PHP PDO,请求用户名

问题描述 投票:-4回答:1

我有php dpo请求:

<?php
    include '../reg/db.php';
    $stmt = $db->query("SELECT * FROM users");
    while ( $row = $stmt->fetch() ) {
    $password_hashed = $row['password'];
    $username = $row['name'];
}

然后,当我需要回显刚刚登录的用户名,但它显示错误的名称! (e.x。我是亚历克斯,他写的我是约翰(约翰已经在DB,不明白为什么选择其他名字)

if ( password_verify( $_POST['password'], $password_hashed )  ) { ?>
   <div class="enterReg">
     <div class="frameworkForUser">
     <div class="usernameMargin">
     <? echo $username; ?>
   </div>
<? } ?>

我怎么能得到刚刚登录的用户的名字?上网了一下但没有找到任何关于它的信息.-。

php pdo
1个回答
0
投票

请使用其post变量引用要选择SQL查询的用户属性。

就像是:

$username =$_POST['username'];
$password = password=$_POST['password'];

 $stmt = $db->query("SELECT * FROM users where username='$username' and password= '$password'");

虽然这可能会解决您的问题,但请不要在生产中使用此代码,因为担心sql注入,html脚本攻击等。

您可以更好地使用Mysqli Prepared语句或更好地使用PDO。

要清除对html元素的攻击,你可以使用strip_tags()函数

$username =strip_tags($_POST['username']);
$password = strip_tags(password=$_POST['password']);

更新的答案

选项1使用会话

<?php


    include '../reg/db.php';
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);


if ($username == ''){
echo "username is empty";
exit();
}


if ($password == ''){
echo "Password is empty";
exit();
}



$stmt = $db->prepare('SELECT * FROM users where username = :username and password = :password');

        $result->execute(array(
            ':username' => $username, ':password' => $password));

$count = $stmt->rowCount();
$row = $result->fetch();

if( $count == 1 ) {
echo "login sucessful";
// Redirect me to a Dasboard.php to display the login user
echo "<script>window.location='dashboard.php'</script>";


//Initialize a session
session_start()

//Prevent session Fixation Attack using session generated Id;
session_regenerate_id();

// pass users info in a session if things where ok.
// Prevent xss Attack using Htmlspecialchar or htmlentities() functions

$_SESSION['name'] = htmlspecialchars($row['name']);
$_SESSION['username'] = htmlspecialchars($row['username']);

// Do not pass users password in a session
//$_SESSION['password']=htmlspecialchars($row['password']);

}
else {

echo "<font color=red>Either Username or Password is Wrong</font>";
}


?>

在dashboard.php上,您现在可以根据您的实现获得以下代码.....

// initialize sessions

session_start();

// the the authenticated users parameters

Name: <?php echo $_SESSION['name']; ?><br>
userName: <?php echo $_SESSION['username']; ?><br>

选项2无会话使用

<?php


    include '../reg/db.php';
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);


if ($username == ''){
echo "username is empty";
exit();
}


if ($password == ''){
echo "Password is empty";
exit();
}



$stmt = $db->prepare('SELECT * FROM users where username = :username and password = :password');

        $result->execute(array(
            ':username' => $username, ':password' => $password));

$count = $stmt->rowCount();
$row = $result->fetch();

if( $count == 1 ) {
echo "login sucessful";
// Redirect me to a Dasboard.php to display the login user
//echo "<script>window.location='dashboard.php'</script>";


$name = htmlspecialchars($row['name']);
$username = htmlspecialchars($row['username']);

echo "userame: $username </br>";
echo "Name: $name </br>";


}
else {

echo "<font color=red>Either Username or Password is Wrong</font>";
}


?>

如果您有任何问题,请告诉我。请记住代码中的密码没有经过哈希处理。它假定明文密码在您的数据库中..

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.