检查用户名和密码,PHP
问题描述:
我试图创建一个PHP的用户名和密码检查,但不能让它的工作,这里是代码:检查用户名和密码,PHP
<?php
$servername = "iphere";
$user = "userhere";
$pass = "passwordhere";
$dbname = "databasehere";
try {
$username = $_GET['username'];
$password = $_GET['password'];
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $user, $pass);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $conn->prepare("SELECT username FROM users WHERE username = :name AND password = :password");
$stmt->bindParam(':name', $username);
$stmt->bindParam(':password', $password);
$stmt->execute();
$result = $stmt->setFetchMode(PDO::FETCH_ASSOC);
if($username == $result && $password == $result)
{
echo "OK";
}
else
{
echo "not OK";
}
}
catch(PDOException $e) {
echo "Error";
}
$conn = null;
?>
它不给任何错误或任何东西。它只是回声好,那就是它。顺便说一句,我用GET来做我的另一个项目。所以我稍后会改变它。
答
除非有一个错误,这一点:
$result = $stmt->setFetchMode(PDO::FETCH_ASSOC);
永远是布尔值true。
然后,您可以执行此测试:
if($username == $result && $password == $result)
非空字符串将总是等于true。
计数从数据库返回的行数。
+0
谢谢,我修好了:)我完全在这个新的。 – flyingFISH
答
然后,我会使用的代码会是这样的(没有测试,小心):
忽略的事实是:
- 你的密码是明文你使用bindParam无故
$stmt = $pdo->prepare("SELECT COUNT(*) AS user_exists FROM users WHERE username = :username AND password = :password");
$stmt->execute([':username' => $username, ':password' => $password]);
// This will return the value of first column, our query will always produce 1 row with 1 column
$exists = $stmt->fetchColumn();
// If you are using MySQL ND (native driver), then the above result will be
// accurately represented as an integer so we can use it in an if() statement like this
if($exists)
{
echo "OK!";
}
else
{
echo "Not ok!";
}
+0
谢谢,现在工作:) – flyingFISH
**危险**:“根本不哈希”是[不适合的哈希算法](http:// php达网络/手动/ EN/faq.passwords.php);你需要[更好地照顾](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet)你的用户密码。 – Quentin
也许是'print_r($ result)'的时候了? –
从来没有**永远**以明文存储密码 – litelite