使用PDO登录脚本

时间:2014-06-25 09:34:10

标签: php mysql pdo

我正在实施一个无法正常工作的登录脚本。我希望用户能够使用他们的用户名或电子邮件登录。我有两张桌子:

用户 - 包含登录信息(用户名,密码,电子邮件,isactive)

userprofile - 包含个人资料信息

问题/ ERRORS

  1. 使用电子邮件地址登录无效。
  2. 如果仅输入用户名,将密码字段留空,则用户仍然会登录。
  3. 代码(主动检查用户的帐户是否在电子邮件验证后被激活)

        $uname = htmlspecialchars($_POST['username']);
        $pword = htmlspecialchars($_POST['password']);
        $isActive = 1;
        $getId = 0;
            try{
        $stmt = $db->prepare("SELECT * FROM user WHERE username = :username OR email = :email AND password = :password AND isactive = :isactive");
        $stmt->execute(array(':username' => $uname, ':email' => $uname, ':password' => $pword, ':isactive' => $isActive));
        $numrows = $stmt->fetch(PDO::FETCH_ASSOC);
        //to enable me count number of rows returned
        $number = $stmt->fetch(PDO::FETCH_NUM);
    
    
        $_SESSION['username'] = $numrows['username'];
        $getId = $numrows['Id'];//get the id of the user
    
        }catch(PDOException $ex){
        echo 'QUERY ERROR: ' . $ex->getMessage();
          }
    
    
        /*this checks to see that the user has a profile (userId is a foreign key, thus  user.Id = userprofile.userId always)*/
         try{
           $query = $db->prepare("SELECT * from userprofile WHERE userId = :userId");
           $query->execute(array(':userId' => $getId));
           $row = $query->fetchAll();
    
           }catch(PDOException $exc){
        echo 'QUERY ERROR: ' . $exc->getMessage();
         }
    
           //Check results and log user in
            if(count($number) == 1 && count($row) == 1){
    
            header("Location: index.php");
        }
            else {$errorMessage = "<p style='color:#ff851b'>Invalid username or password</p>";}
    

    我需要修改哪些才能使其正常工作?感谢

3 个答案:

答案 0 :(得分:2)

您也可以在查询中轻松添加行数:

并调整查询:

SELECT *, count(*) AS numrows 
FROM user 
WHERE (username = :username OR email = :email) AND 
       password = :password AND isactive = :isactive 

请进行以下更改:

$stmt->execute(array(':username' => $uname, 
                     ':email' => $uname, 
                     ':password' => $pword, 
                     ':isactive' => $isActive));

$row = $stmt->fetch(PDO::FETCH_ASSOC);

if(!$row){
   throw new Exception('User not found');
}

//get user data
$numrows = (int)$row['numrows'];
if($numrows === 1){
    //found a user
    $_SESSION['username'] = $row['username'];
    $id = $row['Id'];
}

答案 1 :(得分:0)

我看到的主要问题是这个问题;需要一些括号:

在:

$stmt = $db->prepare("SELECT * FROM user WHERE username = :username OR email = :email AND password = :password AND isactive = :isactive");

后:

$stmt = $db->prepare("SELECT * FROM user WHERE ((username = :username AND password = :password) OR (email = :email AND password = :password)) AND isactive = :isactive");

另外,在这一行中,您要将$uname分配给username email - 这里也可能出现复制/粘贴错误?

$stmt->execute(array(':username' => $uname, ':email' => $uname, ':password' => $pword, ':isactive' => $isActive));

答案 2 :(得分:0)

尝试

SELECT * FROM user WHERE (username = :username OR email = :email) AND password = :password AND isactive = :isactive"

作为查询...应该工作......