My code checks whether the username exists in the database, but if the password is wrong or empty the user can still log in (they are redirected to welcome.php). How can I implement this so that the password has to be correct as well as the username?
<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $servername = "localhost";
    $username = "root";
    $password = "root";
    $dbname = "logreg";

    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    // Only the submitted username is read; $_POST['password'] is never used
    $user = $conn->real_escape_string(htmlspecialchars(trim($_POST['username'])));
    $query = "SELECT `username` FROM `users` WHERE `username` = '$user'";
    $result = $conn->query($query);

    // Any row at all means "logged in", regardless of the password
    if ($result->num_rows > 0) {
        header('Location:welcome.php');
        die();
    } else {
        $message = 'user does not exist';
    }
}
?>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Log In</title>
    <link type="text/css" rel="stylesheet" href="css/bootstrap.css"/>
    <link type="text/css" rel="stylesheet" href="css/bootstrap.min.css"/>
    <link type="text/css" rel="stylesheet" href="css/bootstrap-theme.css"/>
    <link type="text/css" rel="stylesheet" href="css/bootstrap-theme.min.css"/>
    <link type="text/css" rel="stylesheet" href="css/styles.css"/>
    <link href='http://fonts.googleapis.com/css?family=Open+Sans' rel='stylesheet' type='text/css'>
</head>
<body>
<div class="header">
    <div class="body">
        <div id="loginbox" class="mainbox col-md-6 col-md-offset-3 col-sm-8 col-sm-offset-2">
            <div class="panel">
                <div class="panel-heading">
                    <div class="panel-title"><h1>Sign In</h1></div>
                    <div style="float:right; font-size: 80%; position: relative; top:-10px"><a href="passreset.html">Forgot password?</a></div>
                </div>
                <div style="padding-top:30px" class="panel-body">
                    <div style="display:none" id="login-alert" class="alert alert-danger col-sm-12"></div>
                    <form id="loginform" class="form-horizontal" role="form" action="index.php" method="post" enctype="multipart/form-data">
                        <h4><?php if(isset($message)) : ?>
                            <div class="error"><?php echo $message; ?></div>
                        <?php endif; ?></h4>
                        <div style="margin-bottom: 25px" class="input-group">
                            <span class="input-group-addon"><i class="glyphicon glyphicon-user"></i></span>
                            <input id="username" type="text" class="form-control" name="username" value="" placeholder="username">
                        </div>
                        <div style="margin-bottom: 25px" class="input-group">
                            <span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span>
                            <input id="login-password" type="password" class="form-control" name="password" placeholder="password">
                        </div>
                        <div class="input-group">
                            <div class="checkbox">
                                <label>
                                    <input id="login-remember" type="checkbox" name="remember" value="1"> Remember me
                                </label>
                            </div>
                            <div style="margin-top:10px" class="form-group">
                                <!-- Button -->
                                <div class="col-sm-12 controls">
                                    <input type="submit" value="Log In">
                                </div>
                            </div>
                        </div>
                        <div class="form-group">
                            <div class="col-md-12 control">
                                <div style="border-top: 1px solid #888; padding-top:15px; font-size:85%">
                                    Don't have an account!
                                    <a href="register.html" onClick="$('#loginbox').hide(); $('#signupbox').show()">
                                        Sign Up Here
                                    </a>
                                </div>
                            </div>
                        </div>
                    </form>
                </div>
            </div>
        </div>
        <div style="border-top: 1px solid #999; padding-top:20px" class="form-group">
        </div>
    </div>
</div>
</body>
</html>
Answer 0 (score: 2)
Check the password:
$query = "SELECT `username`, `password` FROM `users` WHERE `username` = '$user' AND `password` = '$password'";
But I recommend storing the password as an encrypted string (please read the comments below).
So you would do this:
$password = function_that_encrypts($password);
$query = "SELECT `username`, `password` FROM `users` WHERE `username` = '$user' AND `password` = '$password'";
Use prepared statements or PDO with prepared statements; they are safer.
I suggest you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.
Answer 1 (score: 0)
The query you are using selects based on the username only. You also need to check the password by adding it to the WHERE clause.
Based on what you have, you need to do something like the following:
$user = $conn->real_escape_string(htmlspecialchars(trim($_POST['username'])));
$pass = $conn->real_escape_string(htmlspecialchars(trim($_POST['password'])));
$query = "SELECT `username`, `password` FROM `users` WHERE `username` = '$user' AND `password` = '$pass'";
Obviously, you need to run the password through whatever process you apply before storing it. I hope you are not storing passwords in plain text.
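Both answers point at the same two changes: compare the password, and do it with prepared statements against a hashed value rather than by interpolating escaped strings into SQL. The following is an added example, not code from the question or either answer; it assumes a `users` table with `username` and `password_hash` columns (the hash column name is an assumption) and the same mysqli connection settings as the question.

```php
<?php
// Added example: login check with a prepared statement and password_verify().
// Assumes a `users` table with `username` and `password_hash` columns.

function authenticate(mysqli $conn, string $username, string $password): bool
{
    // The username is bound as a parameter, so no escaping and no injection surface.
    $stmt = $conn->prepare('SELECT `password_hash` FROM `users` WHERE `username` = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();   // null/false when no row matched
    $stmt->close();
    if (!$found) {
        return false;          // unknown user
    }
    // password_verify() reads the salt and cost from the stored hash and compares
    // in constant time; an empty or wrong password never matches.
    return password_verify($password, $storedHash);
}

// Registration side: store password_hash() output, never the plaintext.
function createUser(mysqli $conn, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('INSERT INTO `users` (`username`, `password_hash`) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling, replacing the username-only check from the question.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $conn = new mysqli('localhost', 'root', 'root', 'logreg');
    if ($conn->connect_error) {
        die('Connection failed: ' . $conn->connect_error);
    }
    $user = trim($_POST['username'] ?? '');
    $pass = $_POST['password'] ?? '';   // do not trim or htmlspecialchars() a password
    if ($user !== '' && $pass !== '' && authenticate($conn, $user, $pass)) {
        session_start();
        session_regenerate_id(true);    // fresh session id after a successful login
        $_SESSION['user'] = $user;
        header('Location: welcome.php');
        exit;
    }
    $message = 'invalid username or password';   // same message for both failure cases
}
```

Returning one generic message for "no such user" and "wrong password" avoids confirming which usernames exist, which the original 'user does not exist' message leaks.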