我的登录页面有问题。在我的注册页面中,我询问用户他/她是学生还是教师。这被放入数据库'dbuploaden'。当用户想要登录时,我需要从数据库中获取该信息,因为学生可以看到与教师不同的主页。
这里的问题是,当我按下“登录”按钮时,我的页面似乎刷新了,并没有给我一个错误或任何东西。这是我使用的PHP代码:
<?php
session_start();
include_once 'connection.php';
if(isset($_SESSION['user'])!="")
{
//header("Location: home.php");
}
if(isset($_POST['btn-login']))
{
$email = mysql_real_escape_string($_POST['email']);
$upass = mysql_real_escape_string($_POST['pass']);
$res=mysql_query("SELECT * FROM tblgebruikers WHERE email='$email'");
$row=mysql_fetch_array($res);
if($row['password']==md5($upass))
{
if(mysql_query("SELECT * FROM tblgebruikers WHERE soortgebruiker = student")=="student")
{
die('Following connection error has occured: '.mysql_error());
$_SESSION['user'] = $row['gebruiker_id'];
header("Location: index.php");
}
if(mysql_query("SELECT * FROM tblgebruikers WHERE soortgebruiker = docent")=="docent")
{
die('Following connection error has occured: '.mysql_error());
$_SESSION['user'] = $row['gebruiker_id'];
header("Location: index2.php");
}
}
if($row['password']!=md5($upass))
{
echo "Foute gegevens. Probeer opnieuw.";
}
}
?>
由于
答案 0 :(得分:0)
我开始从事网络编程,很少甚至没有培训,当然也没有教师可以指导我。一旦他们已经掌握了寻找答案的地方以及如何阅读文档,很多人会比较容易学习。
首先,请,请使用mysqli函数而不是mysql函数。此扩展程序已更新,原因很简单。或者,更好的是,使用PDO或其他此类适配器,以便您的代码更安全,更容易编写和维护,如果您决定超越这一项任务。
另外,参数化查询!现在就开始使用它们,忘记mysql_real_escape_string。
其次,请查看为什么使用md5哈希进行密码存储是一个坏主意。即使是这样的作业,你也应该采用安全和标准的编码方法,以便在你前进的过程中养成良好的习惯。
我已删除了'connection.php'文件的用法,并对数据库的结构做了一些假设,以便为您提供可用的代码片段。您可以使用下面的代码优化和改进许多方面,但它确实可以达到预期的效果。
<?php
session_start();
//make sure you never do this in production
//you should store your connection usernames and passwords outside the web root
//to make unintentional disclosure of them harder
$mysqli = new mysqli( 'localhost', 'username', 'password', 'dpuploaden' );
if( mysqli_connect_errno() ){
//in real production code, this would be insecure as you shouldn't give away error information
//that could allow an attacker to gain more knowledge about your systems if at all possible
exit( printf( "Kan geen verbinding met de database: %s\n", mysqli_connect_error() ) );
}
if( isset( $_POST[ 'btn-login' ] ) ){
$email = $_POST[ 'email' ];
$upass = $_POST[ 'pass' ];
$id = NULL;
$password = NULL;
$soortgebruiker = NULL;
if( $stmt = $mysqli->prepare( 'SELECT `gebruiker_id`, `password`, `soortgebruiker` FROM `tblgebruikers` WHERE `email` = ?' ) ){
$stmt->bind_param( 's', $email );
$stmt->execute();
$stmt->bind_result( $id, $password, $soortgebruiker );
$stmt->fetch();
$stmt->close();
//please do not ever use md5 has a password hashing solution in real code
//look up the php function password_hash, or if you have PHP < 5.5.0 bcrypt
//for their proper usage, or better yet, seek out a library that implements
//this kind of login code and just use it
//roll your own is always a bad idea when it comes to security and, even with
//a lot of experience and information under your belt, it is all too easy to make mistakes
if( $row[ 'password' ] === md5( $upass ) ){
$_SESSION[ 'user' ] = $id;
$_SESSION[ 'soortgebruiker' ] = $soortgebruiker;
}
else
exit( "Foute gegevens. Probeer opnieuw." );
}
else{
exit( 'Fout retrieveing informatie.' );
}
}
if( isset( $_SESSION[ 'user' ] ) && $_SESSION[ 'user' ] != '' ){
if( $_SESSION[ 'soortgebruiker' ] === 'student' ){
header( "Location: index.php" );
exit;
}
else if( $_SESSION[ 'soortgebruiker' ] === 'docent' ){
header( "Location: index2.php" );
exit;
}
}
//output login page here
?>