douyi0219 2016-01-31 17:55
浏览 24
已采纳

登录表单始终显示“错误的凭据”

<?php include 'header.php'; 
error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE);
$con = mysql_connect("localhost","root","");
$db_selected = mysql_select_db("layout",$con);
$name = $_POST['name'];
$password = $_POST['password'];
if($_POST["submit"] == "LOGIN" )
{
    $sql = "SELECT username,password from secure";
    $result = mysql_query($sql,$con);
}
while($row = mysql_fetch_array($result,MYSQL_BOTH))
{
if($row['username'] == $name and $row['password'] == $password)
   {
     echo "welcome " .$name;
   }
     else
   {
    echo "Wrong Credentials";
   }
}
?>

This code is for a sign in form.

It's showing "Wrong Credentials" followed by "Welcome George", even if the username and password matches.

If the username and password doesn't match it shows as "Wrong Credentials" followed by another "Wrong Credentials".

  • 写回答

1条回答 默认 最新

  • dph87312 2016-01-31 18:05
    关注

    Your SQL query/logic is completely wrong.

    What you should do is check if that user and password combination exits in database using WHERE clause. But actually you are doing is fetching each row and checking for equality. In such situation you can also get n numbers of wrong credentials.

    $query = mysql_query("SELECT * FROM table WHERE userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysql_error()); 
    
    $row = mysql_fetch_array($query) or die(mysql_error()); 
    
    if(!empty($row['userName']) AND !empty($row['pass'])) { 
          echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE..."; } 
    else { 
          echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY..."; 
    }
    

    Here again a better check would be to check if number of rows==1, which is best practice and convention you should follow.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?