '125487', 'soudha_ban@52yahoo.com', '9535543313', '2012-12-15', '2012-12-03 11:27:00'),
(313787, 'mahesh', 'mahesh', 'qwert', 'mahesh@gmail.com', '98478872783', '0000-00-00', '0000-00-00 00:00:00'),
(313788, 'jyothi', '3535355', '3636', 'jyothi@yahoo.com', '95425422424', '2013-01-02', '0000-00-00 00:00:00'),
(313791, 'admin', 'admin', 'admin', 'admin', 'admin', '2013-01-12', '2013-01-12 00:00:00'),
(313798, 'raj', 'rajkiran', '123456', 'abc@gmail.com', '9874563210', '2013-02-02', '0000-00-00 00:00:00'),
(313799, 'peter king', 'emp', 'emp', 'emp@gmail.com', '987456321', '2013-02-09', '0000-00-00 00:00:00');
  • 写回答

2条回答 默认 最新

  • dougao1542 2014-09-07 00:07
    关注

    The following code:

    "SELECT * FROM employees 
 WHERE loginid='$_POST[adminlogin]' AND password='$_POST[adminpass]'"

    is incorrect

    The issue is related to string concactenation, you can build the string this way:

    $sql= sprintf("SELECT * FROM employees WHERE loginid ='%s' AND password='%s'",
                mysql_real_escape_string($_POST['adminlogin']),
                mysql_real_escape_string($_POST['adminpass']));

    Using mysql_real_escape_string to avoid sql injection, and if you get a chance you should update to mysqli using prepared statements.

    评论

报告相同问题?