用户名正确但密码错误它不会重定向

Question

我的 PHP 站点正在连接到 SQL Server 数据库，然后创建会话并重定向到“仪表板”：

• 如果用户名和密码错误，它会重定向 - 效果很好。
• 如果用户名存在但密码错误，则无法重新加载？

看起来很简单，但我遇到了麻烦，请帮忙。

还有让这段代码更好的建议也很好:)

<?php

session_start();

if ( ! empty( $_POST ) ) {

    if ( isset( $_POST['username'] ) && isset( $_POST['password'] ) ) {

        $username = $_POST['username']; 
        $password = $_POST['password'];

        $connectionInfo = array( "Database"=>"WebUIUsers", "UID"=>"DBUser", "PWD"=>"Password1234");
        $conn = sqlsrv_connect( "sqlserver01", $connectionInfo);

            if( $conn ) {
                // Connection established

                $sql = "SELECT * FROM tbl_webui_users WHERE username='$username'";
                $stmt = sqlsrv_query( $conn, $sql );

                if(!(sqlsrv_fetch_array( $stmt )) >=1){
                    header("Location: ./index.php");
                }

                // if username exists but password is wrong redirect to try again ?

                    while( $row = sqlsrv_fetch_array( $stmt ) ) {

                        if( $row[password] === $password ) {

                            $_SESSION['user_session'] = $username;
                            header("Location: ./dashboard.php");
                            sqlsrv_free_stmt( $stmt);
            
                        }else{
                            header("Location: ./index.php");
                        } //end if( $row[password] == $password )

                    } //end while( $row = sqlsrv_fetch_array( $stmt ) )

            }else{
                
                echo "Connection to database could not be established.";
                ( print_r( sqlsrv_errors(), true));

            } //end if( $conn )
 
    } //end if

} // end if

?>

Answer 1

这种意外行为的实际原因是您调用了两次sqlsrv_fetch_array()，所以while ($row = sqlsrv_fetch_array($stmt)) { ... } 根本不会返回任何行。

但您至少需要考虑以下几点：

• 始终在语句中使用参数以防止可能的 SQL 注入问题。正如documentation 中提到的... sqlsrv_query 函数既可以进行语句准备，也可以执行语句，并且可以用于执行参数化查询。
• 不要在数据库中以明文形式存储密码。

以下基于您的代码的基本示例是您问题的可能解决方案：

<?php
session_start();
if (!empty($_POST)) {

    if (isset($_POST['username']) && isset($_POST['password'])) {

        $username = $_POST['username']; 
        $password = $_POST['password'];
        
        $connectionInfo = array("Database"=>"WebUIUsers", "UID"=>"DBUser", "PWD"=>"Password1234");
        $conn = sqlsrv_connect("sqlserver01", $connectionInfo);
        if ($conn === false) {
            //echo "Connection to database could not be established: ".print_r(sqlsrv_errors(), true);
            header("Location: ./index.php");
            exit;
        }   

        $sql = "SELECT * FROM tbl_webui_users WHERE username = ?";
        $prms = array($username);
        $stmt = sqlsrv_query($conn, $sql, $prms);
        if ($stmt === false) {
            //echo "Error (sqlsrv_query): ".print_r(sqlsrv_errors(), true);
            header("Location: ./index.php");
            exit;
        }   
        
        // User doesn't exists
        if (!sqlsrv_has_rows($stmt)) {
            header("Location: ./index.php");
            exit;
        }   
        
        // User exists, but the password is wrong
        $row = sqlsrv_fetch_array($stmt));
        if ($row === false) {
            header("Location: ./index.php");
            exit;
        }   
        if ($row["password"] === $password) {
            $_SESSION['user_session'] = $username;
            header("Location: ./dashboard.php");
        } else {
            header("Location: ./index.php");
        }
    }

}

?>