douzhao4071 2015-11-07 10:44
浏览 55
已采纳

PHP数据库登录脚本问题

My login page for future users is allowing any username and any password access. This code is in a file called Login.php and should direct you to Account.php But it is taking you there regardless of what you type in the forms. 

<?php
require 'Connections/Connections.php';
include('header.php');
?>

<?php

if(isset($_POST['Login'])){

    $UN= $_POST['Username'];
    $PW = $_POST['Password'];

    $result = $con->query("Select * from users where Username='$UN' AND Password='$PW'");

    $row = $result->fetch_array(MYSQLI_BOTH);

    $_SESSION["UserID"] = $row['UserID'];

    header('Location: Account.php');
}
?>

<!doctype html>
<html>
<head>
    <meta http-equiv='Content-Type' content='text/html; charset=utf-8'/>
    <link href="style/UserStyle.css" rel="stylesheet" type="text/css" />
    <title>Register</title>
</head>

<body>
    <form action="" method="post" name="LoginForm" id="LoginForm">

        <div class="FormElement">
            <input name="Username" type="text" required="required" class="TField" id="Username" placeholder="Username">
        </div>

        <div class="FormElement">
            <input name="Password" type="Password" required="required" class="TField" id="Password" placeholder="Password">
        </div>

        <div class="FormElement">
            <input name="Login" type="submit" class="button" id="Login" placeholder="Login">
        </div>
</body>

The connection.php that connects to my database and creates the variable $con

<?php
mysql_connect("localhost", "MyRealUsername", "MyRealPassword"); 
mysql_select_db("Registration"); 
$con = mysqli_connect("localhost", "MyRealUsername", "MyRealPassword", "Registration");
?>

Thank you very much for any help!

  • 写回答

3条回答 默认 最新

  • douyan2680 2015-11-07 11:05
    关注

    Please make following changes in your php code . You are currently only checking for post variable and authenticating user. After fetching values from database please check result array and then redirect to Account.php if user exists in database else redirect to Login.php 

    <?php

if(isset($_POST['Login'])){

    $UN= $_POST['Username'];
    $PW = $_POST['Password'];

    $result = $con->query("Select * from users where Username='$UN' AND Password='$PW'");

    $row = $result->fetch_array(MYSQLI_BOTH);

    if( isset($row) &&  $row['UserID'] != "" ){ // authenticated user, redirect to account page
    $_SESSION["UserID"] = $row['UserID'];

    header('Location: Account.php');

    }else{ // redirect to login page
        header('Location: Login.php');

    }
}
?>

    Also Please sanitize input values in query string to prevent sql injection as below. 

        $UN= $con->real_escape_string($_POST['Username']);
    $PW = $con->real_escape_string($_POST['Password']);

$result = $con->query("Select * from users where Username='$UN' AND Password='$PW'");
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 微信会员卡等级和折扣规则
  • ¥15 微信公众平台自制会员卡可以通过收款码收款码收款进行自动积分吗
  • ¥15 随身WiFi网络灯亮但是没有网络,如何解决?
  • ¥15 gdf格式的脑电数据如何处理matlab
  • ¥20 重新写的代码替换了之后运行hbuliderx就这样了
  • ¥100 监控抖音用户作品更新可以微信公众号提醒
  • ¥15 UE5 如何可以不渲染HDRIBackdrop背景
  • ¥70 2048小游戏毕设项目
  • ¥20 mysql架构,按照姓名分表
  • ¥15 MATLAB实现区间[a,b]上的Gauss-Legendre积分