•  01-09-2022
  •  | 
  •  

I've been modifying my code but I still can't log in... I have a MySQL database with a database called "users" with a table called "Users" and the following rows "UserNameID", "userName" and "password". I have created just an entry in order to test that:

+------------+----------+-----------+
| UserNameID | userName | password  |
+------------+----------+-----------+
|          1 | root     | pass      |
+------------+----------+-----------+

Here my code:

<!DOCTYPE html>

<?php session_start(); ?>

<html>
    <head>
        <title>File1</title>
    </head>
    <body>
    <?php

    $DB_connection = mysqli_connect("localhost","user1","user1","users") or die("ERROR. Failed to connect to MySQL." . mysqli_error($DB_connection));

    function SignIn() {
    $usr = $_POST['user'];
    $pw = $_POST['pwd'];
    if(!empty($usr)) {
        $query = mysql_query("SELECT * FROM Users where userName = '$usr' AND password = '$pw'");
        $result = mysqli_query($DB_connection,$query);
        if($result) {
            while($row = mysqli_fetch_array($result)) {
                echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE..."; }
        } else {
            echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY..."; } }
    }

    SignIn();
    mysqli_close($DB_connection);
    ?>
    </body>
</html>

When I introduce a wrong password or username, it gives me "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...". However, it throws me the same when I put the correct password and username. What is wrong in my code?

Thanks a lot!

有帮助吗?

解决方案

There numerous issues here. There are scoping issues, you are using the wrong methods, it's unsafe.

First off, these 2 lines:

$query = mysql_query("SELECT * FROM Users where userName = '$usr' AND password = '$pw'");
$result = mysqli_query($DB_connection,$query);

That's not how you query a database. You only need to call either mysql_query or mysqli_query depending on what API you are using. You are using MySQLi in this case, so do this:

$query = "SELECT * FROM Users where userName = '$usr' AND password = '$pw'";
$result = mysqli_query($DB_connection,$query);

Second, your SignIn function can't access the $DB_connection variable, it's out of scope. You need to pass it in:

function SignIn($DB_connection){
}

SignIn($DB_connection);

Third, this code is very unsafe! Never use $_POST directly in an SQL query like that. You should never be concatenating variables into an SQL string, you should use prepared statements.

// Don't use "SELECT *", use the fields you want
$query = mysqli_prepare($DB_connection, 'SELECT user_id FROM Users where userName = ? AND password = ?');

// This sends the values separately, so SQL injection is a thing of the past
mysqli_stmt_bind_param($query, 'ss', $usr, $pw);

// Run the query
mysqli_stmt_execute($query);

// Prepared statements require to define exactly the fields you want
mysqli_stmt_bind_result($query, $user_id);

// Get the data
while(mysqli_stmt_fetch($query)){    
    echo $user_id;
}

mysqli_stmt_close($query);

Lastly, storing plaintext passwords is bad practice. Use a hashing library. PHP 5.5+ has one built-in (http://php.net/password). There's also a version for lesser PHP versions (https://github.com/ircmaxell/password_compat).

P.S. As pointed out in the comments (here's a link), your session_start() is in the wrong spot. That sends a header, so it requires that there be nothing echoed out before it.

<?php session_start(); ?>
<!DOCTYPE html>
<html>

Make sure that there is no whitespace (or anything) before the session_start().

其他提示

Your problem is here:

$query = mysql_query("SELECT * FROM Users where userName = '$usr' AND password = '$pw'");

This should instead be

$query = "SELECT * FROM Users where userName = '$usr' AND password = '$pw'";

You're then passing the query string rather than a resource to mysqli_query.

(Also, refer to Shankar Damodaran's answer regarding the scope issue: pass $DB_connection to the SignIn function).

As a side note, you shouldn't use posted data directly into the query. You're at risk of SQL injection. Look into sanitizing the data or, preferably, prepared statements.

First of all, you are running into scope issues here.

In this line...

 $result = mysqli_query($DB_connection,$query);

The variable $DB_connection is not accessible inside your SignIn() and thus your query is getting failed. Also you are mixing mysql_* (deprecated) functions with mysqli_* functions.

This simple and small code snippet for the login might help you..

    $con = mysqli_connect("localhost","user1","user1","users") or die("ERROR. Failed to       connect to MySQL." . mysqli_error($con));

    $username = $_POST['username'];
    $password = $_POST['userpassword'];

    $result = mysqli_query($con,"SELECT * FROM users WHERE user_name = '$username' and user_password='$password'");

    $count=mysqli_num_rows($result); // get total number of rows fetched. needs only 1 row for successful login.

if($count==1){
     //Login successful
    }
else{       
    //Login unsuccessful

}

It will fetch a row if the entered username and password are matched.It will fetch only one row as the username and password will be unique. If the count of rows fetched is '1' you can have successful login.

许可以下: CC-BY-SA归因
不隶属于 StackOverflow
scroll top