重定向不工作PHP

时间:2017-08-16 07:49:46

标签: php mysql

crudindex.php中,如果有任何用户使用admin和密码admix登录,请回显一些信息并重定向到crudview.php。 这里的问题是任何点击登录按钮重定向到crudview.php的用户。

要求:对于管理员用户,它将重定向到crudview和其他人crudeditusr.php

2)我是否需要重新生成会话ID并将登录页面的代码也放入?

3)我可以将密钥更改为任何数字?

<?php
$con = mysqli_connect("127.0.0.1", "kkits996_ganesh", "", "kkits996_testmysql")  or die("Error " . mysqli_error($con));

// Declare array for errors
$error=array();    
//-----------------------------------------------------//
//---------------------CSRF PROTECT--------------------//
//-----------------------------------------------------//

//generate a token/
function generateToken( $formName )
{   
    //secret_key change it
   $secretKey ='?@GEskki58668445744!Erpoejsj48';
   if ( !session_id() ) 
   {
       session_start();
   }
   $sessionId = session_id();
   return hash('sha512', $formName.$sessionId.$secretKey );
}

//check if the token is valid
function checkToken( $token, $formName)
{
   return $token === generateToken( $formName );
}

//Separate REGISTER AND LOGIN TO NOT BE CONFUSED//

//-----------------------------------------------------//
//---------------------REGISTRATION--------------------//
//-----------------------------------------------------//
if ( isset($_POST['register']) && checkToken( $_POST['csrf_token'], 'userFromRegistration' )  ) 
{
    //if the username required
    if(!preg_match('/^[A-Za-z0-9]+$/',$_POST['uname']))
    {
         $error['username'] = "Username must have alphanumeric characters ";
    }

    //if password has less than 6 characters
    if(strlen($_POST['pwd']) < 6)
    {
         $error['password'] = "Password must be minimum of 6 characters";
    }

    //if password does not match
   if($_POST['pwd'] !== $_POST['cpwd'] OR empty($_POST['cpwd']) ) 
   {
         $error['passwordmatch'] = "Password and Confirm Password doesn't match";
   }

    //if empty error array
    if( !array_filter($error) )
    {
         //trim data
         $username = trim( $_POST['uname'] );

         // Hash you password, never save PASSWORD AS PLAIN TEXT!!!!!!!
         // MYSQL! : Allow your storage to expand past 60 characters (VARCHAR 255 would be good)
         $password = password_hash( $_POST['pwd'], PASSWORD_DEFAULT);

         //if the id is autoincremented leave id
         //----------USE PREPARED STATEMENT FOR SQL INJECTION---//

         $query = 'INSERT INTO cruduser (username, password) VALUES (?,?)';
         $stmt = $con->prepare($query);
         $stmt->bind_param("ss", $username, $password);
         $stmt->execute();
         $stmt->close();
         $con->close();

         //Redirect because we need to consider the post request from crudadd.php
         header( 'Location: crudaddusr.php' ) ;
     }
}

//-----------------------------------------------------//



//------------------------LOGIN as admin---------------------//

if ( isset($_POST['login'])) 
{
    if ($_POST['uname']="admin" && $_POST['pwd']="adminx")
    {
        echo $_POST['uname'];
        echo $_POST['pwd'];    
        $con->close();
        header ("Location: crudview.php");
  }
}

//------------------------LOGIN as Normal-----------------------//

if ( isset($_POST['login']) && checkToken( $_POST['csrf_token'], 'userFromRegistration' )  ) 
{
    //if the username required
    if(!preg_match('/^[A-Za-z0-9]+$/',$_POST['uname']))
    {
         $error['username'] = "Username must have alphanumeric characters ";
    }

    //if password has less than 6 characters
    if(strlen($_POST['pwd']) < 6)
    {
         $error['password'] = "Password must be minimum of 6 characters";
    }

