php 通过登录页面连接到数据库
php connection to database via login page
我对 php 很陌生,所以请原谅我的新代码,虽然我需要使用 php,但我更习惯 ASP.net,目前我有php 连接到数据库的页面如果成功将值存储到 cookie 中,但由于不正确的字符串会抛出这些错误消息
Warning: Illegal string offset 'Member_Username' in C:\xampp\htdocs\awm\includes\login.php on line 10
Warning: Illegal string offset 'Member_Password' in C:\xampp\htdocs\awm\includes\login.php on line 10
Notice: Trying to get property of non-object in C:\xampp\htdocs\awm\includes\login.php on line 13
这是我的代码:
<?php
try
{
$Username = $_POST['Username'];
$Password = $_POST['Password'];
$con = mysqli_connect('localhost','root','Password','Letting');
$query = "SELECT Member_Id, Member_Firstname, Member_Surname FROM Members WHERE Member_Username = '" . $Username['Member_Username'] . "' AND Password = '" . $Password['Member_Password']. "'";
$result = $con->query($query);
if($result->num_rows)
{
$row = $result->fetch_assoc();
$_SESSION['MemberId']=$row['Member_Id'];
$_SESSION['Firstname']=$row['Member_Firstname'];
$_SESSION['Surname']=$row['Member_Surname'];
if(isset($_POST['RememberMe']))
{
setcookie('login',$row['Member_Id'],time() +60*60*60*24*7);
}
else
{
$msg = 'Login failed';
}
}
}
catch(Exception $e)
{
echo $e->errorMessage();
}
?>
假设这些变量是字符串:
$Username = $_POST['Username'];
$Password = $_POST['Password'];
Calling/treating 它们作为使用索引的数组肯定会引发非法字符串偏移错误。这是哪一行:
$query = "SELECT Member_Id, Member_Firstname, Member_Surname FROM Members WHERE Member_Username = '" . $Username['Member_Username'] . "' AND Password = '" . $Password['Member_Password']. "'";
并且由于 MySQLi 已经支持准备好的语句,为什么不使用它们呢,因为就目前而言,您很容易受到 SQL 注入的攻击。我不会添加直接连接 $Username 和 $Password 的解决方案,但我会给出关于准备好的语句的粗略示例:
$query = 'SELECT Member_Id, Member_Firstname, Member_Surname
FROM Members
WHERE Member_Username = ?
AND Password = ?';
$select = $con->prepare($query);
$select->bind_param('ss', $Username, $Password);
$select->execute();
if($select->num_rows > 0) {
// rest of codes
}
旁注:您似乎在保存普通的裸密码,如果您可以使用它(PHP 5.5 或更高版本),我建议您为此使用 password_hash + password_verify to handle your login module for hashing those passwords. If you have PHP 5.4 or lower and can't use the built-in, there's already a compatibility pack library。
试试这个
$query = "SELECT Member_Id, Member_Firstname, Member_Surname
FROM Members WHERE Member_Username = '" . $Username .
"' AND Password = '" . $Password. "'";
我对 php 很陌生,所以请原谅我的新代码,虽然我需要使用 php,但我更习惯 ASP.net,目前我有php 连接到数据库的页面如果成功将值存储到 cookie 中,但由于不正确的字符串会抛出这些错误消息
Warning: Illegal string offset 'Member_Username' in C:\xampp\htdocs\awm\includes\login.php on line 10
Warning: Illegal string offset 'Member_Password' in C:\xampp\htdocs\awm\includes\login.php on line 10
Notice: Trying to get property of non-object in C:\xampp\htdocs\awm\includes\login.php on line 13
这是我的代码:
<?php
try
{
$Username = $_POST['Username'];
$Password = $_POST['Password'];
$con = mysqli_connect('localhost','root','Password','Letting');
$query = "SELECT Member_Id, Member_Firstname, Member_Surname FROM Members WHERE Member_Username = '" . $Username['Member_Username'] . "' AND Password = '" . $Password['Member_Password']. "'";
$result = $con->query($query);
if($result->num_rows)
{
$row = $result->fetch_assoc();
$_SESSION['MemberId']=$row['Member_Id'];
$_SESSION['Firstname']=$row['Member_Firstname'];
$_SESSION['Surname']=$row['Member_Surname'];
if(isset($_POST['RememberMe']))
{
setcookie('login',$row['Member_Id'],time() +60*60*60*24*7);
}
else
{
$msg = 'Login failed';
}
}
}
catch(Exception $e)
{
echo $e->errorMessage();
}
?>
假设这些变量是字符串:
$Username = $_POST['Username'];
$Password = $_POST['Password'];
Calling/treating 它们作为使用索引的数组肯定会引发非法字符串偏移错误。这是哪一行:
$query = "SELECT Member_Id, Member_Firstname, Member_Surname FROM Members WHERE Member_Username = '" . $Username['Member_Username'] . "' AND Password = '" . $Password['Member_Password']. "'";
并且由于 MySQLi 已经支持准备好的语句,为什么不使用它们呢,因为就目前而言,您很容易受到 SQL 注入的攻击。我不会添加直接连接 $Username 和 $Password 的解决方案,但我会给出关于准备好的语句的粗略示例:
$query = 'SELECT Member_Id, Member_Firstname, Member_Surname
FROM Members
WHERE Member_Username = ?
AND Password = ?';
$select = $con->prepare($query);
$select->bind_param('ss', $Username, $Password);
$select->execute();
if($select->num_rows > 0) {
// rest of codes
}
旁注:您似乎在保存普通的裸密码,如果您可以使用它(PHP 5.5 或更高版本),我建议您为此使用 password_hash + password_verify to handle your login module for hashing those passwords. If you have PHP 5.4 or lower and can't use the built-in, there's already a compatibility pack library。
试试这个
$query = "SELECT Member_Id, Member_Firstname, Member_Surname
FROM Members WHERE Member_Username = '" . $Username .
"' AND Password = '" . $Password. "'";