Question

我是PHP编程的新手，并且有一个简单的程序，我有一个索引页面，可以接受用户名和密码。如果用户不存在或提供了错误的凭据，那么我想再次显示索引页面并显示错误消息。以下是我目前在index.html上的内容：

<!DOCTYPE html>
<html lang="en">

<head>

    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="description" content="">
    <meta name="author" content="Bella" >

    <title>Company Name - Log In</title>

    <!-- Bootstrap Core CSS -->
    <link href="css/bootstrap.min.css" rel="stylesheet">

    <!-- Custom CSS -->
    <link href="css/custom.css" rel="stylesheet">

    <!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
    <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
    <!--[if lt IE 9]>
        <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
        <script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script>
    <![endif]-->

</head>

<body>

    <div id="fullscreen_bg" class="fullscreen_bg"/>

<div class="container">

    <form class="form-signin" action="loginAction.php" method="post">
        <h1 class="form-signin-heading text-muted">Log In</h1>
        <input type="text" name="email" class="form-control" placeholder="Email address" required="" autofocus="">
        <input type="password" name="password" class="form-control" placeholder="Password" required="">
        <button class="btn btn-lg btn-primary btn-block" type="submit">
            Log In
        </button>
    <a href="register.html" class="btn btn-md btn-warning btn-block">Register</a>       
    </form>

</div>
    <!-- /.container -->

    <!-- jQuery -->
    <script src="js/jquery.js"></script>

    <!-- Bootstrap Core JavaScript -->
    <script src="js/bootstrap.min.js"></script>

    <!-- Script to Activate the Carousel -->
    <script>
    $('.carousel').carousel({
        interval: 5000 //changes the speed
    })
    </script>

</body>

</html>

我的LoginAction.php是：

<?php

ini_set('display_errors',1);
error_reporting(E_ALL);

//Set the Post results to variables
$email = $_POST("email");
$password = md5($_POST("password"));

//Get the database username, passwords, etc.
include('config.php');

// Create connection with the server
$conn = mysqli_connect($servername, $username, $password, $dbname);

// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

//Check for user
$sql = "SELECT * FROM users WHERE  email=" . $email . " AND password=" . $password . "";
$result = mysqli_query($conn, $sql);

if (mysqli_num_rows($result) > 0) {
    // output data of each row
    while($row = mysqli_fetch_assoc($result)) {
          mysqli_close($conn);
          session_start();
          $_SESSION['email'] = $row['email'];
          $_SESSION['id'] = $row['id'];
          $_SESSION['admin'] = true; //user is authenticated and the user is admin
          header"portal.php"; //redirect to another page

    }
} 
else {
    mysqli_close($conn);
    echo "<div class='alert alert-warning'>No User Found</div>";
    //header("Location: http://example.com/myOtherPage.php");
    //header"portal.php"; //redirect to another page
   include"index.html";
}

?>

目前显示空白的LoginAction.php

Answer 1

首先，我建议您使用会话将session_start();放在所有文件的顶部。

如果DB中出现错误，它会抛出已发送通知的标头，因为这会被视为outputting before header。

您的值仍然缺少引号

$sql = "SELECT * FROM users WHERE  email=" . $email . " AND password=" . $password . "";
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

其中应为：

$sql = "SELECT * FROM users WHERE  email= '" . $email . "' AND password= '" . $password . "'";

使用错误检查后，会抛出语法错误。

您还提前关闭了连接：

while($row = mysqli_fetch_assoc($result)) {
          mysqli_close($conn);
          ^^^^^^^^^^^^^^^^^^^^

我建议您删除它（MySQL会在查询完成后自动关闭它），或者在代码执行后移动它。

然后这些：

$email = $_POST("email");
$password = md5($_POST("password"));

那些应该是方括号。

$email = $_POST["email"];
$password = md5($_POST["password"]);

使用以下方法检查错误：

$result = mysqli_query($conn, $sql) or die(mysqli_error($conn));

http://php.net/manual/en/mysqli.error.php

关于MD5的旁注。

这是一种陈旧且不安全的散列方法。阅读以下有关它的文章：

我建议您使用CRYPT_BLOWFISH或PHP 5.5＆＃39 {s} password_hash()功能。对于PHP＆lt; 5.5使用password_hash() compatibility pack。

另外，我还建议您使用mysqli with prepared statements或PDO with prepared statements，他们更安全。

您现有的代码向SQL injection开放。

header"portal.php";

缺少＆＃34;位置：＆＃34;和括号：

header("Location: portal.php");

根据手册：

http://php.net/manual/en/function.header.php

并在每个标头后添加exit;。否则，您的代码将继续执行。

Answer 2

您发布变量，不应该是以下内容：

$email = $_POST["email"];
$password = md5($_POST["password"]);

Answer 3

你的“别人”应该是这样的：

[...]
else{
  mysqli_close($conn);
  echo "<div class='alert alert-warning'>No User Found</div>";
  header("Location: http://localhost/yourProject/index.html"); // here you have to put the correct url for your index.html
}

单击按钮时重定向PHP

3 个答案: