SQL:条件语法错误和 mysql_fetch_object 误用
SQL: Conditional syntax error and mysql_fetch_object misuse
我正在尝试使用 SQL 和 PHP 创建登录系统。我有一个包含三个字段的标准数据库:用户名、密码和授权级别。出于某种原因,当我测试代码时,登录失败,即使我使用正确的访问级别和正确的凭据也是如此。在我将访问级别检查器添加到我的 PHP 之前,该代码可以正常工作,但现在 它 returns 登录失败错误 .
//If there are input validations, redirect back to the login form
if($errflag) {
$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
session_write_close();
header("location: login-test.php");
exit();
}
//Create query
$qry="SELECT * FROM members WHERE username='$username' AND password='$password'";
$result=mysql_query($qry);
$row = mysql_fetch_object($qry);
//Check whether the query was successful or not
if($result) {
if(mysql_num_rows($result) == 1 && $row->authlevel == "admin") {
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['username'];
$_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
$_SESSION['SESS_LAST_NAME'] = $member['username'];
session_write_close();
header("location: admin_index.php");
exit();
} else {
//Login failed
header("location: login-failed.php");
}
}else {
die("Query failed");
}
?>
正如我在评论中所说,使用 PDO 或 mysqli 和准备好的语句。有人可以把这个放进去
'; Select * from members where authLevel = "admin" limit 1 --
对于 $username 和 bang 以管理员身份登录。这就是为什么
SELECT * FROM members WHERE username=''; Select * from members where authLevel = "admin" limit 1 -- AND password='ababsdf'
这就是您查询的内容,-- 是 MySql 的评论方式,因此之后的任何内容都将被忽略。本质上,我只是告诉 select 一个具有 authLevel 管理员权限的用户,并将其限制为一个结果。
更新
至于答案有2种可能,
1 authLevel 错误,
2 更有可能是您有重复的用户记录。所以行数校验失败
此外 admin 与 Admin 或 ADMIN 或 [space]admin 与 space 不同。 php 中的字符串比较区分大小写。
尽管条件不成立,但其中的一项或两项都不正确。你所要做的就是这个
echo 'NumRows: '.mysql_num_rows($result);
echo "<br>\n";
echo 'AuthLevel: '.$row->authlevel;
告诉你,只要输出它们,它就会变得相当明显。还要注释掉 header 重定向(这样你就不会被踢到其他页面)
//header("location: login-failed.php"); -- un-comment when fixed.
对于 authlevel,您可能希望像这样将其包裹在括号中
echo 'AuthLevel: ['.$row->authlevel.']';
为什么?因为如果是这样
[ admin]
然后你可以看到里面有一个space什么的。在你的情况下这样做是个不错的主意
if( strtolower( trim( $row->authlevel ) ) == 'admin' ...
PDO 或 mysqli 实际上并没有那么难你想要添加至少 sha256 的盐添加加密(或使用 password_hash() )基本上你的代码看起来像这样
$dsn = 'mysql:host=127.0.0.1;dbname=members;';
$user = 'db_user';
$password = '*******';
try {
$DB = new PDO($dsn, $user, $password);
} catch (PDOException $e) {
die('Connection failed: ' . $e->getMessage());
}
$qry="SELECT * FROM members WHERE username=:username"; ///( add field named salt, this is a random string )
//search only for username
///$DB is pdo database object
//prepare the sql, this 2 step process prevent sql injection by using a placeholder :username instead of the variable directly
$stmt = $DB->prepare( $qry );
//execute the statement with variables
$stmt->execute( array(':username' => $username ) );
//retrieve the result row as an object.
$row = $stmt->fetch( PDO::FETCH_OBJ );
//Check whether the query was successful or not
if($stmt->rowCount() == 1 ) {
if($row->authlevel == "admin") { //if it's not an admin no need to check password
if( sha256( $row->salt() . $password ) == $row->password ){
//Check password in php, db is case insensitive unless its a binary field.
//Login Successful ( obviously youll want to update the member to account for a better password )
.....
}else{
header("location: login-failed.php"); //change for bad password etc.
