使用 SQL 检查用户是否存在于数据库中

Question

我正在尝试检查一个名为members 的表，以查看用户是否存在并使用它的电子邮件和密码。我能够连接到数据库，但由于某种原因，它会跳过所有这些if 语句并回显'You have been logged in!'，即使我输入了错误的电子邮件或密码？这是html和php：

<form action="/login-user" method="POST">
    Email: <input type="text" name="login_email"><br>
    Password: <input type="password" name="login_password"><br>
    <button type="submit">Login</button>
</form>

PHP：

<?php
    session_start();
    /*error_reporting(0);*/

    require 'users/functions/user-functions.php';

    require 'users/connect-database.php';

    if (empty($_POST) === false) {
        $email = mysqli_real_escape_string($connection, $_POST['login_email']);
        $password = stripslashes(mysqli_real_escape_string($connection, $_POST['login_password']));
        $encrypted_password = md5($password);
        if (empty($email)) {
            echo 'You need to enter an email<br>';
        } else if (empty($password)) {
            echo 'You need to enter a password<br>';
        } else if(user_exists($connection, $email, $encrypted_password) === false) {
            echo 'You don\'t seem to be registered?';
        } else if (user_active($connection, $email, $encrypted_password) === false) {
            echo 'You haven\'t activated your account!';
        } else {
            $login = login($connection, $email, $encrypted_password);
            if ($login === false) {
                echo 'That email/password combination is incorrect';
            } else {
                $_SESSION['user_id'] = $login;
                $_SESSION['logged_in'] = true;
                echo 'You have been logged in!';
            }
        }
    /*print_r($errors);*/
} else {
    echo 'inputs were empty<br>';
}
require 'users/disconnect-database.php';
?>

文件内容'user-functions.php'：

<?php
    function sanitize($connection, $data) {
        return mysqli_real_escape_string($connection, $data);
    }
    function logged_in() {
        return $_SESSION['logged_in'];
    }
    function user_exists($connection, $email, $password) {
        $query = mysqli_num_rows(mysqli_query($connection, "SELECT * FROM members WHERE email = '$email' AND password = '$password'"));
        return ($query > 0) ? true : false;
    }
    function user_active($connection, $email, $password) {
        $query = mysqli_query($connection, "SELECT user_id FROM members WHERE email = '$email' AND password = '$password' AND `active` = 1");
        return ($query !== false) ? true : false;
    }
    function return_user_id($connection, $email, $password) {
        return mysqli_query($connection, "SELECT user_id FROM members WHERE email = '$email' AND password = '$password'");
}
    function login($connection, $email, $password) {
        /*$user_id = mysql_result(mysqli_query($connection, "SELECT user_id FROM members WHERE email = '$email' AND password = '$password'"), 0, 'user_id');*/
        /*$password = md5($password);*/
        $query = mysqli_query($connection, "SELECT user_id FROM members WHERE email = '$email' AND password = '$password'");
        /*return (mysqli_query($connection, $query) or die (false));*/
        if ($query === false) {
            return false;
        } else {
            return $query;
        }
    /*return ($query !== false) ? true : false;*/
    }
    function log_out() {
        unset($_SESSION['logged_in']);
        session_unset();         
        session_destroy();
    }
?>

如果答案是使用mysql_result 或mysqli_result，请详细解释，因为即使阅读了手册和 W3Schools 以及其他任何地方，我仍然不明白这些功能是如何工作的。

感谢您的任何回答，顺便说一句，我have阅读了有关此内容的所有其他帖子，但没有找到任何答案。谢谢。

Answer 1

首先，我真的建议使用 sha 来加密密码，因为 md5 很快就被解密了。

对于您的登录功能，请尝试以下操作：

<?php
function login($connection, $email, $password) {
    $query = mysqli_query($connection, "SELECT `email`, `password` FROM `members` WHERE `email` = '$email' AND `password` = '$password'");
    $count = mysqli_num_rows($query); //counting the number of returns

    //if the $count = 1 or more return true else return false
    if($count >= 1) {
        return true;
    } else {
        return false;
    }
}
?>

脚本返回 true 后，您可以设置会话或执行您需要对其执行的操作。

编辑每个文件都需要session_start，所以最好的办法就是包含它。 我希望这行得通，我输入得很快，所以可能会有一些错误，但请告诉我：

<?php
function generate($password) {
    $password = hash('sha1', $password);
    return $password;
}

function login($connection, $email, $password) {
    $password = generate($password);

    $query = mysqli_query($connection, "SELECT `email`, `password` FROM `members` WHERE `email` = '$email' AND `password` = '$password'");
    $count = mysqli_num_rows($query); //counting the number of returns

    //if the $count = 1 or more return true else return false
    if($count >= 1) {
        return true;
    } else {
        return false;
    }
}

function exists($connection, $detail, $table, $row, $value) {
    $query = mysqli_query($connection, "SELECT `$detail` FROM `$table` WHERE `$row` = '$value'");
    $count = mysqli_num_rows($query);

    if($count >= 1) {
        return true;
    } else {
        return false;
    }
}

function detail($connection, $detail, $table, $row, $value) {
    $query = mysqli_query($connection, "SELECT `$detail` FROM `$table` WHERE `$row` = '$value'");
    $associate = mysqli_fetch_assoc($query);

    return $associate[$detail];
}

function errors($error) {
    echo '<ul class="error">';
    foreach($error as $fault) {
        echo '<li>'.$fault.'<li>';
    }
    echo '</ul>';
}

function isLoggedIn() {
    if(!empty($_SESSION['logged_in']) && exists($connection, 'id', 'members', 'id', $_SESSION['logged_in']) == true) {
        return true;
    } else {
        return false;
    }
}

function logout() {
    unset($_SESSION['logged_in']);
}

if($_POST) {
    $email = mysqli_real_escape_string($connect, strip_tags($_POST['email']));
    $password = mysqli_real_escape_string($connect, strip_tags($_POST['password']));

    if(!empty($email) && !empty($password)) {
        if(!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $error[] = 'Your email: '.$email.' is not valid';
        }

        if(exists($connection, 'email', 'members', 'email', $email) == false) {
            $error[] = 'You are not registered';
        }

        if(detail($connection, 'active', 'members', 'email', $email) != 1) {
            $error[] = 'Your account is not activated';
        }

        if(empty($error)) {
            $query = login($connection, $email, $password);

            if($query == true) {
                $_SESSION['logged_in'] == detail($connection, 'id', 'members', 'email', $email);
            }
        }
    } else {
        $error[] = 'There are empty fields';
    }

    if(!empty($error)) {
        echo errors($error);
    }
}
?>

<form action="" method="POST">
    Email: <input type="text" name="email"><br>
    Password: <input type="password" name="password"><br>
    <input type="submit" value="Login">
</form>