如何禁用用户帐户php / mysql

时间:2017-08-08 00:09:34

标签: php mysql

我正在尝试启用或禁用用户帐户。

我的表中有一个活动字段,设置为yes或no。

这是我登录页面的代码。

<?php
/* User login process, checks if user exists and password is correct */

require_once 'includes/db.php';

// Escape email to protect against SQL injections
$email = $mysqli->escape_string($_POST['email']);
$result = $mysqli->query("SELECT * FROM dxd_membership WHERE email='$email'");
if ( $result->num_rows == 0 ){ // User doesn't exist
$_SESSION['message'] = "User with that email doesn't exist!";
header("location: error.php");
}
else { // User exists
    $user = $result->fetch_assoc();
$active = $mysqli->query("SELECT * FROM dxd_membership WHERE email = '$email' AND active = 'YES'");

if ($active == '1')
{
    if ( password_verify($_POST['password'], $user['password']) ) {
        $userid = $_SESSION['userid'];
        $_SESSION['email'] = $user['email'];
        $_SESSION['firstname'] = $user['firstname'];
        $_SESSION['lastname'] = $user['lastname'];
        $_SESSION['username'] = $user['username'];
        $_SESSION['paynum'] = $user['paynum'];
        $_SESSION['empnum'] = $user['empnum'];
        $_SESSION['phone'] = $user['phone'];
        $_SESSION['active'] = $user['active'];
        $_SESSION['lastlogin'] = $user['lastlogin'];
        $_SESSION['signup'] = $user['signup'];
        $_SESSION['lastupdate'] = $user['lastupdate'];

        // This is how we'll know the user is logged in
        $_SESSION['logged_in'] = true;

        $update = $mysqli->query("UPDATE dxd_membership SET lastlogin=NOW() WHERE email = '$email'");

        header("location: welcome.php");
    }

    else {
        $_SESSION['message'] = "You have entered wrong password please try again!";
        header("location: error.php");
    }
}

else {
    header("location: disabled.php");
}
}
?>

我确定这是一个愚蠢的错误,但它不会检查活动字段,然后让用户登录welcome.php页面,如果active是yes或者将它们发送到disabled.php页面,如果他们的帐户有效设置为否(已禁用)。

任何人都可以帮我修改代码,以便它可以正常工作。

由于

2 个答案:

答案 0 :(得分:1)

非常明显

$active = $mysqli->query("SELECT * FROM dxd_membership WHERE email = '$email' AND    active = 'YES'");

if ($active == '1') //<-- see it
{
   if ( password_verify($_POST['password'], $user['password']) )

试试这个

if ($active->num_rows == 1 ) //or != 0 This is false or a result set.

即使您确实拥有其活动字段的值(您已选择*),您仍然会检查字符串'1'对字符串'YES'

注意我在大约4年内没有使用过mysqli,因为我使用的是PDO。所以这可能不是整个问题,但似乎错了..

事实上,由于您已经拥有所搜索的数据,因此不需要第二个查询,因此您可以更改它。

现在,如果您确定活动状态始终为YES,则$user已包含此数据,那么为什么不这样使用它,并保存查询。

$email = $mysqli->escape_string($_POST['email']);
$result = $mysqli->query("SELECT * FROM dxd_membership WHERE email='$email'");
if ( $result->num_rows == 0 ){ // User doesn't exist
    $_SESSION['message'] = "User with that email doesn't exist!";
    header("location: error.php");
}else { // User exists
    $user = $result->fetch_assoc();
    /*  comment these next 2 lines out when not debugging */
    echo "<pre>"; //whitespace formating
    var_export( $user );

    if ($user['active'] == 'YES'){
    // .....



    }
}

我不得不提到的一件事是你应该研究准备好的陈述。你可以在这里找到相关的信息

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

每当你在SQL查询中连接时,你应该使用预准备语句,因为它会打开应用程序进行SQL注入攻击。现在我仔细观察你正在使用escape_string虽然这很好,但首选方法是预备语句。这是因为使用预准备语句,变量完全独立于查询命令,因此DB知道不执行任何内容。即使逃避也可能存在边缘情况,我不知道任何说法,但是使用十六进制版本的引用是我在示例中看到的东西,或奇怪的字符串数据库会看到一个引用。

答案 1 :(得分:1)

看,我在你的代码中看到了几个问题。第一个是对同一数据的双重查询。您可以将整个内容简化为一个查询。

另一个(也是更重要的)事实是你只是将数据附加到SQL查询,其中MySQLi的整个目标是避免通过绑定params进行注入。所以更正确的方法就是这样:

编辑: .name避免这种情况。我完全无视它。

escape_string

当然,最好的选择是使用MySQLi语句并使用<?php /* User login process, checks if user exists and password is correct */ require_once 'includes/db.php'; // Escape email to protect against SQL injections $email = $mysqli->escape_string($_POST['email']); $result = $mysqli->query("SELECT * FROM dxd_membership WHERE email = '{$email}'"); if ( $result->num_rows == 0 ){ // User doesn't exist $_SESSION['message'] = "User with that email doesn't exist!"; header("Location: error.php"); exit; // Add an "exit" here, because if you add something else, it will run too (even if you asked to redirect... basically is the browser the one that chooses if it follows the redirect or not, but your script still goes on). } else { // User exists $user = $result->fetch_assoc(); // There's no point in filtering using another MySQL query, since YOU ALREADY HAVE THIS DATA. Just use PHP to read it and act appropiately. // Doing another query is just WASTING resources for no useful purpose. //$active = $mysqli->query("SELECT * FROM dxd_membership WHERE email = '$email' AND active = 'YES'"); if ( $user['active'] == 'YES' ) { // Your processing here, you get the idea } } ?> / bind_param。这个例子只是为了遵循你使用MySQLi的风格。

相关问题
最新问题