如何从数据库中获取特定值并根据该值与PHP进行比较?

时间:2016-05-30 18:14:57

标签: php

我的登录页面有问题。在我的注册页面中,我询问用户他/她是学生还是教师。这被放入数据库'dbuploaden'。当用户想要登录时,我需要从数据库中获取该信息,因为学生可以看到与教师不同的主页。

这里的问题是,当我按下“登录”按钮时,我的页面似乎刷新了,并没有给我一个错误或任何东西。这是我使用的PHP代码:

<?php
session_start();
include_once 'connection.php';

if(isset($_SESSION['user'])!="")
{
//header("Location: home.php");
}
if(isset($_POST['btn-login']))
{
$email = mysql_real_escape_string($_POST['email']);
$upass = mysql_real_escape_string($_POST['pass']);
$res=mysql_query("SELECT * FROM tblgebruikers WHERE email='$email'");
$row=mysql_fetch_array($res);

if($row['password']==md5($upass))
{
if(mysql_query("SELECT * FROM tblgebruikers WHERE soortgebruiker =       student")=="student")
 {  
 die('Following connection error has occured: '.mysql_error());
 $_SESSION['user'] = $row['gebruiker_id'];
 header("Location: index.php");
 }
if(mysql_query("SELECT * FROM tblgebruikers WHERE soortgebruiker =   docent")=="docent")
 {  
 die('Following connection error has occured: '.mysql_error());   
 $_SESSION['user'] = $row['gebruiker_id'];
 header("Location: index2.php");
 }
 }
 if($row['password']!=md5($upass))
 {
 echo "Foute gegevens. Probeer opnieuw.";
 }
 }

?>

由于

1 个答案:

答案 0 :(得分:0)

我开始从事网络编程,很少甚至没有培训,当然也没有教师可以指导我。一旦他们已经掌握了寻找答案的地方以及如何阅读文档,很多人会比较容易学习。

首先,请,请使用mysqli函数而不是mysql函数。此扩展程序已更新,原因很简单。或者,更好的是,使用PDO或其他此类适配器,以便您的代码更安全,更容易编写和维护,如果您决定超越这一项任务。

另外,参数化查询!现在就开始使用它们,忘记mysql_real_escape_string

,这将是一个美好的世界

其次,请查看为什么使用md5哈希进行密码存储是一个坏主意。即使是这样的作业,你也应该采用安全和标准的编码方法,以便在你前进的过程中养成良好的习惯。

我已删除了'connection.php'文件的用法,并对数据库的结构做了一些假设,以便为您提供可用的代码片段。您可以使用下面的代码优化和改进许多方面,但它确实可以达到预期的效果。

<?php
session_start();
//make sure you never do this in production
//you should store your connection usernames and passwords outside the web root
//to make unintentional disclosure of them harder
$mysqli = new mysqli( 'localhost', 'username', 'password', 'dpuploaden' );

if( mysqli_connect_errno() ){
    //in real production code, this would be insecure as you shouldn't give away error information
    //that could allow an attacker to gain more knowledge about your systems if at all possible
    exit( printf( "Kan geen verbinding met de database: %s\n", mysqli_connect_error() ) );
}

if( isset( $_POST[ 'btn-login' ] ) ){
    $email = $_POST[ 'email' ];
    $upass = $_POST[ 'pass' ];
    $id = NULL;
    $password = NULL;
    $soortgebruiker = NULL;

    if( $stmt = $mysqli->prepare( 'SELECT `gebruiker_id`, `password`, `soortgebruiker` FROM `tblgebruikers` WHERE `email` = ?' ) ){
        $stmt->bind_param( 's', $email );
        $stmt->execute();
        $stmt->bind_result( $id, $password, $soortgebruiker );
        $stmt->fetch();
        $stmt->close();

        //please do not ever use md5 has a password hashing solution in real code
        //look up the php function password_hash, or if you have PHP < 5.5.0 bcrypt
        //for their proper usage, or better yet, seek out a library that implements
        //this kind of login code and just use it
        //roll your own is always a bad idea when it comes to security and, even with
        //a lot of experience and information under your belt, it is all too easy to make mistakes
        if( $row[ 'password' ] === md5( $upass ) ){
            $_SESSION[ 'user' ] = $id;
            $_SESSION[ 'soortgebruiker' ] = $soortgebruiker;
        }
        else
            exit( "Foute gegevens. Probeer opnieuw." );
    }
    else{
        exit( 'Fout retrieveing ​​informatie.' );
    }
}

if( isset( $_SESSION[ 'user' ] ) && $_SESSION[ 'user' ] != '' ){
    if( $_SESSION[ 'soortgebruiker' ] === 'student' ){
        header( "Location: index.php" );
        exit;
    }
    else if( $_SESSION[ 'soortgebruiker' ] === 'docent' ){
        header( "Location: index2.php" );
        exit;
    }
}

//output login page here
?>