我不能让我的login表单连接与mySQL数据库正常交互

我想要发生的是用户使用用户名和密码login,如果这些数据与数据库中的数据匹配。 当我尝试我没有得到任何错误,但它不起作用。 我在Dreamweaver中使用HTML和PHP,并使用phpMyAdmin的WAM。 我将包括表单文件和随附的php文档:

loginpage.php

<?php include('login.php'); // Includes Login Script if(isset($_SESSION['login_user'])){ header("location: index.php"); } ?> <table width="15px" border="0"> <form form action='login.php' method='POST'> <tr> <td>Username</td> <td><input type="text" name="username" /></td> </tr> <tr> <td>Password</td> <td><input type="password" name="password" /></td> </tr> <tr> <td><input type="submit" name="submit" value="submit"/></td> </tr> </form> 

的login.php

  <html> <head> <title>Login</title> </head> <body> <?php session_start(); // Starting Session $error=''; // Variable To Store Error Message if (isset($_POST['submit'])) { if (empty($_POST['username']) || empty($_POST['password'])) { $error = "Username or Password is invalid"; } else { // Define $username and $password $username=$_POST['username']; $password=$_POST['password']; // Establishing Connection with Server by passing server_name, user_id and password as a parameter $hostname= "localhost"; $database = "boost"; $username = "root"; $password = ""; $localhost = mysqli_connect($hostname, $username, $password, $database); if(mysqli_connect_errno()) { die("Connection Failed".mysqli_error()); } // SQL query to fetch information of registerd users and finds user match. $sql = "SELECT * FROM `users`"; $query = mysqli_query($localhost,$sql); if(!$query) { die("Query Failed".mysqli_error($localhost)); } $rows = mysqli_num_rows($query); if ($rows == 1) { $_SESSION['login_user']=$username; // Initializing Session echo "You are now logged on!"; } else { $error = "Username or Password is invalid"; } mysqli_close($localhost); // Closing Connection } } ?> </body> </html> 

这个答案是哈希, password_hash()和password_verify() 。 对于mysqli和pdo。 底部的链接有更多的链接和关于盐等的一些语言。

select和插入不直接使用用户提供的数据是至关重要的。 而是绑定参数并调用预处理语句以避免sql注入攻击 。 永远不要将密码保存在数据库中的明文(明文)中。 相反,他们应该通过单向散列发送。

另请注意。 这显示注册哈希和loginvalidation。 这是不是完整的function,我试图ock编码十十块钱…这样,它显示重新注册的电子邮件地址(login)已经存在,不更新,介意你。 在这种情况下,由于在db中设置了唯一键,插入操作将会失败。 我把这个留给你,读者,做查找,并说“电子邮件已经注册”。

架构

 CREATE TABLE `user_accounts2` ( `id` int(11) NOT NULL AUTO_INCREMENT, `email` varchar(100) NOT NULL, `password` varchar(255) NOT NULL, PRIMARY KEY (`id`), unique key(email) -- that better be the case ) ENGINE=InnoDB; 

在运行register.php并保存用户之后,数据可能如下所示:

 select * from user_accounts2; +----+-----------+--------------------------------------------------------------+ | id | email | password | +----+-----------+--------------------------------------------------------------+ | 1 | d@d.com | $2y$10$U6.WR.tiOIYNGDWddfT7kevJU8uiz8KAkdxXpda9e1xuplhC/eTJS | +----+-----------+--------------------------------------------------------------+ 

