以下是我的php登录脚本,有一个问题。如果我输入任何密码,那么它不会验证密码,而是进入用户面板页面。在我的代码中哪里出错,任何人都可以告诉我正确的方向
N:B:我是PHP的新手本新网站。
<?php
if(isset($_POST['action']) && isset($_POST['action']) == 'Log In')
{
$uname = mysql_real_escape_string(trim(htmlspecialchars($_POST['uname'])));
$pass = mysql_real_escape_string(trim(htmlspecialchars($_POST['pass'])));
$crytpass = hash('sha512','$pass');
$err = array();
include_once("toplevel/content/manage/dbcon/dbcon.php");
// check username
$check_uname = mysql_query("SELECT uname FROM members WHERE uname = '$uname'");
$num_uname = mysql_num_rows($check_uname);
// check password
$check_pass = mysql_query("SELECT pass FROM members WHERE pass = '$crytpass'");
$num_pass = mysql_num_rows($check_pass);
/// userid
$userid = mysql_query("SELECT userid FROM members");
$re = mysql_fetch_array($userid);
$userid = (int) $re['userid'];
if(isset($uname) && isset($pass))
{
if(empty($uname) && empty($pass))
$err[] = "All field required";
else
{
// username validation process....
if(empty($uname))
$err[] = "Username required";
else
{
if($num_uname == 0)
$err[] = "Username is not correct";
}
// password validaiton process...
if(empty($pass))
$err[] = "Password required";
else
{
if($num_pass == 0)
$err[] = "Password is not correct";
}
}
}
if(!empty($err))
{
foreach($err as $er)
{
echo "<font color=red>$er<br></font>";
}
}
else
{
include("user/include/newsession.php");
header("Location:user/index.php");
}
}
?>
答案 0 :(得分:2)
这里有很多错误
替换
if (isset ( $_POST ['action'] ) && isset ( $_POST ['action'] ) == 'Log In') {
用
if (isset ( $_POST ['action'] ) && $_POST ['action'] == 'Log In') {
要替换的东西太多了..在我为你重写剧本时坚持
修改1
if (isset ( $_POST ['action'] ) && $_POST ['action'] == 'Log In') {
$uname = prepareStr ( $_POST ['uname'] );
$pass = prepareStr ( $_POST ['pass'] );
$shaPass = hash ( 'sha512', $pass );
$errors = array ();
include_once ("toplevel/content/manage/dbcon/dbcon.php");
if (! isset ( $uname ) || empty ( $uname )) {
$err [] = "Empty Username not allowed";
}
if (! isset ( $pass ) || empty ( $pass )) {
$err [] = "Empty Password not allowed";
}
if (count ( $err ) == 0) {
$mysqli = new mysqli ( "localhost", "root", "", "test" ); // Replace with
// DB
// Information
$result = "SELECT uname ,pass FROM members WHERE uname = '$uname' AND pass = '$shaPass'";
if ($result->num_rows > 0) {
$err [] = "Invalid username or Password";
}
if (count ( $err ) == 0 && $result) {
$userInfo = $result->fetch_assoc ();
/**
* You can do what every you like here
*/
}
}
if (count ( $err ) > 0) {
/**
* Kill the user
*/
echo "<pre>";
foreach ( $err as $value ) {
echo $value . "\n";
}
die ( "Die! Die! Die!" );
}
}
function prepareStr($str) {
$str = htmlspecialchars ( $str );
$str = trim ( $str );
$str = mysql_real_escape_string ( $str );
return $str;
}
由于
答案 1 :(得分:1)
你不应该告诉你的用户用户名是否错误,这使得暴力破解尝试更容易入侵。
<?php
if(isset($_POST['action']) && $_POST['action'] == 'Log In') {
$userid = false;
$uname = mysql_real_escape_string(trim(htmlspecialchars($_POST['uname'])));
// or better
// $uname = filter_var($_POST['uname'], FILTER_SANITIZE_STRING);
$pass = $_POST['pass'];
$crytpass = hash('sha512',$pass);
$err = array();
include_once("toplevel/content/manage/dbcon/dbcon.php");
$q = mysql_query("SELECT userid FROM members WHERE uname = '$uname' AND pass='$cryptpass'");
if(mysql_num_rows($q) > 0){
$re = mysql_fetch_array($q);
$userid = (int) $re['userid'];
} else {
// username or password wrong
)
if($userid) {
// successfull login
}
}