我的登录脚本有问题：用户可以自行注册，或者我可以在管理面板中添加用户，但当他们尝试登录时，系统提示用户名/电子邮件或密码不正确。我确认这两项都没有输错，而且密码使用了加盐哈希（bcrypt）存储。
<?php
// login_process.php
// LOGIN RESPONSES
//
// 1 Login successful
// 0 ...
// -1 Database error
// -2 Data fields empty
// -3 Username/email address not registered
// -4 Password incorrect
// -5
//
include_once("check_login_status.php");
// A visitor who already holds a valid session ($user_ok is set by the
// include above) has nothing to do here: send them to the front page and stop.
if ($user_ok) {
    header("location: index.php");
    exit();
}
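// AJAX CALLS THIS LOGIN CODE TO EXECUTE
//
// Expects POST "e" (email address or username) and "p" (plain-text password)
// and prints one of the numeric response codes listed at the top of the file.
// On success it populates $_SESSION and sets the id/user/pass/level cookies
// that the rest of the site reads, then records the client IP and login time.
//
// NOTE(review): answering -3 ("not registered") and -4 ("wrong password")
// separately lets an attacker enumerate valid accounts, and there is no
// rate limiting or CSRF token on this endpoint. Both are out of scope for the
// asker's bug but worth fixing before this goes public.
if (isset($_POST["e"])) {
    // CONNECT TO DATABASE ($mysqli is created by db_conx.php)
    include_once("db_conx.php");

    // Raw POST values. They are only ever passed to MySQL as bound
    // parameters below, so mysqli_real_escape_string() is no longer needed
    // (escaping *before* binding would corrupt the value with backslashes).
    $e = (string) $_POST["e"];
    $p = isset($_POST["p"]) ? (string) $_POST["p"] : "";

    // Client IP reduced to dotted-quad characters. REMOTE_ADDR is set by the
    // web server, not the client; it is still bound rather than interpolated.
    // (An IPv6 address collapses to digits and dots only, as in the original.)
    $ip = preg_replace('#[^0-9.]#', '', getenv('REMOTE_ADDR'));

    // FORM DATA ERROR HANDLING
    if ($e === "" || $p === "") {
        echo -2;
        exit();
    }

    // Look the account up by email OR username with a prepared statement;
    // the original string-built query relied on escaping alone.
    $sql = "SELECT mem_id, mem_username, mem_pwd, mem_salt, mem_active, mem_level FROM smd_members WHERE (mem_email=? OR mem_username=?) AND mem_active=1 LIMIT 1";
    $stmt = mysqli_prepare($mysqli, $sql);
    if ($stmt === false) {
        echo -1;
        exit();
    }
    if (!mysqli_stmt_bind_param($stmt, "ss", $e, $e) || !mysqli_stmt_execute($stmt)) {
        mysqli_stmt_close($stmt);
        echo -1;
        exit();
    }
    mysqli_stmt_store_result($stmt);
    if (mysqli_stmt_num_rows($stmt) == 0) {
        mysqli_stmt_close($stmt);
        echo -3;
        exit();
    }
    mysqli_stmt_bind_result($stmt, $db_id, $db_username, $db_pass_str, $db_pass_salt, $db_active, $db_level);
    mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);

    // Recompute the bcrypt hash with the stored salt, exactly as
    // signup_process.php did when the account was created. (The stored hash
    // already embeds "$2y$14$" + salt, so password_verify($p, $db_pass_str)
    // would also work; the explicit salt is kept to match the schema.)
    $salt_complete = '$2y$14$' . $db_pass_salt;
    $crypt = crypt($p, $salt_complete);

    // The SELECT above already requires mem_active=1, so this branch cannot
    // currently fire. It is kept for a future schema change, but now stops
    // the script instead of falling through to the password check and
    // printing a second response after the redirect header.
    if ($db_active == 0) {
        header("location: ../reactivate.php?u=" . $db_id);
        exit();
    }

    // Constant-time comparison (hash_equals, PHP >= 5.6). crypt() returns a
    // short "*0"/"*1" string when it fails -- e.g. "$2y$" is unsupported on
    // PHP < 5.3.7 -- which can never equal a 60-character bcrypt hash, so a
    // broken crypt() still fails closed.
    // NOTE(review): if every login returns -4 even though the password is
    // right, check the column widths: mem_pwd must hold the full 60-character
    // hash and mem_salt the full 22-character salt. A narrower column
    // silently truncates on INSERT and nothing will ever match again.
    if (!hash_equals($db_pass_str, $crypt)) {
        echo -4;
        exit();
    }

    // CREATE THEIR SESSIONS AND COOKIES
    // Rotate the session id at the privilege change so a session id planted
    // before login (session fixation) is not promoted to an authenticated one.
    // The session itself is started by check_login_status.php (not shown).
    if (session_id() !== '') {
        session_regenerate_id(true);
    }
    $_SESSION['userid'] = $db_id;
    $_SESSION['username'] = $db_username;
    $_SESSION['password'] = $db_pass_str;
    $_SESSION['level'] = $db_level;

    // NOTE(review): these cookies hand the password *hash* and the privilege
    // level to the client. The hash becomes an offline cracking target, and if
    // any page trusts the "level" cookie without re-checking the database a
    // visitor can simply edit it. They are kept only because
    // check_login_status.php (not shown) appears to depend on them; the
    // proper fix is a random, server-stored remember-me token. The "secure"
    // flag (6th argument) is also left off, so they travel over plain HTTP.
    $expires = strtotime('+30 days');
    setcookie("id", $db_id, $expires, "/", "", "", TRUE);
    setcookie("user", $db_username, $expires, "/", "", "", TRUE);
    setcookie("pass", $db_pass_str, $expires, "/", "", "", TRUE);
    setcookie("level", $db_level, $expires, "/", "", "", TRUE);

    // UPDATE THEIR "IP" AND "LASTLOGIN" FIELDS
    // Keyed on the numeric id rather than the username: the username comes
    // back from the database unescaped, so interpolating it into a query
    // (as the original did) was a second-order injection point.
    $upd = mysqli_prepare($mysqli, "UPDATE smd_members SET mem_lastip=?, mem_lastlogin=now() WHERE mem_id=? LIMIT 1");
    if ($upd !== false) {
        mysqli_stmt_bind_param($upd, "si", $ip, $db_id);
        // Best effort, as in the original: a failed audit update does not block the login.
        mysqli_stmt_execute($upd);
        mysqli_stmt_close($upd);
    }
    echo 1;
    exit();
}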
?>
<?php
// signup_process.php
// Only the signup form / AJAX call posts "e"; anyone else landed here by
// accident and gets the -10 code (a redirect to index.php is still TODO).
if (isset($_POST["e"]) === false) {
    echo -10;
    exit();
}
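include_once("db_conx.php");   // provides $mysqli

// Collect the POST fields. Every value is passed to MySQL as a bound
// parameter below, so none of them is escaped here (escaping before binding
// would store literal backslashes). A missing field defaults to "" instead
// of raising an undefined-index notice.
$f = isset($_POST["f"]) ? (string) $_POST["f"] : "";   // first name
$l = isset($_POST["l"]) ? (string) $_POST["l"] : "";   // last name
$e = (string) $_POST["e"];                              // email (presence checked above)
$p = isset($_POST["p"]) ? (string) $_POST["p"] : "";   // plain-text password
$u = isset($_POST["u"]) ? (string) $_POST["u"] : "";   // username
// NOTE(review): "a" is stored verbatim as mem_level. If this script is
// reachable from the public signup form (the question says users register
// themselves), anyone can create an account with whatever privilege level
// they like. Force it to the lowest level unless the caller is a verified
// admin session. No format check is done on the email or username either.
$a = isset($_POST["a"]) ? intval($_POST["a"]) : 0;

// First check that the username and email are not already taken.
// NOTE(review): this check-then-insert is racy; a UNIQUE index on
// mem_username and mem_email is the real guarantee.
$chk = mysqli_prepare($mysqli, "SELECT mem_id FROM smd_members WHERE mem_username = ? OR mem_email = ?");
if ($chk === false || !mysqli_stmt_bind_param($chk, "ss", $u, $e) || !mysqli_stmt_execute($chk)) {
    // error with db
    error_log("E: ".$_SERVER['REQUEST_TIME']." ".__FILE__." ".__LINE__." Database error - ".mysqli_error($mysqli)."\n",0);
    echo 0;
    exit();
}
mysqli_stmt_store_result($chk);
$taken = mysqli_stmt_num_rows($chk) > 0;
mysqli_stmt_close($chk);
if ($taken) {
    // username or email address already used
    echo -1;
    exit();
}

// Hash the password with bcrypt at cost 14 (same algorithm and cost as the
// original). password_hash() draws its 22-character salt from the OS CSPRNG,
// whereas the original built it from array_rand(), which is not a
// cryptographic generator. The salt is still extracted and stored in
// mem_salt because login_process.php rebuilds '$2y$14$' . mem_salt and
// recomputes the hash: the 22 characters after the 7-character "$2y$14$"
// prefix are exactly that salt, so existing login code keeps working.
// NOTE(review): mem_pwd must be at least 60 characters wide and mem_salt at
// least 22; a narrower column truncates silently and every login then fails.
$crypt = password_hash($p, PASSWORD_BCRYPT, array('cost' => 14));
if ($crypt === false || strlen($crypt) !== 60) {
    error_log("E: ".$_SERVER['REQUEST_TIME']." ".__FILE__." ".__LINE__." password_hash failed\n",0);
    echo 0;
    exit();
}
$salt = substr($crypt, 7, 22);

// Client IP as reported by the web server; bound, not interpolated.
$ip = $_SERVER['REMOTE_ADDR'];
$ins = mysqli_prepare($mysqli, "INSERT INTO smd_members (mem_username, mem_firstname, mem_lastname, mem_email, mem_pwd, mem_salt, mem_signedup, mem_lastlogin, mem_signupip, mem_lastip, mem_avatarid, mem_active, mem_level) VALUES (?, ?, ?, ?, ?, ?, NOW(), NOW(), ?, ?, 0, 1, ?)");
if ($ins === false || !mysqli_stmt_bind_param($ins, "ssssssssi", $u, $f, $l, $e, $crypt, $salt, $ip, $ip, $a) || !mysqli_stmt_execute($ins)) {
    // error with db
    error_log("E: ".$_SERVER['REQUEST_TIME']." ".__FILE__." ".__LINE__." Database error - ".mysqli_error($mysqli)."\n",0);
    echo 0;
    exit();
}
$id = mysqli_stmt_insert_id($ins);
mysqli_stmt_close($ins);

// now create login session and cookie. COOKIES!!! (still TODO)
// if all good, send ok message: the new member's id
echo $id;
exit();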
?>