我有下表
IdUser(int)
用户名(VARCHAR)
密码(VARCHAR)
电子邮件(VARCHAR)
有效(int)的
Active为0或1,具体取决于用户是否验证了电子邮件。如果验证了帐户,则表中的活动行将更新为1.如果未验证帐户,则表中的活动行仍为0。
用户只有在帐户经过验证后才能登录。
到目前为止,我的登录工作方式如下:
//login API
function login($user, $pass) {
// try to match a row in the "login" table for the given username and password
$result = query("SELECT IdUser, username FROM login WHERE username='%s' AND pass='%s' limit 1", $user, $pass);
if (count($result['result'])>0) {
// a row was found in the database for username/pass combination
// save a simple flag in the user session, so the server remembers that the user is authorized
$_SESSION['IdUser'] = $result['result'][0]['IdUser'];
// print out the JSON of the user data to the iPhone app; it looks like this:
// {IdUser:1, username: "Name"}
print json_encode($result);
} else {
// no matching username/password was found in the login table
errorJson('Authorization failed');
}
}
我如何只向经过验证的用户提供登录功能?
答案 0 :(得分:0)
好吧,除非我在您的描述中遗漏了某些内容,否则您只需在AND active=1子句中添加WHERE即可。所以你最终会得到:
SELECT IdUser, username FROM login WHERE username='%s' AND pass='%s' AND active=1 limit 1
<强>更新
//login API
function login($user, $pass) {
// try to match a row in the "login" table for the given username and password
$result = query("SELECT IdUser, username, active, email FROM login WHERE username='%s' AND pass='%s' limit 1", $user, $pass);
if (count($result['result'])>0) {
// a row was found in the database for username/pass combination
if (!$result['result'][0]['active']) {
// not activated yet
errorJson('Not activated yet: ' + $result['result'][0]['email']);
} else {
// save a simple flag in the user session, so the server remembers that the user is authorized
$_SESSION['IdUser'] = $result['result'][0]['IdUser'];
// print out the JSON of the user data to the iPhone app; it looks like this:
// {IdUser:1, username: "Name"}
print json_encode($result);
}
} else {
// no matching username/password was found in the login table
errorJson('Authorization failed');
}
}
顺便说一下,正如其他提到的那样,你的代码似乎对SQL注入很敏感,你似乎在数据库中以原始文本存储密码,这是一种非常糟糕的做法。您应该考虑使用mysqli +占位符进行查询。您还应该在流程中的任何位置对密码进行哈希处理。一种简单的方法(尽管不是最好的)可能是使用MySQL的密码功能。因此,您的查询将简单地更改为:
$result = query("SELECT IdUser, username, active, email FROM login WHERE username=? AND password=PASSWORD(?) limit 1", $user, $pass);
答案 1 :(得分:0)
只需在查询中AND active = 1之前添加limit 1。
另外,您的代码存在一些更广泛的问题:
答案 2 :(得分:0)
这里:
$result = query("SELECT IdUser, username FROM login WHERE username='%s' AND pass='%s' AND emailVerified='1' limit 1", $user, $pass);
其中emailVerified是您的电子邮件验证状态字段名称,请将其替换为您自己的
答案 3 :(得分:0)
首先你必须检查用户是否有效
select active from login where username='%s';//execute this query and check result and store in active..
if(!$active)
{
errorJson("your account is not activated yet!);
}
else
{
//login code
}