简单登录返回空白页面

时间:2013-07-24 09:00:55

标签: php

我正在学习PHP,我已经制作了一个简单的登录脚本,但问题是它只是将我重定向到空白页面。如果用户凭据正确,则意味着重定向到index.php,但显然不是这种情况?还有验证,如果用户输入空白,则返回错误。这似乎没有被执行。

的login.php 

<form id="login-form" method="post" action="logininc.php"> <fieldset> 
  <legend>Login </legend> 
  <p>Please enter your username and password to access the administrator's panel</p>

   <label for="user"> <input type="text" name="user" placeholder="Type your username here" id="user" /></label> 
   <label for="password"> <input type="password" name="password" placeholder="Type your password here" id="password" /></label>
   <label for="submit"> <input type="submit" class="btn btn-primary"name="submit" id="submit" value="Login" /> </label> </fieldset> </form>

logininc.php //我的处理页面

<?php

require_once("assets/configs/db_config.php");
$user=$_POST['user']; 
$password=$_POST['password'];

if(isset($_POST['login']))
{
//To ensure that none of the fields are blank when submitting the form if
if($user || $password != NULL)
    {
        $user = stripslashes($user);
        $password = stripslashes($password);
        $user = mysqli_real_escape_string($user);
        $password = mysqli_real_escape_string($password);

        $sql="SELECT * FROM $test_db WHERE user='$user' and password='$password'";
        $result=mysqli_query($sql);

        $row=mysql_fetch_array($result);

        if($row['user'] == $user && $row['password'] == $password)
        {
            session_start();
            $_SESSION['user'] = $user;
            $_SESSION['password'] = $password;
            $_SESSION['loggedin'] = "true";
            header("location:index.php");
        }
        else
        {
            print ('<div id="error">Computer says no.</div>');

        }
            print ('<div id="error">Enter something!</div>');

}
}



    ?>

index.php //成功页面

 <?php //module to check logins
 session_start();

 if(!isset($_SESSION["loggedIn"])){
     header("Location: login.php");
     exit;
 }
 Echo 'Congratulations <b>'.$_SESSION['user'].'</b> you successfully logged in!!<br />
         Your Password is: <b>'.$_SESSION['password'].'</b><br />
         <a href="login.php">Logout</a>';
 ?>

4 个答案:

答案 0 :(得分:2)

$row = mysql_fetch_array应为$row = mysqli_fetch_array

正如其他人已经提到的那样,使用

if(isset($_POST['user']) && isset($_POST['password'])) {


// your code here


}

和顺便说一句:使用只说“loggedin = true”或“login = yes”等的会话是安全的

编辑(安全性讨论):

密码应始终加密保存(注册):

function login($email, $password)   {
    $email = mysql_real_escape_string($email);
    $q = "SELECT id, email, password, salt FROM members WHERE email='" . $email . "'";
    $result = mysql_query($q, $this->connection);
        $output = mysql_fetch_assoc($result);
        $user_id = $output['id'];
        $database_username = $output['username'];
        $database_email = $output['email'];
        $database_password = $output['password'];


        $password = hash('sha512', $password);

            if($database_password == $password) {
                $user_browser = $_SERVER['HTTP_USER_AGENT']; 
                $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                $_SESSION['user_id'] = $user_id;
                $_SESSION['username'] = $email;
                $login_hash = hash('sha512', $password.$user_browser);
                $_SESSION['login_hash'] = $login_hash;
        }   else    {
            return false;
        }
} // function

function login_check()  {
    $user_id = $_SESSION["user_id"];
    $login_hash = $_SESSION["login_hash"];
    $email = $_SESSION["username"];
    $user_browser = $_SERVER['HTTP_USER_AGENT'];

    $q = "SELECT password FROM members WHERE id ='" . $user_id . "'";
    $result = mysql_query($q, $this->connection);
    $output = mysql_fetch_assoc($result);
    $database_password = $output['password'];

    if(mysql_num_rows($result) == 1)    {

        $login_check = hash('sha512', $database_password.$user_browser);
        if($login_check == $login_hash) {
                return true;
            } else { 
                return false; 
        }
    } else  {
        return false; 
    }
}

此外,您可以为每个用户创建一个随机盐(注册),将您的安全级别设置得更高(注意:hash(hash(hash(...)))会降低您的安全级别,因为您丢失了信息在哈希过程中)

注意:这只是一个具有高安全级别的(工作)示例login / -check脚本。仍然可以改进此脚本(bruteforce,mysqli / prepared语句,直接在表单中散列密码,安全会话,......)

答案 1 :(得分:1)

if(isset($_POST['login']))更改为if(isset($_POST['submit']))时会发生什么?

答案 2 :(得分:0)

问题是if(isset($_POST['login']))

您永远不会在表单中设置“登录”条目。

你可以这样做:

if(isset($_POSt["user"]) && isset($_POST["password"])) {
$user=$_POST['user']; 
$password=$_POST['password'];
//To ensure that none of the fields are blank when submitting the form if
if($user && $password) {

答案 3 :(得分:0)

首先,提交按钮的名称是“提交”。而且你正在检查“登录”是否发布。

if(isset($_POST['login']))
{
应该是:

if(isset($_POST['submit']))
{

你写过:

if($user || $password != NULL)
{
应该是:

if($user != NULL || $password != NULL)
{

您使用过mysqli和mysql命令,这不是一个好习惯

$result=mysqli_query($sql);

    $row=mysql_fetch_array($result);

而不是

if($row['user'] == $user && $row['password'] == $password)
    {
//this code again check for condition which is already checked in the sql statement

更好的做法是写:

if($row->num_rows==1)
    {
你在index.php中写过

if(!isset($_SESSION["loggedIn"])){

应该是

if(!isset($_SESSION["loggedin"])){

因为您在存储到会话时存储了小写索引。

相关问题
最新问题