如何创建用户个人资料链接?

时间:2016-02-06 23:48:40

标签: php

我有一个profile.php,它回应我想要的用户信息。在google上搜索并观看了一些教程之后,我陷入困境。我希望在我的网站上注册的每个用户都能获得一个配置文件(唯一),即每个人都可以访问。我计划使用的链接是example.com/user/id,其中“id”将替换为您要查看的用户个人资料的ID。

Register.php     

    // This if statement checks to determine whether the registration form has been submitted 
    // If it has, then the registration code is run, otherwise the form is displayed 
    if(!empty($_POST)) 
    { 
        // Ensure that the user has entered a non-empty username 
        if(empty($_POST['username'])) 
        { 
            // Note that die() is generally a terrible way of handling user errors 
            // like this.  It is much better to display the error with the form 
            // and allow the user to correct their mistake.  However, that is an 
            // exercise for you to implement yourself. 
            die("<div class='red'>Please enter a username.</div>"); 
        } 

        // Ensure that the user has entered a non-empty password 
        if(empty($_POST['password'])) 
        { 
            die("<div class='red'>Please enter a password.</div>"); 
        } 

        // Make sure the user entered a valid E-Mail address 
        // filter_var is a useful PHP function for validating form input, see: 
        // http://us.php.net/manual/en/function.filter-var.php 
        // http://us.php.net/manual/en/filter.filters.php 
        if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) 
        { 
            die("<div class='red'>Invalid E-Mail Address</div>"); 
        } 

        // We will use this SQL query to see whether the username entered by the 
        // user is already in use.  A SELECT query is used to retrieve data from the database. 
        // :username is a special token, we will substitute a real value in its place when 
        // we execute the query. 
        $query = " 
            SELECT 
                1 
            FROM users 
            WHERE 
                username = :username 
        "; 

        // This contains the definitions for any special tokens that we place in 
        // our SQL query.  In this case, we are defining a value for the token 
        // :username.  It is possible to insert $_POST['username'] directly into 
        // your $query string; however doing so is very insecure and opens your 
        // code up to SQL injection exploits.  Using tokens prevents this.
        // For more information on SQL injections, see Wikipedia: 
        // http://en.wikipedia.org/wiki/SQL_Injection 
        $query_params = array( 
            ':username' => $_POST['username'] 
        ); 

        try 
        { 
            // These two statements run the query against your database table. 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
        catch(PDOException $ex) 
        { 
            // Note: On a production website, you should not output $ex->getMessage(). 
            // It may provide an attacker with helpful information about your code.  
            die("<div class='red'>Failed to run query: </div>" . $ex->getMessage()); 
        } 

        // The fetch() method returns an array representing the "next" row from 
        // the selected results, or false if there are no more rows to fetch. 
        $row = $stmt->fetch(); 

        // If a row was returned, then we know a matching username was found in 
        // the database already and we should not allow the user to continue. 
        if($row) 
        { 
            die("<div class='red'>This username is already in use</div>"); 
        } 

        // Now we perform the same type of check for the email address, in order 
        // to ensure that it is unique. 
        $query = " 
            SELECT 
                1 
            FROM users 
            WHERE 
                email = :email 
        "; 

        $query_params = array( 
            ':email' => $_POST['email'] 
        ); 

        try 
        { 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
        catch(PDOException $ex) 
        { 
            die("<div class='red'>Failed to run query: </div>" . $ex->getMessage()); 
        } 

        $row = $stmt->fetch(); 

        if($row) 
        { 
            die("<div class='red'>This email address is already registered</div>"); 
        } 

        // An INSERT query is used to add new rows to a database table. 
        // Again, we are using special tokens (technically called parameters) to 
        // protect against SQL injection attacks. 
        $query = " 
            INSERT INTO users ( 
                username, 
                password, 
                salt, 
                email 
            ) VALUES ( 
                :username, 
                :password, 
                :salt, 
                :email 
            ) 
        "; 

        // A salt is randomly generated here to protect again brute force attacks 
        // and rainbow table attacks.  The following statement generates a hex 
        // representation of an 8 byte salt.  Representing this in hex provides 
        // no additional security, but makes it easier for humans to read.
        // For more information: 
        // http://en.wikipedia.org/wiki/Salt_%28cryptography%29 
        // http://en.wikipedia.org/wiki/Brute-force_attack 
        // http://en.wikipedia.org/wiki/Rainbow_table 
        $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 

