我有一个基于xamp的网络服务器,我安装了考勤系统,我有10个用户注册,通过单独登录进入他们的出勤...问题是在登录页面接受任何密码,并没有给出密码错误的错误。就像你输入用户名john@abcd.com&密码gfjhgh接受并输入到索引页面,原始密码是123456但是它接受你键入的每一个东西。请告诉我如何解决。它应该说您输入了错误的密码而无法登录。
代码如下:
// Account Log In
if (isset($_POST['submit']) && $_POST['submit'] == 'signIn') {
if($_POST['emailAddy'] == '') {
$msgBox = alertBox($accEmailReq, "<i class='fa fa-times-circle'></i>", "danger");
} else if($_POST['password'] == '') {
$msgBox = alertBox($accPassReq, "<i class='fa fa-times-circle'></i>", "danger");
} else {
$usrEmail = htmlspecialchars($_POST['emailAddy']);
$check = "SELECT userId, userFirst, userLast, isActive FROM users WHERE userEmail = '".$usrEmail."'";
$res = mysqli_query($mysqli, $check) or die('-1' . mysqli_error());
$row = mysqli_fetch_assoc($res);
$count = mysqli_num_rows($res);
if ($count > 0) {
// If the account is Active - Allow the login
if ($row['isActive'] == '1') {
$userEmail = htmlspecialchars($_POST['emailAddy']);
$password = encodeIt($_POST['password']);
if($stmt = $mysqli -> prepare("
SELECT
userId,
userEmail,
userFirst,
userLast,
location,
superUser,
isAdmin
FROM
users
WHERE
userEmail = ?
AND password = ?
")) {
$stmt -> bind_param("ss",
$userEmail,
$password
);
$stmt -> execute();
$stmt -> bind_result(
$userId,
$userEmail,
$userFirst,
$userLast,
$location,
$superUser,
$isAdmin
);
$stmt -> fetch();
$stmt -> close();
if (!empty($userId)) {
if(!isset($_SESSION))session_start();
$_SESSION['tz']['userId'] = $userId;
$_SESSION['tz']['userEmail'] = $userEmail;
$_SESSION['tz']['userFirst'] = $userFirst;
$_SESSION['tz']['userLast'] = $userLast;
$_SESSION['tz']['location'] = $location;
$_SESSION['tz']['superUser'] = $superUser;
$_SESSION['tz']['isAdmin'] = $isAdmin;
// Add Recent Activity
$activityType = '1';
$tz_uid = $userId;
$activityTitle = $userFirst.' '.$userLast.' '.$accSignInAct;
updateActivity($tz_uid,$activityType,$activityTitle);
// Update the Last Login Date for User
$sqlStmt = $mysqli->prepare("UPDATE users SET lastVisited = NOW() WHERE userId = ?");
$sqlStmt->bind_param('s', $userId);
$sqlStmt->execute();
$sqlStmt->close();
header('Location: index.php');
} else {
// Add Recent Activity
$activityType = '0';
$tz_uid = '0';
$activityTitle = $accSignInErrAct;
updateActivity($tz_uid,$activityType,$activityTitle);
$msgBox = alertBox($accSignInErrMsg, "<i class='fa fa-warning'></i>", "warning");
}
}
} else {
// Add Recent Activity
$activityType = '0';
$tz_uid = $row['userId'];
$activityTitle = $row['userFirst'].' '.$row['userLast'].' '.$signInUsrErrAct;
updateActivity($tz_uid,$activityType,$activityTitle);
// If the account is not active, show a message
$msgBox = alertBox($inactAccMsg, "<i class='fa fa-warning'></i>", "warning");
}
} else {
// Add Recent Activity
$activityType = '0';
$tz_uid = '0';
$activityTitle = $noAccSignInErrAct;
updateActivity($tz_uid,$activityType,$activityTitle);
// No account found
$msgBox = alertBox($noAccSignInErrMsg, "<i class='fa fa-times-circle'></i>", "danger");
}
}
}
// Reset Account Password
if (isset($_POST['submit']) && $_POST['submit'] == 'resetPass') {
// Validation
if ($_POST['accountEmail'] == "") {
$msgBox = alertBox($accEmailReq, "<i class='fa fa-times-circle'></i>", "danger");
} else {
$usrEmail = htmlspecialchars($_POST['accountEmail']);
$query = "SELECT userEmail FROM users WHERE userEmail = ?";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("s",$usrEmail);
$stmt->execute();
$stmt->bind_result($emailUser);
