0
我一直在使用这个登录脚本很长一段时间,它的相当稳固,但它现在破碎,让我疯了。PHP登录脚本只会登录特定用户?
基本上脚本只接受第一个MySQL行用户登录,登录系统将工作,但只是为第一个SQL行,它似乎忽略所有的行?
global_database.php
<?php
$dbhost = 'localhost';
$dbuser = 'dealerpa_guest';
$dbpass = 'password_here';
function dbConnect($db='') {
global $dbhost, $dbuser, $dbpass;
$dbcnx = @mysql_connect($dbhost, $dbuser, $dbpass)
or die('We are currently applying some major patches and fixes to our systems. Please try again in 10 Minutes.');
if ($db!='' and [email protected]_select_db($db))
die('We are currently applying some major patches and fixes to our systems. Please try again in 10 Minutes.');
return $dbcnx;
}
?>
global_restriction.php
<?php
session_start();
include_once 'global_database.php';
include_once 'global_common.php';
$dealerUsername = isset($_POST['dealerUsername']) ? $_POST['dealerUsername'] : $_SESSION['dealerUsername'];
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];
if(!isset($dealerUsername)) {
?>
<html>
<body>
<form id="dealerLogin" name="dealerLogin" method="post" action="">
<input name="dealerUsername" type="text" id="dealerUsername" size="15" class="validate[required] text-input" />
<input name="pwd" type="password" id="pwd" size="15" class="validate[required] text-input" />
<input name="submit" id="submit" type="submit" value="Login" class="save-button" />
</form>
<?php
exit;
}
$_SESSION['dealerUsername'] = $dealerUsername;
$_SESSION['pwd'] = $pwd;
dbConnect("dealerpa_account");
$sql = "SELECT * FROM dealerAccount WHERE dealerUsername = '$dealerUsername' AND dealerPassword = md5('$pwd')";
$result = mysql_query($sql);
if (!$result) {
error('A database error occurred while checking your '.
'login details.\\nIf this error persists, please '.
'contact us.');
}
if (mysql_num_rows($result) == 0) {
unset($_SESSION['dealerUsername']);
unset($_SESSION['pwd']);
?>
<html>
<body>
<p>Display Login page again if password is wrong</p>
</body>
<?php
exit;
}
$dealerUsername = mysql_result($result,0,'dealerUsername');
$dealerID = mysql_result($result,0,'dealerID');
?>
我检查了PHP的设置和注册全局开启时,有什么事我可以试试。奇怪的是只有一个用户可以登录。它就像脚本没有检查整个表,只查看第一个SQL Row。
任何帮助将不胜感激。
出于某种原因,脚本在5个小时后重新开始工作,查看代码。如果你看到任何改进脚本的方法,以便它更安全,请告知。 –
难道你的主机不推荐使用'mysql_'并转移到'mysqli'?仅供参考:在SO上这么说过很多次,使用'mysql_'开放注入。 –
您的代码易受SQL注入攻击。在查询中使用它之前,您需要清理* ALL *用户输入或使用准备好的语句。 – j883376