我正在学习PHP,我已经制作了一个简单的登录脚本,但问题是它只是将我重定向到空白页面。如果用户凭据正确,则意味着重定向到index.php,但显然不是这种情况?还有验证,如果用户输入空白,则返回错误。这似乎没有被执行。
的login.php
<form id="login-form" method="post" action="logininc.php"> <fieldset>
<legend>Login </legend>
<p>Please enter your username and password to access the administrator's panel</p>
<label for="user"> <input type="text" name="user" placeholder="Type your username here" id="user" /></label>
<label for="password"> <input type="password" name="password" placeholder="Type your password here" id="password" /></label>
<label for="submit"> <input type="submit" class="btn btn-primary"name="submit" id="submit" value="Login" /> </label> </fieldset> </form>
logininc.php //我的处理页面
<?php
require_once("assets/configs/db_config.php");
$user=$_POST['user'];
$password=$_POST['password'];
if(isset($_POST['login']))
{
//To ensure that none of the fields are blank when submitting the form if
if($user || $password != NULL)
{
$user = stripslashes($user);
$password = stripslashes($password);
$user = mysqli_real_escape_string($user);
$password = mysqli_real_escape_string($password);
$sql="SELECT * FROM $test_db WHERE user='$user' and password='$password'";
$result=mysqli_query($sql);
$row=mysql_fetch_array($result);
if($row['user'] == $user && $row['password'] == $password)
{
session_start();
$_SESSION['user'] = $user;
$_SESSION['password'] = $password;
$_SESSION['loggedin'] = "true";
header("location:index.php");
}
else
{
print ('<div id="error">Computer says no.</div>');
}
print ('<div id="error">Enter something!</div>');
}
}
?>
index.php //成功页面
<?php //module to check logins
session_start();
if(!isset($_SESSION["loggedIn"])){
header("Location: login.php");
exit;
}
Echo 'Congratulations <b>'.$_SESSION['user'].'</b> you successfully logged in!!<br />
Your Password is: <b>'.$_SESSION['password'].'</b><br />
<a href="login.php">Logout</a>';
?>
答案 0 :(得分:2)
$row = mysql_fetch_array
应为$row = mysqli_fetch_array
正如其他人已经提到的那样,使用
if(isset($_POST['user']) && isset($_POST['password'])) {
// your code here
}
和顺便说一句:使用只说“loggedin = true”或“login = yes”等的会话是安全的
编辑(安全性讨论):
密码应始终加密保存(注册):
function login($email, $password) {
$email = mysql_real_escape_string($email);
$q = "SELECT id, email, password, salt FROM members WHERE email='" . $email . "'";
$result = mysql_query($q, $this->connection);
$output = mysql_fetch_assoc($result);
$user_id = $output['id'];
$database_username = $output['username'];
$database_email = $output['email'];
$database_password = $output['password'];
$password = hash('sha512', $password);
if($database_password == $password) {
$user_browser = $_SERVER['HTTP_USER_AGENT'];
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
$_SESSION['username'] = $email;
$login_hash = hash('sha512', $password.$user_browser);
$_SESSION['login_hash'] = $login_hash;
} else {
return false;
}
} // function
function login_check() {
$user_id = $_SESSION["user_id"];
$login_hash = $_SESSION["login_hash"];
$email = $_SESSION["username"];
$user_browser = $_SERVER['HTTP_USER_AGENT'];
$q = "SELECT password FROM members WHERE id ='" . $user_id . "'";
$result = mysql_query($q, $this->connection);
$output = mysql_fetch_assoc($result);
$database_password = $output['password'];
if(mysql_num_rows($result) == 1) {
$login_check = hash('sha512', $database_password.$user_browser);
if($login_check == $login_hash) {
return true;
} else {
return false;
}
} else {
return false;
}
}
此外,您可以为每个用户创建一个随机盐(注册),将您的安全级别设置得更高(注意:hash(hash(hash(...)))会降低您的安全级别,因为您丢失了信息在哈希过程中)
注意:这只是一个具有高安全级别的(工作)示例login / -check脚本。仍然可以改进此脚本(bruteforce,mysqli / prepared语句,直接在表单中散列密码,安全会话,......)
答案 1 :(得分:1)
将if(isset($_POST['login']))
更改为if(isset($_POST['submit']))
时会发生什么?
答案 2 :(得分:0)
问题是if(isset($_POST['login']))
您永远不会在表单中设置“登录”条目。
你可以这样做:
if(isset($_POSt["user"]) && isset($_POST["password"])) {
$user=$_POST['user'];
$password=$_POST['password'];
//To ensure that none of the fields are blank when submitting the form if
if($user && $password) {
答案 3 :(得分:0)
首先,提交按钮的名称是“提交”。而且你正在检查“登录”是否发布。
if(isset($_POST['login']))
{
应该是:
if(isset($_POST['submit']))
{
你写过:
if($user || $password != NULL)
{
应该是:
if($user != NULL || $password != NULL)
{
您使用过mysqli和mysql命令,这不是一个好习惯
$result=mysqli_query($sql);
$row=mysql_fetch_array($result);
而不是
if($row['user'] == $user && $row['password'] == $password)
{
//this code again check for condition which is already checked in the sql statement
更好的做法是写:
if($row->num_rows==1)
{
你在index.php中写过
if(!isset($_SESSION["loggedIn"])){
应该是
if(!isset($_SESSION["loggedin"])){
因为您在存储到会话时存储了小写索引。