    //if password does not match
   if($_POST['pwd'] !== $_POST['cpwd'] OR empty($_POST['cpwd']) ) 
   {
         $error['passwordmatch'] = "Password and Confirm Password doesn't match";
   }

    //if empty error array
    if( !array_filter($error) )
    {
         //trim data
         $uname = trim( $_POST['uname'] );

         // Hash you password, never save PASSWORD AS PLAIN TEXT!!!!!!!
         // MYSQL! : Allow your storage to expand past 60 characters (VARCHAR 255 would be good)
         //$pwd = password_hash( $_POST['pwd'], PASSWORD_DEFAULT);
         $pwd = $_POST['pwd'];

         $con->close();

         //Redirect because we need to consider the post request from crudadd.php
           header("Location: crudeditusr.php?suname=".$uname."&spwd=".$pwd); 


//         header( "Location: crudeditusr.php?suname=$uname&spwd=$pwd");
     }
}
//-----------------------------------------------------//
//if (isset($_POST['login']))
//{
     //what ever you want
     //Use password_verify() and session_regenerate_id() 
     //to compare passwords and to generate a session id to prevent session fixation.

//} 
//?>

<!--HTMl PART-->
<!DOCTYPE html>
<html>
    <head>
        <title>"Login Registration"</title>
        <!-- bootstrap link is downloaded from bootstrapcdn.com for css and js -->
        <!-- col-mod-6 col-mod-offset are bootstrap related-->
        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
        <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
    </head>
    <body>
    <div class="container"> 
        <div class="row">
            <form method="post" action="" class="form-horizontal col-mod-6 col-mod-offset-3">
            <input type="hidden" name="csrf_token" value="<?php echo generateToken('userFromRegistration'); ?>" required/>
            <h2>Login Registration</h2>
            <div class="form-group">
                <label for="input" class="col-sm-2 control-label">Username : </label>
                <div class="col-sm-10 <?php if( !empty( $error['username'] ) ){ echo 'has-error';}  ?> ">
                    <input type="text" name="uname" class="form-control" id="input1" placeholder="Username"/>
                    <span class="help-block"><?php if (!empty($error['username'])) echo $error['username'];?></span>
                </div>
            </div>
            <div class="form-group">
                <label for="input" class="col-sm-2 control-label">Password: </label>
                <div class="col-sm-10 <?php if( !empty( $error['password'] ) ){ echo 'has-error';}  ?>">
                    <input type="password" name="pwd"  class="form-control" id="input1" placeholder="Password"/>
                    <span class="help-block"><?php if (!empty($error['password'])) echo $error['password'];?></span>
                </div>
            </div>
            <div class="form-group">
                <label for="input" class="col-sm-2 control-label">Confirm Password : </label>
                <div class="col-sm-10 <?php if( !empty( $error['passwordmatch'] ) ){ echo 'has-error';}  ?>">
                    <input type="password" name="cpwd" class="form-control" id="input1" placeholder="Confirm Password"/>
                    <span class="help-block"><?php if (!empty($error['passwordmatch'])) echo $error['passwordmatch'];?></span>
                </div>
            </div>
            <div class="row">

                <div class="col-mod-6 col-mod-offset-3">
                   <button id="submit1" name="register" class="btn btn-primary pull-right">Register</button>
                   <button id="submit2" name="login" class="btn btn-secondary pull-right">Login</button>
               </div>
           </div>
       </form>
   </body>
</html>

1 个答案:

答案 0 :(得分:1)

此表单甚至无法发布,因为提交按钮不是type="Submit"

此外,您需要检查一下,以便在点击login或点击register时区分操作。

您的表单似乎是一种注册形式。在表单标记中添加$_SERVER["PHP_SELF"]操作。现在,改变

 <button id="submit1" type='submit' name="register" class="btn btn-primary pull-right">
 Register </button>

这会将表单数据发布在同一页面上,并且您的支票register检查应该有效。