Question

我是PHP和StackOverflow的初学者！我试图为我的应用程序创建一个登录功能，但这似乎不起作用......

function login($user, $password)
{
    $db = new mysqli('127.0.0.1', 'root', 'raspberry', 'extranet');
    $db->set_charset('utf8');
    $token = '';
    if (isset($user) && isset($password) && !isset($_SESSION))
    {
        $query = $db->prepare('SELECT * FROM users WHERE USERNAME = ? AND PASSWORD = ?');
        $query->bind_param($user, $password);
        $res = $query->execute();
        if (mysqli_num_rows($res) != 0)
        {
            $_SESSION['user'] = $user;

            $token = rand(85765, 650000);
            $query = $db->prepare('INSERT INTO tokens VALUES(null, ?, ?);');
            $query->bind_param($user, $token);
            $query->execute();

            $_SESSION['token'] = $token;
        } else {
            $_SESSION['token'] = 0;
        }

        return $_SESSION['token'];
    } else if (isset($_SESSION['token']) && $_SESSION['token'] != 0 && isset($_SESSION['user']))
    {
        $query = $db->prepare('SELECT * FROM tokens WHERE USERNAME = ? AND TOKEN = ?');
        $query->bind_param($_SESSION['user'], $_SESSION['token']);
        $res = $query->execute();
        if (mysqli_num_rows != 0)
        {
            return true;
        } else
        {
            return false;
        }
    } else
    {
        return false;
    }
}

你能告诉我这是什么问题。？好！ P-S：请原谅我的英语水平，我只是一个法国人

Answer 1

$query = $db->prepare('SELECT * FROM users WHERE USERNAME = ? AND PASSWORD = ?');
$query->bind_param($user, $password);

您在这里存储明文密码。看看PHP的password hashing features。

$token = rand(85765, 650000);

我非常确定您的整个令牌系统是不必要的，但即使它不是don't use rand()。

登录功能PHP SHA1

1 个答案: