PHP Database user authentication
$con =mysql_connect ("localhost", "root", "123456");
if (! $con)
{
Die (' Could not connect: '. Mysql_error ());
}
mysql_query ("SET NAMES ' UTF8 '"); Set character sets
mysql_select_db ("Manage", $con); Select Database
$sql 1 = "
Select COUNT (*)
From user
where username== "". $_post[' name ']. "and password==" ". $_post[' password ']." "
LIMIT 1
";
$result =mysql_query ($sql 1, $con);
Red part error. Predecessors, there are two questions: first, the current format, how should be changed to make it right. Second, do you do this when validating user information? More simple kind.
Reply to discussion (solution)
$sql 1= "SELECT COUNT (*) from Userwhere username= '". $_post[' name ']. "' and password= '". $_post[' password ']. "' LIMIT 1 ";
Then use Mysql_num_rows to determine whether the row is equal to 1.
Username= '. mysql_real_escape_string ($_post[' name '). "' and password= '". Mysql_real_escape_string ($_post[') Password ']). "
It is best to do a simple anti-injection measure.
http://php.net/manual/en/function.mysql-real-escape-string.php
php5.5 or above, with mysqli_real_escape_string () or Pdo::quote ()
$sql 1 = "SELECT count (*) from Userwhere username= '". $_post[' name ']. "' and password== '". $_post[' password ']. "'";
Or
$sql 1 = "SELECT count (*) from Userwhere username= ' $_post[name] ' and password= ' $_post[password] '";
No LIMIT 1 required
Because there is no group clause, the cluster function obtains only one record
It is necessary to do an escape to the incoming data, at the entrance to the program.
$_post = Array_map (' mysql_real_escape_string ', $_post);
$_post = Array_map (' mysql_real_escape_string ', $_post);
If a $_post is empty, will there be an error?
Using ' $_post[name ' directly in SQL is not an error.
Generally you have to judge first, such as Isset.