如何正确验证登录请求?

时间:2018-03-04 08:52:05

标签: php mysql


我在PHP和MySQL中编写了一个登录页面的代码。我写的代码如下 logintest.php 

<?php 
session_start(); 
require_once('csrf.php');
?>

<?php
//session_start();
require_once('connect.php');
$csrf = new csrf();

// Generate Token Id and Valid
$token_id = $csrf->get_token_id();
$token_value = $csrf->get_token($token_id);

// Generate Random Form Names
$form_names = $csrf->form_names(array('email', 'password'), false);

if(isset($_POST[$form_names['email']], $_POST[$form_names['password']])) {
    // Check if token id and token value are valid.
    if($csrf->check_valid('post')) {
        // Get the Form Variables.
        $email = $_POST[$form_names['email']];
        $password = $_POST[$form_names['password']];

        // Form Function Goes Here
    }
    // Regenerate a new random value for the form.
    $form_names = $csrf->form_names(array('email', 'password'), true);
}

if(isset($_POST) && !empty($_POST)) {
    if(!isset($email) || empty($email)) {
        $error[] = "email is required";
    }
    if(empty($email) && empty($password)) {
        die("Please Enter your email and Password");
    }
    if(empty($email)) {
        die("Please Enter your E-mail");
    }
    if(empty($password)) {
        die("Please Fill in the password field");
    }
    if(!isset($password) || empty($password)) {
        $error[] = "password is required";
    }
    if(!isset($error) || empty($error)) {
        $sql = "SELECT email, password FROM loginsystem WHERE email = ? AND password = ?";

        if($stmt = $connection->prepare("$sql")) {
            $bound_params = $stmt->bind_param("ss", $email, $password);
            $execute = $stmt->execute();
            $storeResult = $stmt->store_result();
            $rows = $stmt->num_rows();
        } else {
            "";
        }

        if($rows === 1) {
            $_SESSION['email'] = $email;
            header("location: home.php"); //redirects to home.php if everything's okay. 
        } else {
            echo "Sorry $email, Wrong email & Password combination";
        }
        $stmt->close();
    }
    $connection->close();
}
?>
<html>
    <head>
        <title>Login System Test</title>
        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" >
    </head>
<body>
    <div class="container">
        <div class="row">
            <form class="" method="post" >
                <div class="form-group">
                    <input type="hidden" name="<?= $token_id; ?>" value="<?= $token_value; ?>" />
                    <label for="form-element">Email</label>
                    <input type="text" name="<?= $form_names['email']; ?>" class="form-control" id="email" placeholder="Email">
                </div>
                <div class="form-group">
                    <label for="form-element">Password</label>
                    <input type="password" name="<?= $form_names['password']; ?>" class="form-control" id="password" placeholder="Password">
                </div>
                <button type="submit" class="btn btn-default">Submit</button>
            </form>
        </div>
    </div>
</body>
</html>

现在以下是我写的 home.php 的代码:

<?php 
session_start();
$email = $_SESSION['email'];
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
        <title>Untitled Document</title>
        <style type="text/css">
            <!--
            .style1 {
            font-size: 36px;
            font-weight: bold;
            }
            -->
        </style>
    </head>
    <body>
       <p><center>hello <?php echo $_SESSION['email'] ?></center></p>
        <p align="center"><a href="destroy.php">logout</a></p>
    </body>
</html>

现在原则上,我们被允许输入 home.php 文件,当且仅当我们提供正确的用户名和密码时,它也会在此处执行相同的操作。但问题是,如果我使用这个网址http://localhost/path/to/file/home.php转到home.php,我会遇到这种类型的屏幕:

home.php output screenshot

即使未通过 logintest.php 提供电子邮件或密码,也会分配会话ID并登录成功。它清楚地表明我错过了一些检查门,我可以避免发生那件事。
因此,为了避免这种情况,我想让我的代码重定向到 logintest.php ,如果有人试图直接访问 home.php 而不提供正确的凭据 logintest.php 文件。
我如何实现这一目标?我们将非常感谢您的早期帮助。
[P.S:我是PHP的新手,所以我经常陷入这样一种愚蠢的错误,一两天或整个星期都会毁了。]

2 个答案:

答案 0 :(得分:0)

创建一个名为session.php的页面并添加此代码

 <?php    
    // check if the session is avilable if not  go to login
$site = 'url address';// website address
if (!(isset($_SESSION['email']) && $_SESSION['email'] != '')) {

@header ("location: ".$site."login/");

}  
    // if you don't want any page redirection put this code to your page


 session_start();

            if (!(isset($_SESSION['email']) && $_SESSION['email'] != '')) {

            //echo 'please login'; // heady login page

            }else {

              //echo 'logged in'; // go to member page 



              // logged in
              // getting the logged in user - session

         if($_SESSION['email']){

              $welc = $_SESSION['email'].'';
            }



//echo 'Welcome user:'.$welc. '<br>';

        ?>

然后将页面调用到您希望成员访问的每个页面。你可以使用require。

然后获得活动会话。

 session_start();
if($_SESSION['email']){

              $welc = $_SESSION['email'].'';
            }

      //echo 'Welcome user:'.$welc. '<br>';

用此更新您的登录检查。我认为它会对你有所帮助

答案 1 :(得分:0)

通过设置会话变量并检查其在每个页面中的存在来完成。这很简单,它耗费了整整一周

相关问题
最新问题