对于PHP而言,我几乎是一个完全的初学者,并且在对数据库进行哈希处理后,我的登录和重定向脚本出现了一些问题。当我尝试登录并且找不到问题时,继续保持帐户未找到页面。
一些背景信息:
数据库名称:“user”
表“用户”,其中包含用户ID,用户名,密码,电子邮件地址,优惠等列。
我正在努力的网站允许用户完成许多优惠,然后在完成后获得奖励。商品列的默认值为“1”,商品完成后会通过脚本进行更新。登录后,将根据商品列中的值重定向用户。 (因此,首次登录用户被重定向到example.com/offer1,在商品1完成后,此值将更新,以便下次登录用户重定向到提供2 - 实质上存储用户进度)
无论如何,登录工作正常但是使用md5,改为crypt()而改变了登录脚本,但事情出了问题。现在,当我尝试登录时,我被定向到错误,该帐户无法找到页面。 - 当我检查数据库并且帐户在那里时。如果有些人可以查看我的登录代码并指出我哪里出错了,我将非常感激。
这是我用来散列密码的脚本 - 我跑了一次。看起来像我在DB中看到的那样工作所有密码似乎都被哈希了。
<?php
$con = mysqli_connect("localhost","name","pass","user");
function Casual($length=22){
$characters ="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890";
$code = "";
for($i = 0; $i<$length; $i++){
$code = $code.substr($characters,rand(0,strlen($characters)-1),1);
}
return $code;
}
$query = mysqli_query($con,"SELECT Password,Username FROM users");
while($assoc = mysqli_fetch_assoc($query)){
$newcode= '$2a$07$'.Casual(22).'$';
$hashed_password = crypt($assoc['Password'],$newcode);
mysqli_query($con,"UPDATE users SET Password='".$hashed_password."' WHERE Username='".$assoc['Username']."'");
}
?>
这是登录代码:
<?php include "base.php"; ?>
<!DOCTYPE html PUBLIC "
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login to Cash Offers</title>
<link rel="stylesheet" href="style.css" type="text/css" />
</head>
<body>
<div id="main">
<?php
$con = mysqli_connect("localhost","user","pass","user");
if(!empty($_SESSION['LoggedIn']) && !empty($_SESSION['Username']))
{
?>
echo '<meta http-equiv="refresh" content="0;URL=\'http://example.com/'.$row['offer'].'\'" />';
<ul>
<li><a href="logout.php">Logout.</a></li>
</ul>
<?php
}
elseif(!empty($_POST['username']) && !empty($_POST['password']))
{
$username = mysqli_real_escape_string($_POST['username']);
$password = md5(mysqli_real_escape_string($_POST['password']));
$checklogin = mysqli_query($con,"SELECT * FROM users WHERE Username = '".$username."'");
$row = mysqli_fetch_array($checklogin);
if(mysqli_num_rows($checklogin) == 1 AND crypt($password, $row['Password']) == $row['Password'])
{
$email = $row['EmailAddress'];
$_SESSION['Username'] = $username;
$_SESSION['EmailAddress'] = $email;
$_SESSION['LoggedIn'] = 1;
echo "<h1>Success</h1>";
echo "<p>We are now redirecting you to the member area.</p>";
echo '<meta http-equiv="refresh" content="0;URL=\'http://example.com/'.$row['offer'].'\'" />';
}
else
{
echo "<h1>Error</h1>";
echo "<p>Sorry, your account could not be found. Please <a href=\"index.php\">click here to try again</a>.</p>";
}
}
else
{
?>
<h1>Member Login</h1>
<p>Your just a few seconds away from completing offers! Please either login below, or <a href="register.php">click here to register</a>.</p>
<form method="post" action="index.php" name="loginform" id="loginform">
<fieldset>
<label for="username">Username:</label><input type="text" name="username" id="username" /><br />
<label for="password">Password:</label><input type="password" name="password" id="password" /><br />
<input type="submit" name="login" id="login" value="Login" />
</fieldset>
</form>
<?php
}
?>
</div>
</body>
</html>
在上面,登录时或者如果会话已经存在,脚本会在数据库中查找商品值并根据值重定向。 (如果默认为1,重定向到example.com/offer 1;如果是2然后是example.com/offer2等)我认为这里没有问题,因为它甚至没有尝试重定向 - 只是说没有找到用户。是否存在散列密码未正确读取的问题?
