PHP mySQL Password issue with extra characters

2019-09-07 15:31发布

站内问答 / PHP
1195 3 5

I'm very new to php and mysql. I have found a great tutorial to create a registration and log in section on a site. I'm managing to deconstruct it pretty well and make minor changes. However...

When logging in, if the password is incorrect it validates and an error is returned. If its correct it logs in.

The issue I have is that if you type the correct password but add extra characters after it neither validates or logs in. Just goes to a blank page. Here is the validation code for the login page -

<?php
include('db.php'); 
if(!isset($_POST['login']))//checking if user has entered this page directly
{
include('form.php');
}
else{
if(isset($_POST['user'])&&$_POST['user']==""||!isset($_POST['user']))
{
$error[] = "Username Field can't be left blank";
$usererror = "1";
}
if(!isset($usererror))
{
$user = mysql_real_escape_string($_POST['user']);
$sql = "SELECT * FROM users WHERE user = '$user'";
if(mysql_num_rows(mysql_query($sql))=="0")//1 means there is one entry same so we print error
{
$error[] = "Can't find a user with this username"; 
}
}
if(isset($_POST['pass'])&&$_POST['pass']==""||!isset($_POST['pass']))
{
$error[] = "password Field can't be left blank";
}
if(isset($error)){
if(is_array($error)){echo "<div class=\"error\"><span>please check the errors and refill the form<span><br/>";
foreach ($error as $ers) {     
echo "<span>".$ers."</span><br/>";
}
echo "</div>";
include('form.php');
}
}
if(!isset($error)){
$suser=mysql_real_escape_string($_POST['user']);
$spass=md5($_POST['pass']);//for secure passwords
$find = "SELECT * FROM users WHERE user = '$suser' AND password = '$spass'";
if(mysql_num_rows(mysql_query($find))=="1"or die(mysql_error())){
session_start();
$_SESSION['username'] = $suser;
header("Location: loggedin.php");
}
else{
echo "<div class=\"warning\"><span>Some Error occured durring processing your data</div>";
}
}
}
?>

Any help will be greatly appreciated...

EDIT

I've just noticed that the only error I get is if NO password is entered. If an incorrect password is entered I get the blank white page. Can anyone help as to why the password is not being verified?

标签: php passwords
举报
3条回答
倾城 Initia
2楼-- · 2019-09-07 15:40

Try this and see if it works.

if(mysql_num_rows(mysql_query($find))=="1") {
  session_start();
  $_SESSION['username'] = $suser;
  header("Location: loggedin.php");
} else {
  echo "<span>Your username or password was incorrect.</span>";
  include "form.php";
  die;
}
查看更多
0人赞 添加讨论(0) 举报
做个烂人
3楼-- · 2019-09-07 15:56

if(mysql_num_rows(mysql_query($find))=="1"or die(mysql_error())){

If the SQL query returns no results (meaning that the password and username didn't match), then the if statement returns false and nothing happens. You should return an error message in that case.

EDIT:

I didn't notice the else statement afterwards. I think the actual problem is die(mysql_error()). When the SQL query returns no results, that if statement will execute die(mysql_error()), which will return a blank because an empty result is not an error.

I suggest you remove die(mysql_error()) and include a separate if statement to check for mysql_errno() (which returns true when there's an error).

if (mysql_errno()) { die(mysql_error()); }

It's worth noting that the mysql_* functions are deprecated in the recent versions of PHP. It's recommended to use MySQLi or PDO to connect to MySQL in PHP.

查看更多
0人赞 添加讨论(0) 举报
ら.Afraid
4楼-- · 2019-09-07 15:57

Use trim() to deal with extra spaces before and after your strings

Looks like a logic issue. You need to use parenthesis to organize your conditionals:

if(
    (isset($_POST['pass'])&&$_POST['pass']=="")
  ||
    !isset($_POST['pass'])
)
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)