<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en" >
<head>
<title>Login | JM Today </title>
<link href="Mainstyles.css" type="text/css" rel="stylesheet" />
</head>
<body>
<div class="container">
<?php include("header.php"); ?>
<?php include("navbar.php"); ?>
<?php include("cleanquery.php") ?>
<div id="wrap">
<?php
$check=checklogin();
if($check == true){
confirmcookie($_SESSION['username'], $_SESSION['password']);
}
?>
<?php
$conn=mysql_connect("localhost", "***", "***") or die(mysql_error());
mysql_select_db('jmtdy', $conn) or die(mysql_error());
function checklogin() {
if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){
$_SESSION['username'] = $_COOKIE['cookname'];
$_SESSION['password'] = $_COOKIE['cookpass'];
return true;
}
elseif(isset($_POST['sublogin'])){
if((strlen($_POST['user']) > 3) && (strlen($_POST['pass']) > 3)){
$user=cleanQuery($_POST['user']);
$pass=cleanQuery($_POST['pass']);
$result=mysql_query("select password from users where username='$user' and active='1'");
if(mysql_num_rows(mysql_query("select username from users where username='$user' and active = '1'" ) < 1)){
$msg='<p class="statusmsg">The username you entered is incorrect, or you haven\'t yet activated your account. Please try again.</p><br/>';
$status="NOTOK";
}
}
else{
$msg=$msg.'<p class="statusmsg">You didn\'t fill in the required fields.</p><br/>';
$status="NOTOK";
}
if($status != "NOTOK"){
if(mysql_num_rows(mysql_query("select password from users where password='$pass'" ))){
$_SESSION['username']=$user;
$_SESSION['password']=$password;
}
else{
$msg=$msg.'<p class="statusmsg">The password you entered is incorrect.</p>';
$status="NOTOK";
}
if(isset($_POST['remember'])){
setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");
setcookie("cookpass", $_SESSION['password'], time()+60*60*24*100, "/");
}
}
if($status=="NOTOK"){
echo $msg . '<input type="button" value="Retry" onClick="location.href='."'login.php'\">";
}
else{
echo '<p class="statusmsg"> You have succesfully logged in! </p>';
}
}
else{
echo '<p class="statusmsg"> You came here by mistake, didn\'t you? </p>';
}
}
function confirmcookie($username, $password){
$result = mysql_query("select password from users where username = '$username'");
if(!$result || (mysql_num_rows($result) < 1)){
unset($_SESSION['username']);
unset($_SESSION['password']);
$msg='<p class="statusmsg">The username you entered is incorrect or you have set an incorrect cookie</p>';
$status=="NOTOK";
}
$dbarray = mysql_fetch_array($result);
$dbarray['password'] = cleanQuery($dbarray['password']);
$password = cleanQuery($password);
if($password!=$dbarray['password']){
unset($_SESSION['username']);
unset($_SESSION['password']);
$msg='<p class="statusmsg">The password you entered is incorrect or you have set an incorrect cookie.</p>';
}
if(count_chars($msg) >0){
echo $msg;
}
}
?>
</div>
<br/>
<br/>
<?php include("footer.php") ?>
</div>
</body>
</html>
这是cleanQuery函数:
<?php
function cleanQuery($string)
{
if(get_magic_quotes_gpc()) // prevents duplicate backslashes
{
$string = stripslashes($string);
}
if (phpversion() >= '4.3.0')
{
$string = mysql_real_escape_string($string);
}
else
{
$string = mysql_escape_string($string);
}
return $string;
}
?>
答案 0 :(得分:1)
在您有机会实际连接到数据库之前调用checklogin()!
答案 1 :(得分:0)
当您使用数据库密码检查输入密码时,您正在使用CleanQuery函数。但我不认为你应该使用此功能密码。因为密码可以有任何特殊的字符。
$dbarray['password'] = cleanQuery($dbarray['password']);
这行代码可能未使用。如果有用,请使用此功能。
感谢。