使用PHP来匹配用户名和密码与HTML下拉

Question

我有一个名为学校的MySQL数据库是这样设置的： schoolID（1），schoolName（学校1），schoolCounty（白金汉郡），schoolUsername（school1admin）， schoolPassword（school1password）

我现在有一个下拉菜单，显示的学校名单，当我输入任何用户名和密码进入HTML登录表单我都可以登录。

我似乎无法正常工作出我如何设置它，取决于学校的选择取决于使用的用户名和密码。

例如，如果我选择school1，那么我只能使用school1的用户名和密码。

这是我到目前为止的index.php文件：

<?php 

require_once 'databaseConnect.php'; // connects to the databse via this file 
if ($conn->connect_error) die ($conn->connect_error); // check the connection to the database. If failed, display error 


$sql = "SELECT * FROM school"; 
$result = $conn->query($sql); 


$conn->close(); 
?> 


<html> 
    <body> 
     <title>EduKode</title> 




     <div id="login-form-container"> 
      <p>Log In:</p> 

<?php 
echo'<div id="schoolSelection">'; 
echo '<select name="schoolName">'; 
if ($result->num_rows > 0) { 
// output data of each row 
while($row = $result->fetch_assoc()) { 
echo '<option>'. $row["schoolName"]. "<br>"; 
} 
} else { 
echo "0 results"; 
} 
echo '</select>'; 

echo'</div>'; 

//http://stackoverflow.com/questions/10009464/fetching-data-from-mysql-database-to-html-dropdown-list 
?> 

       <form id="login-form" name="contactform" method="post" action="checkSchoolCredentials.php"> <!-- when submitting the form will call the 'authenticate.php' script.--> 
        <div class="contact-form"> 

         <label>Username:</label> 
         <input name="username" type="text"> <!-- students created username field--> 

         <label>Password:</label> 
         <input name="password" type="password"> <!-- students created password field--> 
        </div> 
         <div id="submit-button"> 
          <input type="submit" name="submit" value="Log In"> 
         </div> 
       </form> 
     </div> 

    </body> 
</html> 

这是checkSchoolCredentials.php：

<?php 
require_once 'databaseConnect.php'; // connects to the databse via this file 
if ($conn->connect_error) die ($conn->connect_error); // check the connection to the database. If failed, display error 


if(isset($_POST['submit'])) // if submit button is pressed 
{ 
    $username = $_POST['username']; //assigns the value of the input box username to $username 
    $password = $_POST['password']; //assigns the value of the input box password to $password 

    $query = "SELECT * FROM school WHERE schoolUsername='$username' AND schoolPassword ='$password'"; // Query the database 


    $result=mysqli_query($conn, $query); 
    if(mysqli_num_rows($result) ==1) 
    { 
     session_start(); // start session 
     $_SESSION['auth']='true'; 
     $_SESSION['username'] = $username; // save session as username 
     header('location:taskSelection.php'); // if correct, redirect to taskSelection.php 

    } 
    else 
    { 
     header('location:index.php'); // redirect to index.html if incorrect 


    } 

} 


$conn->close(); 

?> 

Answer 1

你接近，你有什么是也送schoolname并检查是否所有的变量设置：

if (isset($POST['username'],$POST['userpassword'],$POST['schoolName'])

然后只需更换：

$query = "SELECT * FROM school WHERE schoolUsername='$username' AND schoolPassword ='$password'"; // Query the database 

有：

$query = "SELECT * FROM school WHERE schoolUsername='$username' AND schoolPassword ='$password' AND schoolName='$schoolName'"; // 

现在你要知道现在我的查询仍然很糟糕，因为它容易受到SQL注入。你必须使用prepare statements instead：

$sql = "SELECT * FROM school WHERE schoolUsername=? AND schoolPassword = ? AND schoolName=?"; 
if ($query = $conn->prepare($sql)){ 
    $query->bind_param("s", $username,$password,$schoolName); 
    $stmt->bind_result($result); 
    while($stmt->fetch()){ 
    // you can work with $result which is an array containing a line of the results 
    } 

Answer 2

添加AND schoolName = "$schoolName"到您的SQL语句