【发布时间】:2013-12-27 13:21:41
【问题描述】:
编辑: 现在我还有其他问题。它总是给我一个错误。正确的错误,但仍然不应该。我的意思是,如果我输入电子邮件,它会写给我“电子邮件或密码不正确”。如果我写名字,它会写“名字或密码不正确”。即使我写的是正确的细节。
已修复:我不知道为什么,但如果我填写了两个字段,它就会显示“成功”。我在田野里写什么并不重要。在用户数据库中,我有 id、用户名、名字、姓氏、电子邮件和密码。此登录表单应检测用户输入的内容:电子邮件、姓名或用户名。如果有多个用户具有相同的名称(第一个或最后一个),则不允许他使用该名称登录 - 只能使用用户名或密码。用户名只能包含英文字母和数字以及 _ 但不能包含空格。名字和姓氏只包含字母,不包含空格。每次更新(更改密码、用户名等)都保存在不同行的“用户”表中。当前行(具有最新信息)写入“操作”列“当前”或“注册”(如果用户尚未更改信息)。
<?php
$name = $_POST["email"];
$password = md5($_POST["password"]);
$right = false;
if(filter_var($name, FILTER_VALIDATE_EMAIL))
{//is email
$query=mysqli_query($mysqli, "SELECT * FROM user WHERE email='".$name."' AND password='".$password."' AND (action='current' OR action='register')");
if(mysqli_num_rows($query) != 1)
{
echo "Email OR password are incorrect.";
}else{
$right = true;
$row = mysqli_fetch_array($query);
$userid = $row['id'];
}
}elseif(!empty($name))
{
$array = explode(' ', $name);
//detect if needs username of regular login
if(count($array) == 1) //username
{
$query=mysqli_query($mysqli, "SELECT * FROM user WHERE username='".$array[0]."' AND password='".$password."' AND (action='current' OR action='register')");
if(mysqli_num_rows($query) == 1)
{ //yes
$right = true;
$row = mysqli_fetch_array($query);
$userid = $row['id'];
}
else
{ //no
echo '<b>Username OR password are incorrect.</b> Note that if you tried to log in with your name, you need to enter the first AND last name as you entered them in the registry.';
}
}
elseif(count($array) == 2) //regular
{
$query1=mysqli_query($mysqli, "SELECT * FROM user WHERE firstname='".$array[0]."' AND lastname='".$array[1]."' AND (action='current' OR action='register')");
$query2=mysqli_query($mysqli, "SELECT * FROM user WHERE firstname='".$array[1]."' AND lastname='".$array[0]."' AND (action='current' OR action='register')");
if (mysqli_num_rows($query1) == 1 && (mysqli_num_rows($query1) != mysqli_num_rows($query2)))
{ //no need for username
$query=mysqli_query($mysqli, "SELECT * FROM user WHERE firstname='".$array[0]."' AND lastname='".$array[1]."' AND password='".$password."' AND (action='current' OR action='register')");
if(mysqli_num_rows($query) == 1)
{
$right = true;
$row = mysqli_fetch_array($query);
$userid = $row['id'];
}
}
elseif(mysqli_num_rows($query2) == 1 && (mysqli_num_rows($query1) != mysqli_num_rows($query2)))
{
$query=mysqli_query($mysqli, "SELECT * FROM user WHERE firstname='".$array[1]."' AND lastname='".$array[0]."' AND password='".$password."' AND (action='current' OR action='register')");
if(mysqli_num_rows($query) == 1)
{
$right = true;
$row = mysqli_fetch_array($query);
$userid = $row['id'];
}
}
else
{
echo 'Unfortunately you can not log in with your name. Please enter a user name (which you received by email) OR email address in ORDER to connect';
}
}
else //error
{
echo 'Error Input Email';
}
}
else
{
echo 'Please fill all the fields.';
}
if($right){
setcookie("userid", $userid, time() + 60 * 60 * 24 * 30, "/");
setcookie("password", $password, time() + 60 * 60 * 24 * 30, "/");
echo 'Success!';
}
?>
谢谢
【问题讨论】:
-
具体错误是什么?您尝试了什么,什么没有奏效?
-
您的脚本易受 SQL 注入攻击;你应该阅读how to prevent them。
-
@MarcelBalzer 无论我在输入中写什么,如果它们不为空,我都会收到“成功”。
-
@DarkBee 是也不是。是的准备好的语句,而不是
mysql_我相信你的意思是mysqli_;-) "Prepared statements > mysql_real_escape_string imho" -
这是一个好的开始 => php.net/password 和这个在 SO => stackoverflow.com/questions/1581610/…
标签: php sql login mysqli login-script