<?php
$msg = "";
session_start();
if (isset($_POST['submit']))
{
$con = new mysqli('localhost', 'root', '', 'sconnect');
$email = $con->real_escape_string($_POST['email']);
$semail=$email;
$password = $con->real_escape_string($_POST['password']);
$sql = $con->query("SELECT * FROM users WHERE email='$email' AND
password='$password';");
if ($email == "" || $password == "")
$msg = "Please check your inputs!";
else if ($sql)
{
$_SESSION['user'] = $semail;
header('Location:../home.php');
}
else
{
$msg = "Please check your inputs!";
}
}
?>
使用此代码,我可以使用密码字段中的任何输入进行登录。请解决问题。
您正在检查的变量是$ sql,如果您在其中存储任何值,它将是true。在您的情况下,您有SQL查询。所以它总会回归真实。您应该检查if语句中SELECT查询返回的num行。
$msg = "";
session_start();
if (isset($_POST['submit'])) {
$con = new mysqli('localhost', 'root', '', 'test');
$email = $con->real_escape_string($_POST['email']);
$semail = $email;
$password = $con->real_escape_string($_POST['password']);
$sql = $con->query("SELECT * FROM users WHERE email='$email' AND password='$password';");
if ($email == "" || $password == "")
$msg = "Please check your inputs!";
else if ($sql->num_rows) {
$_SESSION['user'] = $semail;
header('Location:../home.php');
} else {
$msg = "Please check your inputs!";
}
}