        // This hashes the password with the salt so that it can be stored securely 
        // in your database.  The output of this next statement is a 64 byte hex 
        // string representing the 32 byte sha256 hash of the password.  The original 
        // password cannot be recovered from the hash.  For more information: 
        // http://en.wikipedia.org/wiki/Cryptographic_hash_function 
        $password = hash('sha256', $_POST['password'] . $salt); 

        // Next we hash the hash value 65536 more times.  The purpose of this is to 
        // protect against brute force attacks.  Now an attacker must compute the hash 65537 
        // times for each guess they make against a password, whereas if the password 
        // were hashed only once the attacker would have been able to make 65537 different  
        // guesses in the same amount of time instead of only one. 
        for($round = 0; $round < 65536; $round++) 
        { 
            $password = hash('sha256', $password . $salt); 
        } 

        // Here we prepare our tokens for insertion into the SQL query.  We do not 
        // store the original password; only the hashed version of it.  We do store 
        // the salt (in its plaintext form; this is not a security risk). 
        $query_params = array( 
            ':username' => $_POST['username'], 
            ':password' => $password, 
            ':salt' => $salt, 
            ':email' => $_POST['email'] 
        ); 

        try 
        { 
            // Execute the query to create the user 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
        catch(PDOException $ex) 
        { 
            // Note: On a production website, you should not output $ex->getMessage(). 
            // It may provide an attacker with helpful information about your code.  
            die("<div class='red'>Failed to run query:</div> " . $ex->getMessage()); 
        } 

        // This redirects the user back to the login page after they register 
        header("Location: /login"); 

        // Calling die or exit after performing a redirect using the header function 
        // is critical.  The rest of your PHP script will continue to execute and 
        // will be sent to the user if you do not die or exit. 
        die("Redirecting to /login"); 
    } 

?> 

的login.php

<?php 
    // This variable will be used to re-display the user's username to them in the 
    // login form if they fail to enter the correct password.  It is initialized here 
    // to an empty value, which will be shown if the user has not submitted the form. 
    $submitted_username = ''; 

    // This if statement checks to determine whether the login form has been submitted 
    // If it has, then the login code is run, otherwise the form is displayed 
    if(!empty($_POST)) 
    { 
        // This query retreives the user's information from the database using 
        // their username. 
        $query = " 
            SELECT 
                id, 
                username, 
                password, 
                salt, 
                email,
                bio,
                warnings,
                clan,
                timestamp,
                title,
            FROM users 
            WHERE 
                username = :username 
        "; 

        // The parameter values 
        $query_params = array( 
            ':username' => $_POST['username'] 
        ); 

        try 
        { 
            // Execute the query against the database 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
        catch(PDOException $ex) 
        { 
            // Note: On a production website, you should not output $ex->getMessage(). 
            // It may provide an attacker with helpful information about your code.  
            die("<div class='red'>Failed to run query: </div>" . $ex->getMessage()); 
        } 

        // This variable tells us whether the user has successfully logged in or not. 
        // We initialize it to false, assuming they have not. 
        // If we determine that they have entered the right details, then we switch it to true. 
        $login_ok = false; 

        // Retrieve the user data from the database.  If $row is false, then the username 
        // they entered is not registered. 
        $row = $stmt->fetch(); 
        if($row) 
        { 
            // Using the password submitted by the user and the salt stored in the database, 
            // we now check to see whether the passwords match by hashing the submitted password 
            // and comparing it to the hashed version already stored in the database. 
            $check_password = hash('sha256', $_POST['password'] . $row['salt']); 
            for($round = 0; $round < 65536; $round++) 
            { 
                $check_password = hash('sha256', $check_password . $row['salt']); 
            } 

            if($check_password === $row['password']) 
            { 
                // If they do, then we flip this to true 
                $login_ok = true; 
            } 
        } 

        // If the user logged in successfully, then we send them to the private members-only page 
        // Otherwise, we display a login failed message and show the login form again 
        if($login_ok) 
        { 
            // Here I am preparing to store the $row array into the $_SESSION by 
            // removing the salt and password values from it.  Although $_SESSION is 
            // stored on the server-side, there is no reason to store sensitive values 
            // in it unless you have to.  Thus, it is best practice to remove these 
            // sensitive values first. 
            unset($row['salt']); 
            unset($row['password']); 

            // This stores the user's data into the session at the index 'user'. 
            // We will check this index on the private members-only page to determine whether 
            // or not the user is logged in.  We can also use it to retrieve 
            // the user's details. 
            $_SESSION['user'] = $row; 

