Code - not sure what is going on, please help:
$accountname = $_POST['logname'];
$password = $_POST['logpassword'];
echo '<br>';
$logsql = mysqli_query("SELECT Name FROM practice.users WHERE Name = $accountname and Password = $password;");
if (mysqli_num_rows($logsql) < 0) {
echo 'Account doesnt exist';
}
else {
echo 'Welcome ' . $accountname;
}
You have quite a few errors/bugs in your code.
Let's start from the top.
$logsql = mysqli_query("SELECT Name FROM practice.users WHERE Name = $accountname and Password = $password;");
mysqli_query requires a connection parameter. Using mysqli_query on a query that contains user input is also a major security risk.
Let's change this to use prepared statements.
// Note: the table name must not be wrapped in single quotes, that would turn it into a string literal
$stmt = $connect->prepare("SELECT Name FROM practice.users WHERE Name = ? AND Password = ?");
// The checks are chained with elseif so a failed prepare() is not followed by a method call on false
if(!$stmt) {
    // Something went wrong, create an error with a class to display it accordingly
    $error = [
        'msg' => 'The server could not process your request',
        'class' => 'whatever class you use for error handling',
    ];
} elseif(!$stmt->bind_param('ss', $accountname, $password)) {
    // Something went wrong, create an error with a class to display it accordingly
    $error = [
        'msg' => 'The server could not process your request',
        'class' => 'whatever class you use for error handling',
    ];
} elseif(!$stmt->execute()) {
    // Something went wrong, create an error with a class to display it accordingly
    $error = [
        'msg' => 'The server could not process your request',
        'class' => 'whatever class you use for error handling',
    ];
} else {
    // Query ran successfully, let's get the result
    $stmt->store_result();
    $rows = $stmt->num_rows;
}
Judging by the fact that you also select the password field, I suspect you are storing passwords in plain text. That is another security risk.
Hash passwords like this:
password_hash($passwordToHash, PASSWORD_DEFAULT);
And verify them like this (do not hash the entered password yourself before verifying it):
password_verify($passwordToValidate, $passwordHash);
Now check whether the user exists and log them in.
You used < 0, which will not work, since it means less than zero.
This should work:
} else {
    // Query ran successfully, let's get the result
    $stmt->store_result();
    $rows = $stmt->num_rows;
    if($rows > 0) {
        // More than 0 results, the user exists
        // session_start() must run before any output is sent (so no echo before this point)
        session_start();
        // Set a session variable for the username
        $_SESSION['username'] = $accountname;
        // Redirect the user to the secured page (optional)
        header('Location: secured-page.php');
        // Stop the script here, otherwise the rest of the page is still executed
        exit;
    } else {
        // The result is 0, the user doesn't exist
        $error = [
            'msg' => 'That user does not exist.',
            'class' => 'whatever class you use for error handling',
        ];
    }
}
Combined code for the statement and the check:
// Note: the table name must not be wrapped in single quotes, that would turn it into a string literal
$stmt = $connect->prepare("SELECT Name FROM practice.users WHERE Name = ? AND Password = ?");
// The checks are chained with elseif so a failed prepare() is not followed by a method call on false
if(!$stmt) {
    // Something went wrong, create an error with a class to display it accordingly
    $error = [
        'msg' => 'The server could not process your request',
        'class' => 'whatever class you use for error handling',
    ];
} elseif(!$stmt->bind_param('ss', $accountname, $password)) {
    // Something went wrong, create an error with a class to display it accordingly
    $error = [
        'msg' => 'The server could not process your request',
        'class' => 'whatever class you use for error handling',
    ];
} elseif(!$stmt->execute()) {
    // Something went wrong, create an error with a class to display it accordingly
    $error = [
        'msg' => 'The server could not process your request',
        'class' => 'whatever class you use for error handling',
    ];
} else {
    // Query ran successfully, let's get the result
    $stmt->store_result();
    $rows = $stmt->num_rows;
    if($rows > 0) {
        // More than 0 results, the user exists
        // session_start() must run before any output is sent (so no echo before this point)
        session_start();
        // Set a session variable for the username
        $_SESSION['username'] = $accountname;
        // Redirect the user to the secured page (optional)
        header('Location: secured-page.php');
        // Stop the script here, otherwise the rest of the page is still executed
        exit;
    } else {
        // The result is 0, the user doesn't exist
        $error = [
            'msg' => 'That user does not exist.',
            'class' => 'whatever class you use for error handling',
        ];
    }
}
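The answer above gives the pieces (prepared statement, password_hash/password_verify, session only after a successful check) but its combined code still compares the password inside the SQL. The following is an added example, not code from the question or the answer, that puts the advice together the way it is meant to work: the user is looked up by name only, and the password is checked in PHP with password_verify against the stored hash. To run offline it uses PDO with an in-memory SQLite database instead of mysqli (with mysqli the same flow is $connect->prepare(), bind_param(), execute()); the table layout, the column names and the demo user are assumptions made for this example.

```php
<?php
// Added example, not from the original post. Assumptions: a users table with
// Name and PasswordHash columns, PDO + SQLite (in-memory) instead of mysqli.

function createDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Only the hash is stored, never the plaintext password.
    $db->exec('CREATE TABLE users (Name TEXT PRIMARY KEY, PasswordHash TEXT NOT NULL)');
    return $db;
}

function registerUser(PDO $db, string $name, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (Name, PasswordHash) VALUES (?, ?)');
    $stmt->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}

// Look the user up by name only; the password never becomes part of the SQL.
// The comparison is done in PHP by password_verify(), which understands the
// hash format and compares in constant time.
function login(PDO $db, string $name, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        // Used when the user does not exist, so both paths do one hash
        // computation and usernames cannot be enumerated by timing.
        $dummyHash = password_hash('dummy-password', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT PasswordHash FROM users WHERE Name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $row['PasswordHash']);
}

$db = createDemoDb();
registerUser($db, 'alice', 'correct horse battery staple');   // constructed demo user

var_dump(login($db, 'alice', 'correct horse battery staple')); // known user, right password
var_dump(login($db, 'alice', 'wrong password'));               // known user, wrong password
var_dump(login($db, 'bob', 'correct horse battery staple'));   // unknown user
// An injection attempt in the name field is bound as a literal string and matches nobody.
var_dump(login($db, "alice' OR '1'='1", 'anything'));
```

Only the first call returns true. In a real login page the true branch is where session_start() (before any output, so the question's echo '<br>' has to go), session_regenerate_id(true), $_SESSION['username'] = $name, header('Location: ...') and exit belong. Both failure cases should show the same message ("invalid username or password") so the response does not reveal which usernames exist.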
// WITHOUT TAKING SECURITY INTO CONSIDERATION AND BEST PRACTICES, CONSIDER THE BELOW
$accountname = $_POST['logname'];
$password = $_POST['logpassword'];
echo '<br>'; // WHY THIS LINE BREAK?
//$logsql = mysqli_query("SELECT Name FROM practice.users WHERE Name = $accountname and Password = $password;");
// ADD A CONNECTION BEFORE THE QUERY, SEPARATED BY A COMMA
// ADD SINGLE QUOTES AROUND THE '$accountname' AND '$password' VARIABLES
$logsql = mysqli_query($connection, "SELECT Name FROM practice.users WHERE Name = '$accountname' AND Password = '$password'");
// COMPARE WITH == 0, NOT < 0: A ROW COUNT IS NEVER NEGATIVE
if (mysqli_num_rows($logsql) == 0) {
echo 'Account doesnt exist';
}
else {
echo 'Welcome ' . $accountname;
}
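Quoting the interpolated variables makes the query syntactically valid, but it does not make it safe: anything the user types is still parsed as SQL. The following added example, not part of the answer above, runs the answer's quoted-variable query and a placeholder version against the same attacker input. It uses PDO with an in-memory SQLite database so no MySQL server is needed; the table, the stored user and the attacker input are constructed for this demo.

```php
<?php
// Added example, not part of the answer. Assumptions: PDO + SQLite in place of
// mysqli, a users table with Name and Password columns, one stored user.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (Name TEXT, Password TEXT)');
$db->exec("INSERT INTO users VALUES ('admin', 's3cret')");   // constructed demo user

// The answer's pattern: quoted variables inside the SQL string. Returns the
// number of matching rows, i.e. what mysqli_num_rows() would report.
function loginInterpolated(PDO $db, string $accountname, string $password): int
{
    $sql = "SELECT Name FROM users WHERE Name = '$accountname' AND Password = '$password'";
    return count($db->query($sql)->fetchAll());
}

// The same query with placeholders: the input is bound as data and never parsed as SQL.
function loginPrepared(PDO $db, string $accountname, string $password): int
{
    $stmt = $db->prepare('SELECT Name FROM users WHERE Name = ? AND Password = ?');
    $stmt->execute([$accountname, $password]);
    return count($stmt->fetchAll());
}

// Constructed attacker input: the quote closes the Name literal and "--" turns
// the rest of the WHERE clause, including the password check, into a comment.
// The interpolated SQL becomes:
//   SELECT Name FROM users WHERE Name = 'admin' -- ' AND Password = 'wrong'
$attackerName = "admin' -- ";

echo "interpolated: ", loginInterpolated($db, $attackerName, 'wrong'), " row(s)\n"; // admin row matched without the password
echo "prepared:     ", loginPrepared($db, $attackerName, 'wrong'), " row(s)\n";     // name compared literally, nothing matched
echo "legit:        ", loginPrepared($db, 'admin', 's3cret'), " row(s)\n";          // the real credentials still work
```

The interpolated version logs the attacker in as admin with no password at all, while the prepared version matches only the genuine credentials. Escaping with mysqli_real_escape_string() would block this particular payload, but placeholders remove the whole class of problem and are the form the other answer recommends.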