所以这让我发疯!如果用户名正确,那么它会完全很好地比较密码,但如果用户名错误,则不会发生比较,并且会向我抛出此错误。我想将数据库值与用户输入的值进行比较。
<?php $nm = $_POST['nm']; $pw = $_POST['pw']; try{ $pdo = new PDO('mysql:host=localhost;dbname=gold-market_main', 'root', ''); $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); }catch(PDOException $e) { echo "Connection failed: ".$e->getMessage(); die(); } if($nm == null){ die("Feld darf nicht leer sein!"); } elseif(ctype_alpha($nm[0]) or ctype_digit($nm[0])){ $sql = "SELECT k_nutzername, k_passwort FROM kunden WHERE k_nutzername IN('$nm');"; $result = $pdo->query($sql); $row = $result->fetch(PDO::FETCH_ASSOC); if("{$row['k_nutzername']}" != $nm) { //header("Location: login_wrongUN.html"); print("nm wrong"); } elseif("{$row['k_passwort']}" != $pw) { //header("Location: login_wrongPW.html"); print("pw wrong"); } else { header("Location: konto.html"); } }else{ die("Nutzername muss mit einem buchstaben oder einer Zahl beginnen!"); } $pdo = null; ?>
P粉1847475362024-03-27 00:04:57
你可以做类似的事情。但是,它不能防止不安全的密码 a> 也不是定时攻击。
setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); }catch(PDOException $e) { echo "Connection failed: ".$e->getMessage(); die(); } if($nm == null){ die("Feld darf nicht leer sein!") } //ctype does not protect $sql = $pdo->prepare("SELECT k_nutzername, k_passwort FROM kunden WHERE k_nutzername = ?;"); $sql->bindValue(1,$nm,PDO::PARAM_STR); //bind a value to a query, called parametrized queries, most secure way against SQL injection. $sql->execute(); $row = $sql->fetch(PDO::FETCH_ASSOC); if(!$row) { // if the username not exists //header("Location: login_wrongUN.html"); print("nm wrong"); } elseif($row['k_passwort'] != $pw) { //header("Location: login_wrongPW.html"); print("pw wrong"); } else { header("Location: konto.html"); } $pdo = null; ?>