あなたのPHP
<?php
session_start();
if (isset($_POST['username']) && isset($_POST['password'])) {
include_once("db.php");
$username = mysqli_real_escape_string($sqlcon, $_POST['username']);
$password = mysqli_real_escape_string($sqlcon, $_POST['password']);
// If you want to make sure username is alphanumeric, you can do
// $username = preg_replace('/[^a-zA-Z0-9]/', '', mysqli_real_escape_string($sqlcon, $_POST['username']));
// Do not use these, mysqli_real_escape_string is enough to prevent injection attacks. Furthermore, you may be compromising user security by remove special characters in passwords.
// $username = strip_tags($_POST['username']);
// $password = strip_tags($_POST['password']);
// $username = stripslashes($username);
// $password = stripslashes($password);
// $password = md5($password); This is very susceptibile to rainbow table attacks, do something like a loop
for ($i = 0; $i < 1000; $i ++) {
$password = md5($password . $username); // Looping the md5 a thousand times and salting it with the username is good practice too.U
}
$userQuery = "SELECT * FROM users WHERE username = '" . $username . "' LIMIT 1";
$user = mysqli_query($sqlcon, $userQuery);
if (mysqli_num_rows($user) > 0) { // If user exists,
$user = mysqli_fetch_assoc($user); // mysqli_fetch_arrays put values into $user[0], $user[1], etc.
$id = $user['id'];
$databasepass = $user['password'];
if ($password === $databasepass) {
$_SESSION['username'] = $username;
$_SESSION['id'] = $id;
header("Location: index.php");
} else {
echo "Password is incorrect";
}
} else {
echo "Username does not exist";
}
} else {
echo "Username or Password not filled in";
}
echo $password;
?>
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
</head>
<body>
<h1>Login</h1>
<form action="login.php" method="post" enctype="multipart/form-data">
<input placeholder="Username" name="username" type="text" autofocus>
<input placeholder="Password" name="password" type="password">
<input name="login" type="submit" value="Login">
</form>
</body>
</html>
あなたをdb.php
<?php
$host = "localhost";
$user = "root";
$pass = "";
$database = "users";
$sqlcon = mysqli_connect($host, $user, $pass, $database);
if (mysqli_connect_errno()) {
die ("MySQL Database Connection Error");
}
?>
あなたが得た '$のrow'の値は何ですか? –
$ rowの値は何もありません。 – Matt
このクエリで試してみてください$ sql = "SELECT * FROM users where username = '"。$ username。 "' LIMIT 1 '; –