所以这让我发疯!如果用户名正确,那么它会完全很好地比较密码,但如果用户名错误,则不会发生比较,并且会向我抛出此错误。我想将数据库值与用户输入的值进行比较。
<?php
$nm = $_POST['nm'];
$pw = $_POST['pw'];
try{
$pdo = new PDO('mysql:host=localhost;dbname=gold-market_main', 'root', '');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}catch(PDOException $e) {
echo "Connection failed: ".$e->getMessage();
die();
}
if($nm == null){
die("Feld darf nicht leer sein!");
} elseif(ctype_alpha($nm[0]) or ctype_digit($nm[0])){
$sql = "SELECT k_nutzername, k_passwort FROM kunden WHERE k_nutzername IN('$nm');";
$result = $pdo->query($sql);
$row = $result->fetch(PDO::FETCH_ASSOC);
if("{$row['k_nutzername']}" != $nm) {
//header("Location: login_wrongUN.html");
print("nm wrong");
} elseif("{$row['k_passwort']}" != $pw) {
//header("Location: login_wrongPW.html");
print("pw wrong");
} else {
header("Location: konto.html");
}
}else{
die("Nutzername muss mit einem buchstaben oder einer Zahl beginnen!");
}
$pdo = null;
?> 
你可以做类似的事情。但是,它不能防止不安全的密码 a> 也不是定时攻击。
setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); }catch(PDOException $e) { echo "Connection failed: ".$e->getMessage(); die(); } if($nm == null){ die("Feld darf nicht leer sein!") } //ctype does not protect $sql = $pdo->prepare("SELECT k_nutzername, k_passwort FROM kunden WHERE k_nutzername = ?;"); $sql->bindValue(1,$nm,PDO::PARAM_STR); //bind a value to a query, called parametrized queries, most secure way against SQL injection. $sql->execute(); $row = $sql->fetch(PDO::FETCH_ASSOC); if(!$row) { // if the username not exists //header("Location: login_wrongUN.html"); print("nm wrong"); } elseif($row['k_passwort'] != $pw) { //header("Location: login_wrongPW.html"); print("pw wrong"); } else { header("Location: konto.html"); } $pdo = null; ?>