我试图登录使用该code：

I am trying to log in using this code :

session_start();

require "connect.php";

$username = $_POST['username'];
$password = $_POST['password'];

  if($username&&$password)
 {
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrow = mysql_num_rows($query);

if($numrow!=0)
{
    while($row = mysql_fetch_assoc($query))
    {
        $db_username = $row['username'];
        $db_password = $row['password'];
    }

    if($username==$db_username&&$password==$db_password)
    {
        //echo 1;
        header("Location: members.php");
        $_SESSION['username']=$db_username;

    }
    else echo 0;
}
else die("That user doesn't exist");
    }
     else die("Please enter a username and password");

在成功登录后，应该带我去members.php：

upon successful log in it should take me to members.php :

 session_start();
 if($_SESSION['username'])  <------ this is line 5
   {
echo "20730312";
echo " You are logged in as: ".$_SESSION['username'];
echo "<p><a href='logout.php'>Click here to logout</a>";
    }

但是当我要求members.php在我的应用程序它给了我：

but when i request members.php in my application it gives me :

Notice: Undefined index: username in E:\Program Files\xampp\htdocs\adddrop\members.php on line 5

请注意，我使用的Andr​​oid的WebView要求成功登录后members.php，这是正确的？我究竟做错了什么？

note that i am using android webview to request members.php after successful log in, is this right ? what am i doing wrong ?

推荐答案

在一个侧面说明：你有一个SQL注入存在。可能想阅读更多： http://en.wikipedia.org/wiki/SQL_injection

On a side note: you have an SQL injection there. Might want to read more: http://en.wikipedia.org/wiki/SQL_injection

您所面临的问题是，该用户名不是总是POST'd（当你只是加载网页第一次）：

The problem you are facing is that the username is not always POST'd (when you just load the page first time):

$username = isset($_POST['username']) ? $_POST['username'] : null;
$password = isset($_POST['password']) ? $_POST['password'] : null;

这应该修复它。基本上，我检查POST索引设置，且仅当它是我尝试访问它，否则我将它设置为空。

That should fix it. Basically, I check if the POST index is set, and only if it is I try to access it, otherwise I set it to null.

另外，你可能想要做这样的：

Also, you might want to do it like this:

$query = mysql_query("SELECT * FROM users WHERE username='" . mysql_real_escape_string($username) . "'");

这prevents的SQL注入漏洞。

That prevents the SQL injection vulnerability.

，并添加退出; ：

header("Location: members.php");
$_SESSION['username']=$db_username;
exit; // Add this.