this is my php code
$con=mysqli_connect("","","","");
if (mysqli_connect_errno()) { echo "Failed to connect to MySQL: " . mysqli_connect_error();
}\\check connection
$username = mysqli_real_escape_string($con, $_POST["username"]); $password=mysqli_real_escape_string($con$_POST["password"]); \\get the input values
if ($_SERVER["REQUEST_METHOD"] == "POST")\\check for the form method
{
session_start();\\start the session
if(!empty($_POST["username"]))
{
if(!empty($_POST["password"]))
{\\ if the username and password is not empty,then execute the query
$res=("SELECT * FROM personal WHERE username='".$username."' password='".$password."') or die(mysqli_error());\\get the row value accoring to the input username and password
if(mysqli_num_rows($res) == 1)\\to check the number of rows, if it is 1 then execute the loop
{
$row = mysqli_fetch_array($res,MYSQLI_ASSOC);
$user = $row['username'];
$pass = $row['password'];\\assign the row values to the variables
if ($password != $pass)
{
echo"Please Register your details";
} \\if not match
else{
header("Location:home.php");
}\\else goto home page
}
else{
echo"Enter the Valid Password";\\error message
}
}
else {
echo"Enter the Valid Username";\\error message
}
}
mysqli_free_result($res);
}
mysqli_close($con);\\close connection
and my html form is
Sign-In\\title of the pageUsername:
\\get user name
Password:
get the password
\post the details
\\close formIf you are not a exsiting user go to Register
\\ link to the next page\\close html file
解决方案
https://codereview.stackexchange.com/ would be a better place for stuff like this. It's absolutely unclear what you're actually asking, therefore I just refactored your PHP code and hope this might help.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$username = filter_input(INPUT_POST, "username", FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
$password = filter_input(INPUT_POST, "password", FILTER_UNSAFE_RAW);
if ($username && $password) {
try {
$connection = new \mysqli("localhost", "root", "password", "database");
$stmt = $connection->prepare("SELECT `id`, `password` FROM `personal` WHERE `username` = ? LIMIT 1");
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->bind_result($id, $hash);
$found = $stmt->fetch();
if ($found === true && password_verify($password, $hash)) {
session_start();
}
else {
echo "We either don't know the username or the password was wrong.";
}
$stmt->close();
$connection->close();
}
catch (\mysqli_sql_exception $e) {
echo "An error ocurred while communicating with the database, please hang in there until it's fixed.";
}
}
else {
echo "Please enter a username and a password.";
}
Use exceptions instead of checking the returned values of each function and/or calling additional methods.
Use object oriented code for better readability.
Use prepared statements to ensure that no SQL injection is possible.
Use PHP's built-in password functions.
Use PHP's built-in filter functions.
Don't tell the client what really went wrong (unknown username and/or wrong password).
扫一扫
1464
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
