-2
我想制作一个PHP登录脚本,当用户登录时,它将删除登录表单,并显示另一个表示“Welcome [user_name]”的div。我在同一页面上运行脚本作为我的html,但查询总是失败。任何人都可以解决这个问题,为什么会发生这种情况?MySQL查询不能正确执行
PHP代码:
<?php include("connect.php")?>
<?php
session_start();
//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
$str = @trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}
if(isset($_POST['username']) && isset($_POST['username'])){
//Sanitize the POST values
$UserName = clean($_POST['username']);
$Password =(md5($_POST['password']));
//Create query
$qry = "SELECT 'UserName' , 'Password' FROM users WHERE UserName='$UserName' AND Password='$Password'";
$result = mysql_query($qry);
//Check whether the query was successful or not
if($result) {
if(mysql_num_rows($result) > 0) {
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['mem_id'];
$_SESSION['SESS_FIRST_NAME'] = $member['FName'];
$_SESSION['SESS_LAST_NAME'] = $member['LName'];
//session_write_close();
echo 'SUCCESS';
//loggedin();
//exit();
}
else {
//Login failed
echo 'FAILED.';
//loginfail();
//exit();
}
}
else {
die("Query failed");
}
}
?>
HTML代码:
<form name="user-form" id="user-form" action="members.php" method="POST">
<input type="text" name="username" id="username" placeholder="Username"></input>
<input type="password" name="password" id="password" placeholder="Password"></input>
<br/>
<input type="submit" id="sign" name="Sign In"></input>
</form>
你的帮助会,因为我是新来这个可以理解。
从列中删除所有的单引号名。 'SELECT'UserName','Password''应该是'SELECT UserName,Password' –
你应该绑定变量,而不是sanatize,请看这里:http://stackoverflow.com/questions/4364686/how-do-i-sanitize- input-with-pdo – Mark
@AhhikChakraborty是正确的,如果您愿意,可以将它们切换为'''反引号。 – phpisuber01