我想建立一个拥有安全登录页面的网站(无需注册,我通过数据库添加用户)。登录后,它只是一个过滤器,显示来自JSON文件的一些数据,就像在电子商务网站上过滤产品一样。 因为我是初学者,所以我正在学习,当时我很熟悉Bootstrap,JQuery和HTML交互,我学得很快,所以请原谅我可能非常愚蠢的错误。
因为我喜欢Bootstrap& JQuery我放弃使用PHP从MySQL DB获取主网站的数据,所以我现在只将它用于登录表单。我希望它是安全的,我不知道我是如何从这里实现的:http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL
现在我对PHP和JS的交互方式没有什么困难。这是我的index.php文件:
<?php
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start();
if (login_check($mysqli) == true) {
$logged = 'in';
} else {
$logged = 'out';
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Secure Login: Log In</title>
<script type="text/JavaScript" src="js/sha512.js"></script>
<script type="text/JavaScript" src="js/forms.js"></script>
<link href="css/bootstrap.css" media="screen" rel="stylesheet" type="text/css">
<link href="css/index.css" media="screen" rel="stylesheet" type="text/css">
<link href="css/jquery-ui-1.10.2.custom.min.css" media="screen" rel="stylesheet" type="text/css">
<script src="js/jquery-1.11.1.min.js" type="text/javascript"></script>
<script src="js/jquery-ui-1.10.2.custom.min.js" type="text/javascript"></script>
<script src="js/bootstrap.js" type="text/javascript"></script>
<script src="js/login.js" type="text/javascript"></script>
</head>
<body>
<?php
/*
if (isset($_GET['error'])) {
echo '<p class="error">Error Logging In!</p>';
}
*/ ?>
<div class="container">
<div class="row">
<div class="col-sm-6 col-md-4 col-md-offset-4">
<div class="panel">
<h1 class="text-center login-title">Log in</h1>
<form class="form-signin" action="includes/process_login.php" method="post" name="login_form">
<input type="text" name="email" class="form-control" placeholder="User" required autofocus>
<input type="password" name="password" id="password" class="form-control" placeholder="Parola" required>
<button class="btn btn-lg btn-primary btn-block" type="submit" >
Login</button>
</form>
</div>
</div>
</div>
</div>
<div class="userpass-error">
<div class="col-sm-6 col-md-4 col-md-offset-4 alert alert-danger">
<a href="#" class="close" data-dismiss="alert">×</a>
Wrong username and password!
</div>
</div>
</body>
</html>
这是登录部分,正如我从教程中所做的那样:
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
FROM members
WHERE email = ?
LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
现在我的问题是隐藏了索引文件中的警告userpass-wrong,我希望在用户名/密码组合错误时显示它。基本上是在:
之后// Password is not correct
// We record this attempt in the database
我想添加类似:$('.userpass-error').show();
现在代码没有执行,我已经搜索了它应该如何完成,但每个答案都非常不同,人们在推荐不同的方法。使用echo“......”似乎是最受欢迎的,但有些人反对它。
对我来说,最好的方法是什么?