您的位置: 首页  >  技术问答  >  仅显示正确的电子邮件地址会话但用户名错误

仅显示正确的电子邮件地址会话但用户名错误

分类: 技术问答 2022-03-12 20:23:41

仅显示正确的电子邮件地址会话但用户名错误

问题描述:

One thing I recognized is that the clause I set in the PDO Prepared is only two clauses like this:

 WHERE myemail = :myemail AND mypassword = :mypassword

So, what I want to try now is that I want to set three clause in the PDO Prepared, like this:

 WHERE myemail = :myemail, mypassword = :mypassword, AND username = :username

But I am not sure if I do that correctly. I am just learnig php (self-taught).

I ask this question is because the index page only shows the correct session of email address but wrong username.

When I log in from username of "someone" with email of "someone@mail.com", the index page show the correct username and email address with the session.

However, when I log in from username of "somebody" with email of "somebody@mail.com", the index page show the correct email (somebody@ymail.com) but with the wrong username (someone) not (somebody).

Here is my code:

// Define $myusername and $mypassword
   $myemail=$_POST['myemail']; 
   $mypassword=$_POST['mypassword']; 


// We Will prepare SQL Query
   $STM = $dbh->prepare("SELECT * FROM newuser WHERE myemail = :myemail AND mypassword = :mypassword");


// bind paramenters, Named paramenters alaways start with colon(:)
   $STM->bindParam(':myemail', $myemail);
   $STM->bindParam(':mypassword', $mypassword);

// For Executing prepared statement we will use below function
   $STM->execute();

// Count no. of records 
   $count = $STM->rowCount();

//just fetch. only gets one row. So no foreach loop needed :)
  $row  = $STM -> fetch();



// User Redirect Conditions will go here
    if ( $count == 1 )  {
       $_SESSION['login_id'] = $row['id'];
       $_SESSION['username'] = $row['username']; // added
       $_SESSION['myemail'] = $row['myemail']; // added

    if ( $_SESSION['login_id'] != '' || $_SESSION['login_id'] > 0 ) { // edited
        header("location: index.php");  
    } else { 
        header("location: login3.html");  
    }
}

 <?php
 include('UserSessionAdmin.php');
 $username = $_SESSION['username'];
 $myemail = $_SESSION['myemail'];
 ?>
 <body>
 <?php echo $username; ?>
 <?php echo $myemail; ?>
 </body>

UserSessionAdmin.php

<?php
session_start();

if ( $_SESSION['login_id'] == 0 || $_SESSION['login_id'] == '' ) {
    header('location: login.html');
    exit();
}

require_once('configPDO.php');
?>

Update:

When I added echo var_dump($row); before the line $count==1, the page shows up with this result:

array(6) { ["username"]=> string(8) "Somebody" [0]=> string(8) "Somebody" ["myemail"]=> string(17) "somebody@mail.com" [1]=> string(17) "somebody@mail.com" ["mypassword"]=> string(8) "thebest2" [2]=> string(8) "thebest2" }

Well from what you are saying this is very strange, here is how I would debug it:

 header("location: index.php?username=".$row['username]."&myemail=".$row['myemail']);

then 

 <?php
 include('UserSessionAdmin.php');
 //$username = $_SESSION['username'];
 //$myemail = $_SESSION['myemail'];
 $username = $_GET['username'];
 $myemail = $_GET['myemail'];
 ?>
 <body>
 <?php echo $username; ?>
 <?php echo $myemail; ?>
 </body>

This isn't a direct answer, this will help you narrow down the issue.

If this works it is clear that the SESSION is responsible for this.

EDIT:

$_GET was used just for the sake of debugging, of course it is not meant for that.

Now we know its the session, you always need to make sure it is started.

When you set it:

if ( $count == 1 )  {
    session_start();
    $_SESSION['login_id'] = $row['id'];
    $_SESSION['username'] = $row['username'];
    $_SESSION['myemail'] = $row['myemail'];
    ...
}

When you get it:

include('UserSessionAdmin.php');
session_start();//again!
$username = $_SESSION['username'];
$myemail = $_SESSION['myemail'];


WHERE myemail = :myemail, mypassword = :mypassword, AND username = :username

Just throw another AND in there:

WHERE myemail = :myemail AND mypassword = :mypassword AND username = :username

When I log in from username of "someone" with email of "someone@mail.com", the index page show the correct username and email address with the session.

You should be using the data from the database as the source of truth, not what the user entered in a form. Do your query and rely on data in your result set only.

You use AND between each of the clauses in a WHERE query, so like this:

WHERE myemail = :myemail AND mypassword = :mypassword AND username = :username

The , is used for selecting fields. (And some other things, but not for stringing together a WHERE clause)

EDIT: the question has been severely altered since this answer was given, so it's no longer relevant.

相关推荐