}
} else {
//Login failed
header("location: login-failed.php"); //change for invalid user level ( you do not have authorization to view this page ... etc. )
}
}else {
die("Query failed"); //change for username not found, or unknown username
}
http://php.net/manual/en/pdo.construct.php
http://php.net/manual/en/function.password-hash.php
出于安全原因 PHP7 mysql_* 函数已经消失,所以最好不要习惯使用它们。
我正在尝试使用 SQL 和 PHP 创建登录系统。我有一个包含三个字段的标准数据库:用户名、密码和授权级别。出于某种原因,当我测试代码时,登录失败,即使我使用正确的访问级别和正确的凭据也是如此。在我将访问级别检查器添加到我的 PHP 之前,该代码可以正常工作,但现在 它 returns 登录失败错误 .
//If there are input validations, redirect back to the login form
if($errflag) {
$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
session_write_close();
header("location: login-test.php");
exit();
}
//Create query
$qry="SELECT * FROM members WHERE username='$username' AND password='$password'";
$result=mysql_query($qry);
$row = mysql_fetch_object($qry);
//Check whether the query was successful or not
if($result) {
if(mysql_num_rows($result) == 1 && $row->authlevel == "admin") {
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['username'];
$_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
$_SESSION['SESS_LAST_NAME'] = $member['username'];
session_write_close();
header("location: admin_index.php");
exit();
} else {
//Login failed
header("location: login-failed.php");
}
}else {
die("Query failed");
}
?>
正如我在评论中所说,使用 PDO 或 mysqli 和准备好的语句。有人可以把这个放进去
'; Select * from members where authLevel = "admin" limit 1 --
对于 $username 和 bang 以管理员身份登录。这就是为什么
SELECT * FROM members WHERE username=''; Select * from members where authLevel = "admin" limit 1 -- AND password='ababsdf'
这就是您查询的内容,-- 是 MySql 的评论方式,因此之后的任何内容都将被忽略。本质上,我只是告诉 select 一个具有 authLevel 管理员权限的用户,并将其限制为一个结果。
更新 至于答案有2种可能,
1 authLevel 错误,
2 更有可能是您有重复的用户记录。所以行数校验失败
此外 admin 与 Admin 或 ADMIN 或 [space]admin 与 space 不同。 php 中的字符串比较区分大小写。
尽管条件不成立,但其中的一项或两项都不正确。你所要做的就是这个
echo 'NumRows: '.mysql_num_rows($result);
echo "<br>\n";
echo 'AuthLevel: '.$row->authlevel;
告诉你,只要输出它们,它就会变得相当明显。还要注释掉 header 重定向(这样你就不会被踢到其他页面)
//header("location: login-failed.php"); -- un-comment when fixed.
对于 authlevel,您可能希望像这样将其包裹在括号中
echo 'AuthLevel: ['.$row->authlevel.']';
为什么?因为如果是这样
[ admin]
然后你可以看到里面有一个space什么的。在你的情况下这样做是个不错的主意
if( strtolower( trim( $row->authlevel ) ) == 'admin' ...
PDO 或 mysqli 实际上并没有那么难你想要添加至少 sha256 的盐添加加密(或使用 password_hash() )基本上你的代码看起来像这样
$dsn = 'mysql:host=127.0.0.1;dbname=members;';
$user = 'db_user';
$password = '*******';
try {
$DB = new PDO($dsn, $user, $password);
} catch (PDOException $e) {
die('Connection failed: ' . $e->getMessage());
}
$qry="SELECT * FROM members WHERE username=:username"; ///( add field named salt, this is a random string )
//search only for username
///$DB is pdo database object
//prepare the sql, this 2 step process prevent sql injection by using a placeholder :username instead of the variable directly
$stmt = $DB->prepare( $qry );
//execute the statement with variables
$stmt->execute( array(':username' => $username ) );
//retrieve the result row as an object.
$row = $stmt->fetch( PDO::FETCH_OBJ );
//Check whether the query was successful or not
if($stmt->rowCount() == 1 ) {
if($row->authlevel == "admin") { //if it's not an admin no need to check password
if( sha256( $row->salt() . $password ) == $row->password ){
//Check password in php, db is case insensitive unless its a binary field.
//Login Successful ( obviously youll want to update the member to account for a better password )
.....
}else{
header("location: login-failed.php"); //change for bad password etc.
}
} else {
//Login failed
header("location: login-failed.php"); //change for invalid user level ( you do not have authorization to view this page ... etc. )
}
}else {
die("Query failed"); //change for username not found, or unknown username
}
http://php.net/manual/en/pdo.construct.php
http://php.net/manual/en/function.password-hash.php
出于安全原因 PHP7 mysql_* 函数已经消失,所以最好不要习惯使用它们。