php密码验证覆盖功能返回false

时间:2017-01-12 20:31:09

标签: php mysql authentication passwords

我正在尝试创建覆盖功能,其中用户键入现有登录凭据,验证是否返回与这些凭据匹配的结果行​​,然后验证用户是否已为其分配覆盖角色。如果两个MySQL语句都返回true,我想运行最终查询以从编码表中删除一行。

使用我当前的代码,程序传递第一个if语句并运行第二个SELECT语句。然后,它似乎运行第二个if移动到第三个SELECT语句。但是,在第三个if语句中,DELETE语句不成功。

我想我有几个问题:

  • 我不知道我是否正确比较了密码。

  • 问题可能是由嵌套的if语句引起的吗?

  • 我的问题是'if($ result1){...}'(假设只要SELECT语句成功运行并返回0结果,result1将返回true)?

无论哪种方式,我都不完全确定解决(se)问题的最佳方法。

注意::通过测试,我已确认:

  • 我的变量成功$ _POSTing和正确的数据类型。

  • 仅使用第一个if / else语句,即使输入的凭据不正确,警报响应也始终是“成功”结果。

所有帮助表示赞赏!!

我的代码:

PHP:

<?php

include('[db connection page]');

if ((isset($_POST['overrideUsername'])) and (isset($_POST['overridePassword'])) and (isset($_POST['overrideUniqueID']))) {

    $overrideUsername = $_POST['overrideUsername'];
    $overridePassword = $_POST['overridePassword'];
    $overrideUniqueID = $_POST['overrideUniqueID'];




    //connect  to the database 
    $conn = new mysqli($servername, $username, $password, $dbname);

    // Check connection
    if(mysqli_connect_errno() ) {
        printf('Could not connect: ' . mysqli_connect_error());
        exit();
    }

    $conn->select_db($dbname);

    if(! $conn->select_db($dbname) ) {
        echo 'Could not select database. '.'<BR>';
    }

    $sql1 = "SELECT * FROM users WHERE (users.login = \"".mysqli_real_escape_string($overrideUsername)."\") AND (users.password = ENCODE(\"".mysqli_real_escape_string(overridePassword)."\",\"".mysqli_real_escape_string(ENCRYPTION_SEED)."\"))";

    $result1 = $conn->query($sql1); 

    if ($result1) {

        $sql2 = "SELECT * FROM users INNER JOIN rolestousers ON (users.id=rolestousers.userid) WHERE (users.login = \"".mysqli_real_escape_string($overrideUsername)."\") AND (users.password =ENCODE(\"".mysqli_real_escape_string(overridePassword)."\",\"".mysqli_real_escape_string(ENCRYPTION_SEED)."\")) AND (rolestousers.roleid = '154')";

        $result2 = $conn->query($sql2);      

        if ($result2) {

            $sql3 = "DELETE * FROM locator_time_track_out WHERE locator_time_track_out.uniqueid = '.$overrideUniqueID'";

            $result3 = $conn->query($sql3); 


            if ($result3) {

                echo 'Override Successful! Please scan the unit again to close it out.';

            } else {

                echo 'Could Not Delete Record from the Table.';

            }//End $sql3 num_rows if.

        } else {

            echo 'User does not have override permission. Please contact the IT Department.';

        }//End $sql2 num_rows if.

    } else {

        echo 'Your login information is incorrect. Please try again. If the issue persists, contact the IT Department.';

    }//End $sql1 num_romws if.

 //Free the result variable. 
   $result1->free();
   $result2->free();
   $result3->free();


 //Close the Database connection.
   $conn->close();


}//End If statement

更新:

这是我最初用于覆盖功能的代码文件。但是,它当然无法输入错误的密码...... 

 include('[db connection file name');

 if ((isset($_POST['overrideUsername'])) and (isset($_POST['overridePassword'])) and (isset($_POST['overrideUniqueID']))) {

    $overrideUsername = $_POST['overrideUsername'];
    $overridePassword = $_POST['overridePassword'];
    $overrideUniqueID = $_POST['overrideUniqueID'];

    //connect  to the database 
    $conn = new mysqli($servername, $username, $password, $dbname);

    // Check connection
    if(mysqli_connect_errno() ) {
        printf('Could not connect: ' . mysqli_connect_error());
        exit();
    }

    $conn->select_db($dbname);

    if(! $conn->select_db($dbname) ) {
        echo 'Could not select database. '.'<BR>';
    }

    $sql1 = "SELECT * FROM users WHERE (users.login = ?) AND (users.password = ?)";

    $stmt1 = $conn->prepare($sql1);
    $stmt1->bind_param('ss', $overrideUsername, $overridePassword);
    $stmt1->execute();
    $stmt1->store_result();     

    if ($stmt1->num_rows == 1) {

        $sql2 = "SELECT * FROM users INNER JOIN rolestousers ON (users.id=rolestousers.userid) WHERE (users.login = ?) AND (users.password = ?) AND (rolestousers.roleid = '154')";

        $stmt2 = $conn->prepare($sql2);
        $stmt2->bind_param('ss', $overrideUsername, $overridePassword);
        $stmt2->execute();
        $stmt2->store_result();     

        if ($stmt2->num_rows == 1) {

            $sql3 = "DELETE * FROM locator_time_track_out WHERE locator_time_track_out.uniqueid = ?";

            $stmt3 = $conn->prepare($sql2);
            $stmt3->bind_param('s', $overrideUniqueID);
            $stmt3->execute();
            $stmt3->store_result();     

            if ($stmt3->num_rows == 1) {

                echo 'Override Successful! Please scan the unit again to close it out.';

            } else {

                echo 'Could Not Delete Record from the Table.';

            }//End $sql3 num_rows if.

        } else {

            echo 'User does not have override permission. Please contact the IT Department at ext. 0102.';

        }//End $sql2 num_rows if.

    } else {

        echo 'Your login information is incorrect. Please try again. If the issue persists, contact the IT Department at ext. 0102.';

    }//End $sql1 num_romws if.


//Free the result variable. 
  $stmt1->free();
  $stmt2->free();
  $stmt3->free();



//Close the Database connection.
 $conn->close();


}//End If statement

0 个答案:

没有答案
相关问题
最新问题