I would like to get some clear information or a reply on how to solve the following issue.
Currently I use a MySQL connection, but now I want to move onto MySQLi. I don't want to use PDO, so please do not suggest it.
The new mysqli code is this, but it's not working; also I think I used a bit too much else, which is not needed.
<?php
include('includes/functions.php');
session_start();
if(isset($_POST['login'])) {
    if(isset($_POST['username'])) {
        if(isset($_POST['password'])) {
            $username = $_POST['username'];
            mysqli_query($query, "SELECT * FROM cm_users WHERE Username = '$username'") or die(mysql_error());
            foreach ($query as $user)
                if(sha3($_POST['password'],256) == $user['Password']) {
                    $_SESSION['user'] = $user['Username'];
                    if(isset($_POST['g-recaptcha-response'])){
                        $captcha=$_POST['g-recaptcha-response'];
                    }
                    if(!$captcha){
                        header("Location: login.php");
                        echo "<button class='btn btn-block btn-warning btn-sm'>Please check your login details.</button>";
                        exit;
                    }
                    $response=file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=******&response=".$captcha."&remoteip=".$_SERVER['REMOTE_ADDR']);
                    if($response.success==false)
                    {
                        echo '<h2>You are spammer ! Get the @$%K out</h2>';
                    } else {
                        echo '<h2>Thanks for posting comment.</h2>';
                    }
                    header("Location: redirect.php");
                } else {
                    echo "<button class='btn btn-block btn-warning btn-sm'>Please check your login details.</button>";
                    include('login.php');
                }
        } else {
            echo "<button class='btn btn-block btn-warning btn-sm'>Please check that you filled out the login form!</button>";
            include('login.php');
        }
    }
}
?>
Any idea how to fix the issue to get it working?

Making this a wiki - I have nothing to gain from this, but it is more for the OP and future visitors to the question.
Pulled from comments and slightly modified:
Firstly, you're still mixing APIs by using mysql_error() where it should read as mysqli_error($query), assuming that $query is your connection variable used in your connection code.

Then this is failing you: foreach ($query as $user), because there is nothing assigned to $query (for the query), as you are checking a foreach against your db connection's variable, and that alone should have thrown you an error, had you used the right error function, being mysqli_error($query), where that function requires a database connection as a parameter.

Your present code is open to SQL injection. Use mysqli_* with prepared statements, or PDO with prepared statements.

As suggested, use one of ircmaxell's answers and use a better hashing/query function.
Pulled from his answer:

Just use a library. Seriously. They exist for a reason.
- password_hash()
- password-compat (a compatibility pack for the above)

Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.

And on login:
@Fred -ii- answered my question, so he helped a lot :)

and there you go ;-) assign a variable to the query other than your db connection. solved. $other_var = mysqli_query($connection, query)... and use that variable in your foreach. would you like my comments as an answer? ;-) – Fred -ii-

test = mysqli_query($query, "SELECT * FROM cm_users WHERE Username = '$username'") or die(mysqli_error($query)); foreach ($test as $user) like that? :D

you missed the $ --- $test = mysqli_query.... sure. then foreach($test..). – Fred -ii-
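The fix agreed on in the comments (assign the mysqli_query() result to its own variable and loop over that) makes the code run, but the answer's other two points still apply: the username is interpolated straight into the SQL string, and passwords are compared against a hand-rolled hash. The following is an added example, not the asker's code or anything from the answer, showing the login the way the answer recommends: a mysqli prepared statement with the username bound as a parameter, and password_hash()/password_verify() for the stored hash. It assumes a table cm_users with columns Username and Password (Password holding a password_hash() output), placeholder connection details, and the mysqlnd driver so that get_result() is available.

```php
<?php
// Added example (not from the question or the answer): login with a mysqli
// prepared statement and password_verify(). Assumes table cm_users(Username,
// Password) where Password stores a password_hash() result, and mysqlnd for
// get_result(). Connection credentials below are placeholders.
declare(strict_types=1);

// Make mysqli throw on errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function db_connect(): mysqli
{
    // Placeholder credentials: replace with your own.
    return new mysqli('localhost', 'db_user', 'db_password', 'db_name');
}

// Store a new user. password_hash() generates and embeds its own salt, so
// there is nothing to roll by hand.
function register_user(mysqli $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO cm_users (Username, Password) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->close();
}

// Return the stored username on success, null otherwise. Because the username
// is a bound parameter, input such as ' OR 1=1 -- is matched literally rather
// than parsed as SQL.
function authenticate(mysqli $db, string $username, string $password): ?string
{
    $stmt = $db->prepare('SELECT Username, Password FROM cm_users WHERE Username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();   // one row or null
    $stmt->close();

    if ($user === null || !password_verify($password, $user['Password'])) {
        return null;   // unknown user or wrong password: same outcome for both
    }

    // If the hash was produced with older defaults, re-hash while we still
    // have the plaintext.
    if (password_needs_rehash($user['Password'], PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE cm_users SET Password = ? WHERE Username = ?');
        $upd->bind_param('ss', $newHash, $username);
        $upd->execute();
        $upd->close();
    }
    return $user['Username'];
}

session_start();

if (isset($_POST['login'], $_POST['username'], $_POST['password'])) {
    $db  = db_connect();
    $who = authenticate($db, (string) $_POST['username'], (string) $_POST['password']);
    if ($who !== null) {
        session_regenerate_id(true);   // fresh session id once the user is authenticated
        $_SESSION['user'] = $who;
        header('Location: redirect.php');
        exit;
    }
    echo "<button class='btn btn-block btn-warning btn-sm'>Please check your login details.</button>";
    include 'login.php';
}
```

Two things differ from the question's loop. The result set is read with fetch_assoc() on the statement's result object rather than with a foreach over the connection handle, which is the mistake the comments point out, and the hash comparison is left to password_verify(), which reads the algorithm and salt out of the stored string and compares in constant time. Creating accounts goes through register_user() so that the stored value is always a password_hash() output; an existing table of sha3 digests would need users to be migrated to the new format before this login could accept them.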