I am trying to build a web application that randomizes, before login, which form of the password the user has to enter. The registration page does not hash the password, and I really don't need hashing for this demo. When a user logs in, they first provide their email address, which is checked against the database. The page code is as follows (index.php):
```php
<?php
require_once 'dbconnect.php';
/*
if ( isset($_SESSION['user'])!="" ) {
    header("Location: home.php");
    exit;
}
*/
$error = false;
if( isset($_POST['btn-login']) ) {
    $email = sanitize($_POST['email']);
    if(empty($email)){
        $error = true;
        $emailError = "Please enter your email address.";
    } else if ( !filter_var($email,FILTER_VALIDATE_EMAIL) ) {
        $error = true;
        $emailError = "Please enter valid email address.";
    }
    if (!$error) {
        $stmt = dbconnect()->prepare("SELECT * FROM users WHERE email=:email");
        $stmt->execute(array(
            ":email" => $email,
        ));
        $count = $stmt->rowCount();
        if($count == 1) {
            $_SESSION['email'] = $email;
            redirect('creds.php');
        } else {
            $errMSG = "Incorrect Credentials, Try again...";
        }
    }
}
?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Coding Cage - Login & Registration System</title>
<link rel="stylesheet" href="assets/css/bootstrap.min.css" type="text/css" />
<link rel="stylesheet" href="style.css" type="text/css" />
</head>
<body>
<div class="container">
    <div id="login-form">
        <form method="post" autocomplete="off">
            <div class="col-md-12">
                <div class="form-group">
                    <h2 class="">Sign In.</h2>
                </div>
                <div class="form-group">
                    <hr />
                </div>
                <?php
                if ( isset($errMSG) ) {
                ?>
                <div class="form-group">
                    <div class="alert alert-danger">
                        <span class="glyphicon glyphicon-info-sign"></span> <?php echo $errMSG; ?>
                    </div>
                </div>
                <?php
                }
                ?>
                <div class="form-group">
                    <div class="input-group">
                        <span class="input-group-addon"><span class="glyphicon glyphicon-envelope"></span></span>
                        <input type="email" name="email" class="form-control" placeholder="Your Email" value="<?php if (isset($email)) {echo $email;} ?>" maxlength="40" />
                    </div>
                    <span class="text-danger"><?php if (isset ($emailError)) {echo $emailError;} ?></span>
                </div>
                <div class="form-group">
                    <hr />
                </div>
                <div class="form-group">
                    <button type="submit" class="btn btn-block btn-primary" name="btn-login">Next..</button>
                </div>
                <div class="form-group">
                    <hr />
                </div>
                <div class="form-group">
                    <a href="register.php">Sign Up Here...</a>
                </div>
            </div>
        </form>
    </div>
</div>
</body>
</html>
```
After submitting that form, the user is redirected to 'creds.php', which is supposed to pick a random password function from functions.php. The creds.php code is:
```php
<?php
require_once 'dbconnect.php';
/*
if ( isset($_SESSION['user'])!="" ) {
    header("Location: home.php");
    exit;
}
*/
$error = false;
if(isset($_POST['btn-login']) ) {
    $pass = sanitize($_POST['pass']);
    // a new random mode is drawn on every POST, so it need not be the mode the form showed
    $passarray = getrandomfunction($pass);
    echo $passarray;
    if ($passarray == 0)
    {
        $passval = 'reversepass';
    }
    elseif ($passarray == 1)
    {
        $passval = 'passtoupper';
    }
    elseif ($passarray == 2)
    {
        $passval = 'passtolower';
    }
    elseif ($passarray == 3)
    {
        $passval = 'defaultpass';
    }
    elseif ($passarray == 4)
    {
        $passval = 'passfirst4letter';
    }
    $eg = $passval;
    if(empty($pass)){
        $error = true;
        $passError = "Please enter your password.";
    }
    if (!$error) {
        $stmt = dbconnect()->prepare("SELECT * FROM users WHERE email=:email");
        $stmt->execute(array(
            ":email" => $_SESSION['email'],
        ));
        $row = $stmt->fetchAll();
        $count = $stmt->rowCount();
        if( $count == 1 ) { /* && $passfrmdbffunc==$passfromfunc */
            foreach ($row as $row)
            {
                //echo $eg;
                $dbpassword = $row['password']; //from db
                //$passfromfunc = $eg($pass);
                $passfrmdbffunc = $eg($dbpassword); // fromdb processed
                echo $pass . '<br/>';
                //echo $passfrmdbffunc;
                switch ($passarray)
                {
                    case 0:
                        if ($pass != reversepass($dbpassword))
                        {
                            $errMSG = "Incorrect revese Credentials, Try again...";
                        }
                        else{
                            $_SESSION['logged'] = True;
                            redirect('home.php');
                        }
                        break;
                    case 1:
                        if ($pass != passtoupper($dbpassword))
                        {
                            $errMSG = "Incorrect upper Credentials, Try again...";
                        }
                        else{
                            $_SESSION['logged'] = True;
                            redirect('home.php');
                        }
                        break;
                    case 2:
                        if ($pass != passtolower($dbpassword))
                        {
                            $errMSG = "Incorrect lower Credentials, Try again...";
                        }
                        else{
                            $_SESSION['logged'] = True;
                            redirect('home.php');
                        }
                        break;
                    case 3:
                        if ($pass !== defaultpass($dbpassword))
                        {
                            $errMSG = "Incorrect default Credentials, Try again...";
                        }
                        else{
                            $_SESSION['logged'] = True;
                            redirect('home.php');
                        }
                        break;
                    case 4:
                        if ($pass != passfirst4letter($dbpassword))
                        {
                            $errMSG = "Incorrect 4letter Credentials, Try again...";
                        }
                        else{
                            $_SESSION['logged'] = True;
                            redirect('home.php');
                        }
                        break;
                }
                /*
                if ($passfrmdbffunc == $pass)
                {
                    $_SESSION['logged'] = True;
                    //redirect('home.php');
                }
                else
                {
                    $errMSG = "Incorrect Credentials, Try again...";
                }*/
            }
        } else {
            $errMSG = "Incorrect Credentials, Try again...";
        }
    }
}
?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Password <?php echo $_SESSION['email']; ?></title>
<link rel="stylesheet" href="assets/css/bootstrap.min.css" type="text/css" />
<link rel="stylesheet" href="style.css" type="text/css" />
</head>
<body>
<div class="container">
    <div id="login-form">
        <form method="post" autocomplete="off">
            <div class="col-md-12">
                <div class="form-group">
                    <h2 class="">Provide your password in <?php if (isset($passarray)){echo $passval;}?></h2>
                </div>
                <div class="form-group">
                    <hr />
                </div>
                <?php
                if ( isset($errMSG) ) {
                ?>
                <div class="form-group">
                    <div class="alert alert-danger">
                        <span class="glyphicon glyphicon-info-sign"></span> <?php echo $errMSG; ?>
                    </div>
                </div>
                <?php
                }
                ?>
                <div class="form-group">
                    <div class="input-group">
                        <span class="input-group-addon"><span class="glyphicon glyphicon-lock"></span></span>
                        <input type="password" name="pass" class="form-control" placeholder="Your Password" maxlength="15" />
                    </div>
                    <span class="text-danger"><?php if (isset($passError)) {echo $passError;} ?></span>
                </div>
                <div class="form-group">
                    <hr />
                </div>
                <div class="form-group">
                    <button type="submit" class="btn btn-block btn-primary" name="btn-login">Sign In</button>
                </div>
                <div class="form-group">
                    <hr />
                </div>
                <div class="form-group">
                    <a href="register.php">Sign Up Here...</a>
                </div>
            </div>
        </form>
    </div>
</div>
</body>
</html>
```
I am using the PDO MySQL driver to talk to the database. Oh, and the functions.php code that randomizes the password is:
```php
<?php
function reversepass($password)
{
    return strrev($password);
}
function passtoupper($password)
{
    return strtoupper($password);
}
function passtolower($password)
{
    return strtolower($password);
}
function defaultpass($password)
{
    return $password;
}
function passfirst4letter($password)
{
    return substr($password, 0, 4);
}
// returns a random index 0..4; the transformed values are computed but only their keys are used
function getrandomfunction($password)
{
    $functions = array(reversepass($password),passtoupper($password),passtolower($password),defaultpass($password),passfirst4letter($password));
    return array_rand(array_keys($functions));
}
?>
```
My problem is that the password form may ask for the "reversed password", but when you enter the password reversed, it returns the result of the next random function instead of returning true. If the return value is true I need it to set the session and redirect, otherwise show an error message.
Edit: the database connection file (dbconnect.php), which has the sanitize function:
```php
<?php
session_start();
ob_start();
function dbconnect()
{
    $db_host = '127.0.0.1';
    $db_user = 'root';
    $dbname = 'project';
    $db_pass = '';
    try{
        $connection = new PDO("mysql:host=$db_host;dbname=$dbname",$db_user, $db_pass);
        // set PDO error mode to exception
        $connection->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION);
    }
    catch (PDOException $e){
        echo 'Connection to the database failed ' . $e->getMessage();
    }
    return $connection;
}
function sanitize($data)
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
function redirect($url)
{
    header("Location: $url");
    exit; // stop executing the rest of the script once the redirect header is sent
}
include_once 'functions.php';
?>
```
Answer 0 (score: 0)
The logic you use in functions.php is incorrect.
This is what you are doing now:
The problem is at 3 and 6... So the solution is to decide the password-validation criterion before the form is displayed, and store it in the SESSION so it can be read back later.
I would change your functions.php to this (simplified):
```php
<?php
$PASSWORD_MODES = array(
    "reversepass", "passtoupper", "passtolower", "defaultpass", "passfirst4letter"
);
$RANDOM_MODE = $PASSWORD_MODES[rand(0, count($PASSWORD_MODES)-1)];

function changePasswordByMode($mode, $password) {
    switch ($mode) {
        case "reversepass":
            return strrev($password);
            break;
        case "passtoupper":
            return strtoupper($password);
            break;
        case "passtolower":
            return strtolower($password);
            break;
        case "passfirst4letter":
            return substr($password, 0, 4);
            break;
        case "defaultpass":
            return $password;
            break;
        default:
            return $password;
            break;
    }
}

function validatePasswordMode($original_password, $mode, $test_password) {
    return $test_password === changePasswordByMode($mode, $original_password);
}
?>
```
Here is creds.php (simplified):
```php
<?php
require_once 'dbconnect.php';
/*
SET VARS
*/
$error = $pass = $errMSG = $passError = false;
global $RANDOM_MODE;
/*
CHECK POST FOR $pass
*/
if (isset($_POST['pass'])) {
    $pass = sanitize($_POST['pass']);
    if(empty($pass)){
        $error = true;
        $passError = "Please enter your password.";
    }
}
/*
IF $pass IS PROVIDED & $_SESSION["passmode"] IS SET -> VALIDATE
*/
if ($pass && isset($_SESSION["passmode"])) {
    $stmt = dbconnect()->prepare("SELECT * FROM users WHERE email=:email");
    $stmt->execute(array(
        ":email" => $_SESSION['email'],
    ));
    $row = $stmt->fetchAll();
    $count = $stmt->rowCount();
    if ($count == 1 ) {
        $dbpassword = $row[0]['password'];
        $VALID_PASS = validatePasswordMode(
            $dbpassword,
            $_SESSION["passmode"],
            $pass); // the submitted password (was an undefined $test_password)
        if ($VALID_PASS) {
            $_SESSION['logged'] = TRUE;
            redirect('home.php');
        } else {
            $error = true;
            $errMSG = "Incorrect credentials. Try again...";
        }
    } // endif $count
} // endif $pass && isset($_SESSION["passmode"]))
/*
SET PASSMODE
*/
$_SESSION["passmode"] = $RANDOM_MODE;
//
?>
<!-- in your HTML change this part: -->
<div class="form-group">
    <h2 class="">
        Provide your password in <?php echo $_SESSION["passmode"]; ?>
    </h2>
</div>
<!-- keep the rest -->
```
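The following is an added example, not code from the asker or the answerer. It reproduces the answer's point (choose the challenge once, pin it in the session, validate against the pinned mode) as a command-line simulation with no web server or database: `$session` and `$userRow` are constructed arrays standing in for `$_SESSION` and the PDO result. It goes a little beyond the answer in two ways: the comparison uses `hash_equals()` (strict and constant-time, so PHP's loose `==` coercion of numeric-looking strings cannot cause a false match), and a contrasting `answerRerandomized()` shows why the asker's per-request draw rejects most correct answers. It assumes PHP 7 or later for `random_int()` and scalar type hints.

```php
<?php
// Added example: CLI simulation of the two-step login. Run with: php challenge_demo.php
declare(strict_types=1);

const PASSWORD_MODES = ['reversepass', 'passtoupper', 'passtolower', 'defaultpass', 'passfirst4letter'];

/** Apply the named transformation to the stored password (same modes as the page). */
function transformPassword(string $mode, string $password): string
{
    switch ($mode) {
        case 'reversepass':      return strrev($password);
        case 'passtoupper':      return strtoupper($password);
        case 'passtolower':      return strtolower($password);
        case 'passfirst4letter': return substr($password, 0, 4);
        case 'defaultpass':      return $password;
        default:
            throw new InvalidArgumentException("unknown password mode: $mode");
    }
}

/**
 * Step 1 (rendering creds.php): choose the challenge once and pin it in the
 * session. It is reused until answered, so the <h2> and the check agree.
 * random_int() is a CSPRNG; rand() is not.
 */
function issueChallenge(array &$session): string
{
    if (!isset($session['passmode'])) {
        $session['passmode'] = PASSWORD_MODES[random_int(0, count(PASSWORD_MODES) - 1)];
    }
    return $session['passmode'];
}

/**
 * Step 2 (POST to creds.php): check the answer against the pinned mode, then
 * drop it so the next attempt gets a fresh challenge. hash_equals() is a strict,
 * constant-time string comparison: no loose-`==` coercion, no timing leak.
 */
function answerChallenge(array &$session, string $storedPassword, string $submitted): bool
{
    if (!isset($session['passmode'])) {
        return false;                  // no challenge was issued: fail closed
    }
    $expected = transformPassword($session['passmode'], $storedPassword);
    unset($session['passmode']);       // one challenge per attempt, pass or fail
    return hash_equals($expected, $submitted);
}

/**
 * The asker's current flow, for contrast: a mode is drawn independently on the
 * POST, so an answer typed for the displayed mode is accepted only when the
 * second draw happens to yield the same string.
 */
function answerRerandomized(string $storedPassword, string $submitted): bool
{
    $freshMode = PASSWORD_MODES[random_int(0, count(PASSWORD_MODES) - 1)];
    return hash_equals(transformPassword($freshMode, $storedPassword), $submitted);
}

// --- constructed demo data (not from any real database) ----------------------
$userRow = ['email' => 'demo@example.com', 'password' => 'Secret12'];
$session = [];

$mode   = issueChallenge($session);                         // what the form shows
$answer = transformPassword($mode, $userRow['password']);   // what an honest user types
printf("challenge: %-16s honest answer: %s\n", $mode, $answer);

printf("pinned mode accepts:       %s\n",
    var_export(answerChallenge($session, $userRow['password'], $answer), true));
printf("second POST, no challenge: %s\n",
    var_export(answerChallenge($session, $userRow['password'], $answer), true));

// Replay the asker's per-request draw: most correct answers are rejected.
$accepted = 0;
for ($i = 0; $i < 1000; $i++) {
    $accepted += answerRerandomized($userRow['password'], $answer) ? 1 : 0;
}
printf("re-randomized mode accepted %d of 1000 correct answers\n", $accepted);
```

In the real page flow, `issueChallenge()` runs before the form is rendered and `answerChallenge()` on the POST; because a used challenge is cleared whether or not it succeeded, a failed attempt re-renders with a new mode, which matches what the answer's `$_SESSION["passmode"] = $RANDOM_MODE;` line does. The simulation still needs the stored password in clear text, which is inherent to this scheme: none of the five transformations can be applied to a salted hash.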