0

なぜphpがif文を無視してチェックを行わないのかわかりませんが、

    <?php
   require 'default.php';
   if(isset($_POST['submit'])){
      $username = $_POST['username'];
      $password = $_POST['password'];
      $username = stripslashes($username);
      $password = stripslashes($password);
      $username = mysql_real_escape_string($username);
      $password = mysql_real_escape_string($password);
      if (mysql_num_rows(mysql_query("SELECT `username` FROM `users` WHERE `username`='$username'"))==1
         && mysql_num_rows(mysql_query("SELECT `password` FROM `users` WHERE `password`='$password'"))==1){
          echo 'you Have logged in successfully';
         }else{
             echo 'Incorrect username or password had been entered!';
            }
   }

?>
4

2 に答える 2

3

1人のユーザーが指定されたユーザー名を持ち、別のユーザーが指定されたパスワードを持っている場合はどうなりますか?ログインしますか?

次のようにコードを変更してください。

if (mysql_num_rows(mysql_query("SELECT `username` FROM `users` WHERE `username`='$username' AND `password`='$password'"))==1)
于 2012-11-01T10:29:28.463 に答える
-1

mysql_num_rows() は 1 より大きい値を返す場合があります。

<?php
require 'default.php';
if(isset($_POST['submit'])) {
  $username = $_POST['username'];
  $password = $_POST['password'];
  $username = stripslashes($username);
  $password = stripslashes($password);
  $username = mysql_real_escape_string($username);
  $password = mysql_real_escape_string($password);
  if (
    mysql_num_rows(mysql_query("SELECT `username` FROM `users` WHERE `username`='$username' LIMIT 0,1"))==1
    &&
    mysql_num_rows(mysql_query("SELECT `password` FROM `users` WHERE `password`='$password' LIMIT 0,1"))==1
  ) {
    echo 'you Have logged in successfully';
  }
  else {
    echo 'Incorrect username or password had been entered!';
  }
}

?>

または、代わりに > 0 を使用します。

<?php
require 'default.php';
if(isset($_POST['submit'])) {
  $username = $_POST['username'];
  $password = $_POST['password'];
  $username = stripslashes($username);
  $password = stripslashes($password);
  $username = mysql_real_escape_string($username);
  $password = mysql_real_escape_string($password);
  if (
  mysql_num_rows(mysql_query("SELECT `username` FROM `users` WHERE `username`='$username'")) > 0
  &&
  mysql_num_rows(mysql_query("SELECT `password` FROM `users` WHERE `password`='$password'")) > 0
  ) {
    echo 'you Have logged in successfully';
  }
  else {
    echo 'Incorrect username or password had been entered!';
  }
}

?>

または、このように簡単にします...

<?php
require 'default.php';
if(isset($_POST['submit'])) {
  $username = $_POST['username'];
  $password = $_POST['password'];
  $username = stripslashes($username);
  $password = stripslashes($password);
  $username = mysql_real_escape_string($username);
  $password = mysql_real_escape_string($password);
  if (intval(mysql_result(mysql_query(sprintf("SELECT COUNT(*) AS found FROM `users` WHERE `username`='%s' AND `password`='%s'",$username,$password)),0)) > 0 ) {
    echo 'you Have logged in successfully';
  }
  else {
    echo 'Incorrect username or password had been entered!';
  }
}
?>
于 2012-11-01T10:35:20.200 に答える