使用php和mysql登录系统?卡住了,不会工作

时间:2014-12-10 14:58:13

标签: php html mysql

我已经创建了一个使用会话启动的登录系统并将其放到我的网站上,但是即使没有输入任何内容并且将它们添加到数据库中它只是看起来任何人,这个代码有什么问题?我甚至无法验证它的工作它出现空白并仍然登录.connection.php包括session_start()和数据库连接

loginform.php 

<link rel="stylesheet" href="homecss.css"/>
<div id="form">
<h2>Login</h2>
<form method="post" action="loginSubmit.php">
User Name: <br/>
<input type="name" name="username" type="text" /><br />
Password: <br/>
<input id="password" name="password" type="password" /><br />
<input type="submit" name="logsubmit" value="Login" />
</form></div>

的login.php 

<link rel="stylesheet" href="homecss.css"/>
<?php
include './connection.php';
?>
<div id="form">
<?php

if(!isset($_SESSION['authenticatedusername'])){
include './loginform.php'; 
if (!empty($_POST["username"])) {
echo "Username is required";
}
if (!empty($_POST["password"])) {
echo "Password is required";
}
}
else{  
echo 'welcome   '. $_SESSION['authenticatedusername'];
echo '<br/><a href ="logout.php"> logout </a>';
echo '<br/><a href ="account.php"> My account </a>';

}

if (isset($_SESSION['message'])){
echo $_SESSION['message']="login failed";
}

?>
</div>

loginsubmit.php 

<?php
include "./connection.php";
if(isset($_POST['logsubmit'])){
$user=$_POST['username'];
$pass=$_POST['password'];
$query= "SELECT * FROM users WHERE user_name='$user' AND user_password='$pass'";
$result=mysqli_query($connection, $query);

if ($row = mysqli_fetch_assoc($result)){
$_SESSION['authenticatedusername']=$user;
header ("Location: homepage.php");

} else{
echo 'Login Failed';
header("Location: homepage.php");
}
}

2 个答案:

答案 0 :(得分:1)

你可以让它变得更简单:

首页无需包含连接,显示表单或注销按钮:

<?php
session_start();//move this to the top of the page
if(!isset($_SESSION['authenticatedusername'])){
    include './loginform.php'; 
}
else{  
    echo '<br/><a href ="logout.php"> logout </a>';
    echo '<br/><a href ="account.php"> My account </a>';
}

<强> loginSubmit.php

使用prepared语句,以避免SQL注入

<?php
session_start();
include './connection.php';
if(isset($_POST['logsubmit'], $_POST['username'], $_POST['password'])){
    /* check connection */
    if (mysqli_connect_errno()) {
        printf("Connect failed: %s\n", mysqli_connect_error());
        exit();
    }
    /* query*/
    $sql = "SELECT user_name, user_password 
            FROM users 
            WHERE user_name=? AND user_password=?";
    /* create a prepared statement */
    if ($stmt = mysqli_prepare($connection, $sql)) {
        /* bind parameters for markers */
        mysqli_stmt_bind_param($stmt, "ss", $_POST['username'], $_POST['password']);
        /* execute query */
        mysqli_stmt_execute($stmt);
        /*check for count*/
        if ($row = mysqli_num_rows($stmt) >0){
            /* bind result variables */
            mysqli_stmt_bind_result($stmt, $district);
            /* fetch value */
            mysqli_stmt_fetch($stmt);   
            //printf("username = %s | password = %s\n", $username, $password);
            $_SESSION['authenticatedusername'] = $username;
        }else{
            echo "user not found";
        }
        /* close statement */
        mysqli_stmt_close($stmt);
    }
    /* close connection */
    mysqli_close($connection);

    if (isset($_SESSION['authenticatedusername'])){
        header ("Location: homepage.php");
    } else{
        header ("Location: login.php");//go back to login
        //you can send errors back or do something.
    }
}

如果您正在寻求改进,请不要以明文形式存储密码。

阅读Safe Password Hashing

相反,您创建了一个存储Hashes的字段,您可以像这样填充它:

$hash = password_hash($_POST['password'], PASSWORD_DEFAULT);

你可以使用自己的盐,但这很好:

然后当你查询时检查一下:

#get hash value from db and store it in $hash
if (password_verify($_POST['password'], $hash)) {
    // Success!
}
else {
    // Fail !
}

最后的建议如果你想改进,可以使用mysqli的面向对象样式,并使用函数和类。请阅读OOP。

你可以看看PDO (PHP Data Objects)。它更容易使用,更灵活。

答案 1 :(得分:0)

您的loginform.php与默认相同

  

loginsubmit.php 

<?php
 include "./connection.php";
 if(isset($_POST['logsubmit'])){
    $user=$_POST['username'];
    $pass=$_POST['password'];
    $query= "SELECT * FROM users WHERE user_name='".$user."' AND user_password='".$pass."'";
    $result=mysqli_query($connection, $query);

    if($result != ''){
    $_SESSION['authenticatedusername']=$user;
       header ("Location: homepage.php");
    } else{
       echo 'Login Failed';
       header("Location: homepage.php");
    }
}
?>
  

homepage.php 

<?php
session_start();
if($_SESSION['authenticatedusername'] == ''){
    header('Location:loginform.php'); 
}
else{  
    echo '<br/><a href ="logout.php"> logout </a>';
    echo '<br/><a href ="account.php"> My account </a>';
}
?>
  

logout.php 

<?php
ob_start();
session_start();
session_destroy();
header('Location:loginform.php');
exit();
?>
相关问题
最新问题