$stmt->store_result();
$numrows = $stmt->num_rows();
if ($numrows == 1) {
// Generate a RANDOM Hash for a password
$randomPassword = uniqid(rand());
// Take the first 8 digits and use them as the password we intend to email the Employee
$emailPassword = substr($randomPassword, 0, 8);
// Encrypt $emailPassword for the database
$newpassword = encodeIt($emailPassword);
//update password in db
$updatesql = "UPDATE users SET password = ? WHERE userEmail = ?";
$update = $mysqli->prepare($updatesql);
$update->bind_param("ss",
$newpassword,
$usrEmail
);
$update->execute();
$qry = "SELECT userId, userFirst, userLast, isAdmin FROM users WHERE userEmail = '".$usrEmail."'";
$results = mysqli_query($mysqli, $qry) or die('-2' . mysqli_error());
$row = mysqli_fetch_assoc($results);
$theUser = $row['userId'];
$isAdmin = $row['isAdmin'];
$userName = $row['userFirst'].' '.$row['userLast'];
if ($isAdmin == '1') {
// Add Recent Activity
$activityType = '3';
$activityTitle = $userName.' '.$admPassResetAct;
updateActivity($theUser,$activityType,$activityTitle);
} else {
// Add Recent Activity
$activityType = '3';
$activityTitle = $userName.' '.$usrPassResetAct;
updateActivity($theUser,$activityType,$activityTitle);
}
$subject = $siteName.' '.$resetPassEmailSub;
$message = '<html><body>';
$message .= '<h3>'.$subject.'</h3>';
$message .= '<p>'.$resetPassEmail1.'</p>';
$message .= '<hr>';
$message .= '<p>'.$emailPassword.'</p>';
$message .= '<hr>';
$message .= '<p>'.$resetPassEmail2.'</p>';
$message .= '<p>'.$resetPassEmail3.' '.$installUrl.'sign-in.php</p>';
$message .= '<p>'.$emailTankYouTxt.'<br>'.$siteName.'</p>';
$message .= '</body></html>';
$headers = "From: ".$siteName." <".$siteEmail.">\r\n";
$headers .= "Reply-To: ".$siteEmail."\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=UTF-8\r\n";
mail($usrEmail, $subject, $message, $headers);
$msgBox = alertBox($resetPassMsg1, "<i class='fa fa-check-square'></i>", "success");
$stmt->close();
} else {
// Add Recent Activity
$activityType = '1';
$tz_uid = '0';
$activityTitle = $resetPassMsgAct;
updateActivity($tz_uid,$activityType,$activityTitle);
// No account found
$msgBox = alertBox($resetPassMsg2, "<i class='fa fa-times-circle'></i>", "danger");
}
}
}
答案 0 :(得分:0)
我只假设您第一次尝试登录时会话是保存而您没有销毁会话。
if ((isset($_SESSION['tz']['userId'])) && ($_SESSION['tz']['userId'] != '')) {
header('Location: index.php');
}
因此,这个条件总是如此。
如果您想在没有有效凭据的情况下阻止/避免用户登录。
匹配数据库中的记录
$check = "SELECT userEmail, password FROM users WHERE userEmail = '".$usrEmail."' AND password = '".$password."'";
$res = mysqli_query($mysqli, $check) or die('-1' . mysqli_error());
$row = mysqli_fetch_assoc($res);
$count = mysqli_num_rows($res);
if ($count > 0) {
//match found
}
else {
//no match found or username/password doesn't match
}
答案 1 :(得分:0)
if (isset($_POST['submit']) && $_POST['submit'] == 'signIn') {
if($_POST['emailAddy'] == '') {
$msgBox = alertBox($accEmailReq, "<i class='fa fa-times-circle'></i>", "danger");
} else if($_POST['password'] == '') {
$msgBox = alertBox($accPassReq, "<i class='fa fa-times-circle'></i>", "danger");
} else {
$usrEmail = htmlspecialchars($_POST['emailAddy']);
$password = encodeIt($_POST['password']);
$check = "SELECT userId, userFirst, userLast, isActive FROM users WHERE userEmail = '".$usrEmail."'";
$res = mysqli_query($mysqli, $check) or die('-1' . mysqli_error());
$row = mysqli_fetch_assoc($res);
$count = mysqli_num_rows($res);
if ($count > 0) {