首先mysqli部分

register.php

 <?php mysqli_report(MYSQLI_REPORT_ALL); error_reporting(E_ALL); // report all PHP errors ini_set("display_errors", 1); // display them session_start(); if(isset($_SESSION['userid'])!="") { // you are already logged in as session has been set header("Location: safe.php"); // note that this re-direct will at the top of that page // ... and there to verify the session state so no tricks can be performed // no tricks and gimmicks } if(isset($_POST['register'])) { $email = $_POST['email']; $ctPassword = $_POST['password']; // cleartext password from user $hp=password_hash($ctPassword,PASSWORD_DEFAULT); // hashed password using cleartext one // pretend the following is locked in a vault and loaded but hard coded here $host="yourhostname"; $dbname="dbname"; $user="dbuser"; $pwd="password"; $port=3306; // comes along for the ride so I don't need to look up param order below // end pretend try { $mysqli= new mysqli($host, $user, $pwd, $dbname,$port); if ($mysqli->connect_error) { die('Connect Error (' . $mysqli->connect_errno . ') ' . $mysqli->connect_error); } //echo "I am connected and feel happy.<br/>"; $query = "INSERT INTO user_accounts2(email,password) VALUES (?,?)"; $stmt = $mysqli->prepare($query); // note the 2 s's below, s is for string $stmt->bind_param("ss", $email,$hp); // never ever use non-sanitized user supplied data. Bind it $stmt->execute(); // password is saved as hashed, will be verified on login page with password_verify() $iLastInsertId=$mysqli->insert_id; // do something special with this (or not) // redirect to some login page (for now you just sit here) $stmt->close(); $mysqli->close(); } catch (mysqli_sql_exception $e) { throw $e; } } ?> <html> <head> <title>Register new user</title> </head> <body> <div id="reg-form"> <form method="post"> <table> <tr> <td><input type="email" name="email" placeholder="Email" required /></td> </tr> <tr> <td><input type="password" name="password" placeholder="Password" required /></td> </tr> <tr> <td><button type="submit" name="register">Register</button></td> </tr> <tr> <td><a href="index.php">Normal Login In Here</a></td> </tr> </table> </form> </div> </body> </html> 

的login.php

 <?php mysqli_report(MYSQLI_REPORT_ALL); error_reporting(E_ALL); // report all PHP errors ini_set("display_errors", 1); // display them session_start(); if(isset($_SESSION['userid'])!="") { // you are already logged in as session has been set header("Location: safe.php"); // note that this re-direct will at the top of that page // ... and there to verify the session state so no tricks can be performed // no tricks and gimmicks } if(isset($_POST['login'])) { $email = $_POST['email']; $ctPassword = $_POST['password']; // cleartext password from user // pretend the following is locked in a vault and loaded but hard coded here $host="yourhostname"; $dbname="dbname"; $user="dbuser"; $pwd="password"; $port=3306; // comes along for the ride so I don't need to look up param order below // end pretend try { $mysqli= new mysqli($host, $user, $pwd, $dbname,$port); if ($mysqli->connect_error) { die('Connect Error (' . $mysqli->connect_errno . ') ' . $mysqli->connect_error); } //echo "I am connected and feel happy.<br/>"; $query = "select id,email,password from user_accounts2 where email=?"; $stmt = $mysqli->prepare($query); // note the "s" below, s is for string $stmt->bind_param("s", $email); // never ever use non-sanitized user supplied data. Bind it $stmt->execute(); $result = $stmt->get_result(); if ($row = $result->fetch_array(MYSQLI_ASSOC)) { $dbHashedPassword=$row['password']; if (password_verify($ctPassword,$dbHashedPassword)) { echo "right, userid="; $_SESSION['userid']=$row['id']; echo $_SESSION['userid']; // redirect to safe.php (note safeguards verbiage at top of this file about it) } else { echo "wrong"; // could be overkill here, but in logout.php // clear the $_SESSION['userid'] } } else { echo 'no such record'; } // remember, there is no iterating through rows, since there is 1 or 0 (email has a unique key) // also, hashes are one-way functions in the db. Once you hash and do the insert // there is pretty much no coming back to cleartext from the db with it. you just VERIFY it $stmt->close(); $mysqli->close(); } catch (mysqli_sql_exception $e) { throw $e; } } ?> <html> <head> <title>Login</title> </head> <body> <div id="reg-form"> <form method="post"> <table> <tr> <td><input type="email" name="email" placeholder="Email" required /></td> </tr> <tr> <td><input type="password" name="password" placeholder="Password" required /></td> </tr> <tr> <td><button type="submit" name="login">Login</button></td> </tr> </table> </form> </div> </body> </html> 

下面的pdo部分

当我有时间,可能明天,但现在我指出你的这个答案 。