在crudindex.php中,如果有任何用户使用admin和密码admix登录,请回显一些信息并重定向到crudview.php。
这里的问题是任何点击登录按钮重定向到crudview.php的用户。
要求:对于管理员用户,它将重定向到crudview和其他人crudeditusr.php
2)我是否需要重新生成会话ID并将登录页面的代码也放入?
3)我可以将密钥更改为任何数字?
<?php
$con = mysqli_connect("127.0.0.1", "kkits996_ganesh", "", "kkits996_testmysql") or die("Error " . mysqli_error($con));
// Declare array for errors
$error=array();
//-----------------------------------------------------//
//---------------------CSRF PROTECT--------------------//
//-----------------------------------------------------//
//generate a token/
function generateToken( $formName )
{
//secret_key change it
$secretKey ='?@GEskki58668445744!Erpoejsj48';
if ( !session_id() )
{
session_start();
}
$sessionId = session_id();
return hash('sha512', $formName.$sessionId.$secretKey );
}
//check if the token is valid
function checkToken( $token, $formName)
{
return $token === generateToken( $formName );
}
//Separate REGISTER AND LOGIN TO NOT BE CONFUSED//
//-----------------------------------------------------//
//---------------------REGISTRATION--------------------//
//-----------------------------------------------------//
if ( isset($_POST['register']) && checkToken( $_POST['csrf_token'], 'userFromRegistration' ) )
{
//if the username required
if(!preg_match('/^[A-Za-z0-9]+$/',$_POST['uname']))
{
$error['username'] = "Username must have alphanumeric characters ";
}
//if password has less than 6 characters
if(strlen($_POST['pwd']) < 6)
{
$error['password'] = "Password must be minimum of 6 characters";
}
//if password does not match
if($_POST['pwd'] !== $_POST['cpwd'] OR empty($_POST['cpwd']) )
{
$error['passwordmatch'] = "Password and Confirm Password doesn't match";
}
//if empty error array
if( !array_filter($error) )
{
//trim data
$username = trim( $_POST['uname'] );
// Hash you password, never save PASSWORD AS PLAIN TEXT!!!!!!!
// MYSQL! : Allow your storage to expand past 60 characters (VARCHAR 255 would be good)
$password = password_hash( $_POST['pwd'], PASSWORD_DEFAULT);
//if the id is autoincremented leave id
//----------USE PREPARED STATEMENT FOR SQL INJECTION---//
$query = 'INSERT INTO cruduser (username, password) VALUES (?,?)';
$stmt = $con->prepare($query);
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$stmt->close();
$con->close();
//Redirect because we need to consider the post request from crudadd.php
header( 'Location: crudaddusr.php' ) ;
}
}
//-----------------------------------------------------//
//------------------------LOGIN as admin---------------------//
if ( isset($_POST['login']))
{
if ($_POST['uname']="admin" && $_POST['pwd']="adminx")
{
echo $_POST['uname'];
echo $_POST['pwd'];
$con->close();
header ("Location: crudview.php");
}
}
//------------------------LOGIN as Normal-----------------------//
if ( isset($_POST['login']) && checkToken( $_POST['csrf_token'], 'userFromRegistration' ) )
{
//if the username required
if(!preg_match('/^[A-Za-z0-9]+$/',$_POST['uname']))
{
$error['username'] = "Username must have alphanumeric characters ";
}
//if password has less than 6 characters
if(strlen($_POST['pwd']) < 6)
{
$error['password'] = "Password must be minimum of 6 characters";
}
//if password does not match
if($_POST['pwd'] !== $_POST['cpwd'] OR empty($_POST['cpwd']) )
{
$error['passwordmatch'] = "Password and Confirm Password doesn't match";
}
//if empty error array
if( !array_filter($error) )
{
//trim data
$uname = trim( $_POST['uname'] );
// Hash you password, never save PASSWORD AS PLAIN TEXT!!!!!!!
// MYSQL! : Allow your storage to expand past 60 characters (VARCHAR 255 would be good)
//$pwd = password_hash( $_POST['pwd'], PASSWORD_DEFAULT);
$pwd = $_POST['pwd'];
$con->close();
//Redirect because we need to consider the post request from crudadd.php
header("Location: crudeditusr.php?suname=".$uname."&spwd=".$pwd);
// header( "Location: crudeditusr.php?suname=$uname&spwd=$pwd");
}
}
//-----------------------------------------------------//
//if (isset($_POST['login']))
//{
//what ever you want
//Use password_verify() and session_regenerate_id()
//to compare passwords and to generate a session id to prevent session fixation.
//}
//?>
<!--HTMl PART-->
<!DOCTYPE html>
<html>
<head>
<title>"Login Registration"</title>
<!-- bootstrap link is downloaded from bootstrapcdn.com for css and js -->
<!-- col-mod-6 col-mod-offset are bootstrap related-->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>
<body>
<div class="container">
<div class="row">
<form method="post" action="" class="form-horizontal col-mod-6 col-mod-offset-3">
<input type="hidden" name="csrf_token" value="<?php echo generateToken('userFromRegistration'); ?>" required/>
<h2>Login Registration</h2>
<div class="form-group">
<label for="input" class="col-sm-2 control-label">Username : </label>
<div class="col-sm-10 <?php if( !empty( $error['username'] ) ){ echo 'has-error';} ?> ">
<input type="text" name="uname" class="form-control" id="input1" placeholder="Username"/>
<span class="help-block"><?php if (!empty($error['username'])) echo $error['username'];?></span>
</div>
</div>
<div class="form-group">
<label for="input" class="col-sm-2 control-label">Password: </label>
<div class="col-sm-10 <?php if( !empty( $error['password'] ) ){ echo 'has-error';} ?>">
<input type="password" name="pwd" class="form-control" id="input1" placeholder="Password"/>
<span class="help-block"><?php if (!empty($error['password'])) echo $error['password'];?></span>
</div>
</div>
<div class="form-group">
<label for="input" class="col-sm-2 control-label">Confirm Password : </label>
<div class="col-sm-10 <?php if( !empty( $error['passwordmatch'] ) ){ echo 'has-error';} ?>">
<input type="password" name="cpwd" class="form-control" id="input1" placeholder="Confirm Password"/>
<span class="help-block"><?php if (!empty($error['passwordmatch'])) echo $error['passwordmatch'];?></span>
</div>
</div>
<div class="row">
<div class="col-mod-6 col-mod-offset-3">
<button id="submit1" name="register" class="btn btn-primary pull-right">Register</button>
<button id="submit2" name="login" class="btn btn-secondary pull-right">Login</button>
</div>
</div>
</form>
</body>
</html>
答案 0 :(得分:1)
此表单甚至无法发布,因为提交按钮不是type="Submit"。
此外,您需要检查一下,以便在点击login或点击register时区分操作。
您的表单似乎是一种注册形式。在表单标记中添加$_SERVER["PHP_SELF"]操作。现在,改变
<button id="submit1" type='submit' name="register" class="btn btn-primary pull-right">
Register </button>
这会将表单数据发布在同一页面上,并且您的支票register检查应该有效。