            // Redirect the user to the private members-only page. 
            header("Location: /"); 
            die("Redirecting to: /"); 
        } 
        else 
        { 
            // Tell the user they failed 
            print("<div class='red'>Login Failed.</div>"); 

            // Show them their username again so all they have to do is enter a new 
            // password.  The use of htmlentities prevents XSS attacks.  You should 
            // always use htmlentities on user submitted values before displaying them 
            // to any users (including the user that submitted them).  For more information: 
            // http://en.wikipedia.org/wiki/XSS_attack 
            $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); 
        } 
    } 

?> 

Profile.php

<!DOCTYPE html>
<html>
<head>
<!--START HEAD-->
    <?php include 'head.php'; ?>
    <link rel='stylesheet' type='text/css' href="/profile.css"/>

    <title><?php print htmlentities($_SESSION['user']['username'], ENT_QUOTES, 'UTF-8'); ?>'s profile</title>
<!--END HEAD-->
</head>
<body>
<!--START BODY-->
<?php
    // At the top of the page we check to see whether the user is logged in or not 
    if(empty($_SESSION['user'])) 
    { 
        include'navigationbar.php';
    } else {
        include'navigationbar2.php';
    }
?>
<!--MAIN CONTENT-->
<div class="movedown"></div>
<div class="content">

<!--MAIN PROFILE-->
<div class="username">
<?php if(empty($_SESSION['user']['clan'])){
    print "";
}else{
    print "[".htmlentities($_SESSION['user']['clan'], ENT_QUOTES, 'UTF-8')."]";} ?>


<?php print htmlentities($_SESSION['user']['username'], ENT_QUOTES, 'UTF-8'); ?>
<div class="fr">ID: <?php print htmlentities($_SESSION['user']['id'], ENT_QUOTES, 'UTF-8'); ?></div></div>
<div class="spacing"></div>


<div class="fl">
<!--AVATAR-->
<div class="avatarback">
    <div class="avatar"><img src="/profile/avatar/default.jpg" width="180px"/></div>
</div>



<!--TITLES / SIGNS-->
<div class="signs"><br/>
    <div class="title"><div class="fl">Title:       </div>
<div class="fr"><?php print htmlentities($_SESSION['user']['title'], ENT_QUOTES, 'UTF-8'); ?>       </div></div><!--TITLE-->
        <div class="spacing"></div>


    <div class="warnings"><div class="fl">Warnings: </div>
<div class="fr"><?php print htmlentities($_SESSION['user']['warnings'], ENT_QUOTES, 'UTF-8'); ?>    </div></div><!--WARNINGS-->
        <div class="spacing"></div> 


    <div class="joined"><div class="fl">Joined:     </div>
<div class="fr"><?php print htmlentities($_SESSION['user']['timestamp'], ENT_QUOTES, 'UTF-8'); ?>   </div></div><!--JOINED-->
</div>
</div>



<div class="padding"></div>

<!--BIO-->
<div class="bioback">
<?php if(empty($_SESSION['user']['bio'])){
    print "This user has not set any bio yet...";
}else{
    print htmlentities($_SESSION['user']['bio'], ENT_QUOTES, 'UTF-8');} ?>
</div>


<!--SETTINGS TAB-->
<div class="etc-back">
<div><a href="/messages">Message</a></div>
    <div class="spacing2"></div>    
<div><a href="/settings">Settings</a></div>
    <div class="spacing2"></div>    
<div><a href="/adminpanel">AdminPanel</a></div>
</div>
<br/>
<br/>

<div class="padding"></div>
<div class="email">
<div class="fl">E-mail:</div><div class="fr"><?php print htmlentities($_SESSION['user']['email'], ENT_QUOTES, 'UTF-8'); ?></div>
</div>



<div class="spacing"></div>
<div class="padding"></div>
<div class="email">
<div class="fl">Website:</div><div class="fr"><?php print "<a href='". htmlentities($_SESSION['user']['website'], ENT_QUOTES, 'UTF-8')."'>".htmlentities($_SESSION['user']['website'], ENT_QUOTES, 'UTF-8')."</a>"; ?></div>
</div>


<div class="spacing"></div>
<div class="padding"></div>
<div class="email">
<div class="fl">Clan Page:</div><div class="fr"><?php if(empty($_SESSION['user']['clanpage'])){
    print "No Clan Page Found!";
}else{
    print htmlentities($_SESSION['user']['clanpage'], ENT_QUOTES, 'UTF-8');} ?></div>
</div>


</div>
</body>
</html>

0 个答案:

没有答案