我在这做错了什么:
<?php
if (isset($_POST['submitted'])) {
$errors = array();
require_once ('mysql_connect.php');
session_start();
$username = $_POST["username"]; // This is the inputted username from the form in Login.html
$password = $_POST["password"]; // This is the inputted password from the form in Login.html
if (empty($errors)) {
$query="SELECT username FROM users WHERE username='$username' AND password='SHA($password)'";
$result = mysql_query($query);
// Mysql_num_row is counting table row
if (mysql_num_rows($result) == 1) {
$_SESSION["username"] = $username; // Creates a cookie saving the username
$_SESSION["loggedIn"] = true; // Creates a cookie saying the user is logged in
// Show thank you message
echo '<h3 style="color:green;">Thank You!</h3>
<span style="color:green;">You have been logged in.</span>';
} else {
echo '<font color="red">You could not be logged in, please make sure your username and password is correct.</font>';
foreach ($errors as $msg) {
echo " - <font color=\"red\">$msg</font><br />\n";
}
}
} else {
echo '<font color="red"><h3>Error!</h3>
The following error(s) occured:<br /></font>';
foreach ($errors as $msg) {
echo " - <font color=\"red\">$msg</font><br />\n";
}
}
}
?>
我得到一个:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /login.php on line 19
我的密码是否正确?
解决方法:
问题是您的MySQL查询导致错误,这意味着您的$result实际上不包含结果资源.
您需要在查询中删除来自SHA($password)的”,而是将它们放在密码值周围,如下所示:
$query="SELECT username FROM users WHERE username='$username' AND password=SHA('$password')";
Also is the way I SHA the password correct?
这取决于密码在插入数据库时如何进行哈希处理. MySQL的SHA()与SHA-1()相同:
Calculates an SHA-1 160-bit checksum for the string, as described in RFC 3174
这也和PHP的sha1()相同;所以,例如,如果数据库中的密码是使用PHP的sha1()创建的SHA-1哈希,那么应该没问题.
附注
>您应该使用PHP的crypt()或hash()来获取散列密码,rather than SHA-1.例如,用法,refer to the PHP documentation.
>在数据库查询中使用任何数据之前,您应该清理/转义所有用户提供的数据.这是为了停止SQL injection attacks.更好的是,使用预准备语句和参数化查询.有关更多信息,请参阅this answer.