我正在尝试使用SQL和PHP创建登录系统。我有一个标准数据库,有三个字段:用户名,密码和授权级别。出于某种原因,当我测试代码时,即使我使用具有正确凭据的正确访问级别,登录也会失败。在我将访问级别检查程序添加到PHP之前,代码已正常运行但现在它返回登录失败错误。
//If there are input validations, redirect back to the login form
if($errflag) {
$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
session_write_close();
header("location: login-test.php");
exit();
}
//Create query
$qry="SELECT * FROM members WHERE username='$username' AND password='$password'";
$result=mysql_query($qry);
$row = mysql_fetch_object($qry);
//Check whether the query was successful or not
if($result) {
if(mysql_num_rows($result) == 1 && $row->authlevel == "admin") {
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['username'];
$_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
$_SESSION['SESS_LAST_NAME'] = $member['username'];
session_write_close();
header("location: admin_index.php");
exit();
} else {
//Login failed
header("location: login-failed.php");
}
}else {
die("Query failed");
}
?>
答案 0 :(得分:2)
正如我在评论中所说,使用PDO或mysqli和准备好的陈述。有人可以把它放在
中 '; Select * from members where authLevel = "admin" limit 1 --
对于$username并以管理员身份登录。这就是为什么
SELECT * FROM members WHERE username=''; Select * from members where authLevel = "admin" limit 1 -- AND password='ababsdf'
这是您查询的内容,而--是MySql的评论方式,因此忽略了之后的任何内容。基本上我只是告诉它选择一个具有admin的authLevel用户并将其限制为一个结果。
<强>更新 至于答案有2种可能性,
1个authLevel错误,
2更有可能是您有重复的用户记录。所以行数检查失败
此外,admin与Admin或ADMIN或[space]admin的空格不同。 php中的字符串比较区分大小写。
无论条件是否失败,因此其中一个或两个项目都不正确。你所要做的就是这个
echo 'NumRows: '.mysql_num_rows($result);
echo "<br>\n";
echo 'AuthLevel: '.$row->authlevel;
告诉我们,只输出它们就应该变得相当明显。还要注释掉标题重定向(这样你就不会被踢到其他页面)
//header("location: login-failed.php"); -- un-comment when fixed.
对于authlevel你可能想把它包装在像这样的括号中
echo 'AuthLevel: ['.$row->authlevel.']';
为什么呢?因为如果是这样的话
[ admin]
然后你可以看到那里有空间或东西。在你的条件下做这件事并不是一个坏主意
if( strtolower( trim( $row->authlevel ) ) == 'admin' ...
PDO或mysqli真的没有那么难,你想要添加至少sha256的盐添加加密(或使用password_hash())基本上你的代码看起来像这样
$dsn = 'mysql:host=127.0.0.1;dbname=members;';
$user = 'db_user';
$password = '*******';
try {
$DB = new PDO($dsn, $user, $password);
} catch (PDOException $e) {
die('Connection failed: ' . $e->getMessage());
}
$qry="SELECT * FROM members WHERE username=:username"; ///( add field named salt, this is a random string )
//search only for username
///$DB is pdo database object
//prepare the sql, this 2 step process prevent sql injection by using a placeholder :username instead of the variable directly
$stmt = $DB->prepare( $qry );
//execute the statement with variables
$stmt->execute( array(':username' => $username ) );
//retrieve the result row as an object.
$row = $stmt->fetch( PDO::FETCH_OBJ );
//Check whether the query was successful or not
if($stmt->rowCount() == 1 ) {
if($row->authlevel == "admin") { //if it's not an admin no need to check password
if( sha256( $row->salt() . $password ) == $row->password ){
//Check password in php, db is case insensitive unless its a binary field.
//Login Successful ( obviously youll want to update the member to account for a better password )
.....
}else{
header("location: login-failed.php"); //change for bad password etc.
}
} else {
//Login failed
header("location: login-failed.php"); //change for invalid user level ( you do not have authorization to view this page ... etc. )
}
}else {
die("Query failed"); //change for username not found, or unknown username
}
http://php.net/manual/en/pdo.construct.php
http://php.net/manual/en/function.password-hash.php
除了PHP7之外的安全原因,mysql_ *函数已经消失,所以最好不要习惯使用它们。