这是Error.Sorry,找不到您的帐户..位已关闭
Heres'base.php
<?php
session_start();
$dbhost = "localhost"; // this will ususally be 'localhost', but can sometimes differ
$dbname = "user"; // the name of the database that you are going to use for this project
$dbuser = "name"; // the username that you created, or were given, to access your database
$dbpass = "pass"; // the password that you created, or were given, to access your database
mysql_connect($dbhost, $dbuser, $dbpass) or die("MySQL Error: " . mysql_error());
mysql_select_db($dbname) or die("MySQL Error: " . mysql_error());
?>
这也是我的注册脚本
<?php include "base.php"; ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Register </title>
<link rel="stylesheet" href="style.css" type="text/css" />
</head>
<body>
<div id="main">
<?php
if(!empty($_POST['username']) && !empty($_POST['password']))
{
$username = mysql_real_escape_string($_POST['username']);
$password = md5(mysql_real_escape_string($_POST['password']));
$email = mysql_real_escape_string($_POST['email']);
$checkusername = mysql_query("SELECT * FROM users WHERE Username = '".$username."'");
if(mysql_num_rows($checkusername) == 1)
{
echo "<h1>Error</h1>";
echo "<p>Sorry, that username is taken. Please go back and try again.</p>";
}
else
{
$registerquery = mysql_query("INSERT INTO users (Username, Password, EmailAddress) VALUES('".$username."', '".$password."', '".$email."')");
if($registerquery)
{
echo "<h1>Success</h1>";
echo "<p>Your account was successfully created. Please <a href=\"index.php\">click here to login</a>.</p>";
}
else
{
echo "<h1>Error</h1>";
echo "<p>Sorry, your registration failed. Please go back and try again.</p>";
}
}
}
else
{
?>
<h1>Register</h1>
<p>Please enter your details below to register.</p>
<form method="post" action="register.php" name="registerform" id="registerform">
<fieldset>
<label for="username">Username:</label><input type="text" name="username" id="username" /><br />
<label for="password">Password:</label><input type="password" name="password" id="password" /><br />
<label for="email">Email Address:</label><input type="text" name="email" id="email" /><br />
<input type="submit" name="register" id="register" value="Register" />
</fieldset>
</form>
<?php
}
?>
</div>
</body>
</html>
最后这里是更新表格中的报价值的脚本 - 此报价在报价2完成后触发,并按下“继续下一个报价”。
<?php
session_start();
$con = mysqli_connect("localhost","name","pass","user");
$select = mysqli_fetch_assoc(mysqli_query($con,"SELECT offer FROM users WHERE Username = '".$_SESSION['username']."'"));
$plus = $select['offer']++;
mysqli_query($con,"UPDATE users SET offer=2".$plus);
header("location: http://example.com/offer3".$plus);
?>
非常感谢你的时间!
答案 0 :(得分:1)
此代码是您找不到帐户的原因&#34;:
if(mysqli_num_rows($checklogin) == 1 AND crypt($password, $row['Password']) == $row['Password'])
{
//Good
}
else
{
//Not found
}
如果您发现帐户和密码匹配,则您只会进入第一个条件。您找不到帐户时没有定义条件,但密码不匹配。
要像你想要的那样工作,你可以这样做:
if(mysqli_num_rows($checklogin) == 1)
{
if(crypt($password, $row['Password']) == $row['Password'])
{
//Good
}
else
{
//Bad password
}
}
else
{
//Not found
}
那说;请注意,通常不一个好主意,以表明登录失败的原因;你会告诉任何潜在的密码破解者他们的用户名不存在,从而消除了他们的大部分工作。标准是做你现在拥有的,但只是给出这样的信息:
用户名或密码不正确。
另外,我担心这仍然无法奏效;看起来你已经散列了已经散列的密码;现在要获得比赛,你必须使用MD5,然后是crypt,因为那是你获得当前哈希的方式。