我正在尝试创建一个登录/注册系统(与索引在同一页面上,使用z-index)和注册if(function)完美地工作,因为我可以看到哈希密码完美地存储在数据库中,但是我在密码_验证字段中没有看到我出错的地方。同样为了我的用户的安全,$ db变量还有登录和localhost端口信息加星号。
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
$db = mysqli_connect('localhost:****', '********_******M', 'W***********', '****logins');
if(isset($_POST['log'])) {
$username = mysqli_real_escape_string($db, $_POST['usr']);
$password = mysqli_real_escape_string($db, $_POST['pass']);
$errors = array();
if (empty($username)) {
array_push($errors, "Username is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$user_check_query = "SELECT * FROM users WHERE username='$username'";
$result = mysqli_query($db, $user_check_query);
$user = mysqli_fetch_assoc($result);
if ($user) { // if user exists
if (password_verify($password, $user['password'])) {
$login = true;
$_SESSION['username'] = $username;
} else {
$login = false;
}
}
if (mysqli_num_rows($results) == 1) {
$_SESSION['username'] = $username;
$login = true;
}else {
array_push($errors, "Wrong username/password combination");
$login = false;
}
}
//MySQL compare info
} else if(isset($_POST['signup'])) {
$username = "";
$email = "";
$errors = array();
// connect to the database
// REGISTER USER
// receive all input values from the form
$username = mysqli_real_escape_string($db, $_POST['username']);
$email = mysqli_real_escape_string($db, $_POST['email']);
$password_1 = mysqli_real_escape_string($db, $_POST['password']);
$password_2 = mysqli_real_escape_string($db, $_POST['confirmpass']);
$bio = mysqli_real_escape_string($db, $_POST['bio']);
// form validation: ensure that the form is correctly filled ...
// by adding (array_push()) corresponding error unto $errors array
if (empty($username)) { array_push($errors, "Username is required"); }
if (empty($email)) { array_push($errors, "Email is required"); }
if (empty($password_1)) { array_push($errors, "Password is required"); }
if ($password_1 != $password_2) {
array_push($errors, "The two passwords do not match");
}
// first check the database to make sure
// a user does not already exist with the same username and/or email
$user_check_query = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1";
$result = mysqli_query($db, $user_check_query);
$user = mysqli_fetch_assoc($result);
if ($user) { // if user exists
if ($user['username'] === $username) {
array_push($errors, "Username already exists");
}
if ($user['email'] === $email) {
array_push($errors, "email already exists");
}
$login = false;
}
// Finally, register user if there are no errors in the form
if (count($errors) == 0) {
$password = password_hash($password_1, PASSWORD_DEFAULT);//encrypt the password before saving in the database
$query = "INSERT INTO users (username, email, password, bio)
VALUES('$username', '$email', '$password', '$bio')";
mysqli_query($db, $query);
$_SESSION['username'] = $username;
$_SESSION['bio'] = $bio;
} else if(isset($_SESSION['active'])) {
$username = $_SESSION['username'];
} else {
$username = "Guest";
}
if($login === false) {
$username = "Guest";
}
编辑:我的HTML如下。
<html>
<head>
<link href="global.css" rel="stylesheet" />
<title>Matrix-Hub</title>
</head>
<body>
<!-- Soon to be login/signup page goes here -->
<div id="login">
<form class="login" method="post" action="" name="login" id='log'>
<p>Username:</p>
<input type="text" name="usr" placeholder="username" />
<p>Password:</p>
<input type="password" name="pass" placeholder="password" />
<br>
<input type="submit" name="log" value="Log In" />
<button type="button" onclick="switchtoSign()">Sign Up</button>
</form>
<form class="login" style='display:none;' method="post" action="" name="sign" id="signup">
<p>Username:</p>
<input type="text" name="username" placeholder="username" />
<p>Password:</p>
<input type="password" name="password" placeholder="Password" />
<p>Confirm Password:</p>
<input type="password" name="confirmpass" placeholder="Confirm" />
<p>Email:</p>
<input type="text" name="email" placeholder="Email..." />
<p>Bio:</p>
<textarea name="bio" placeholder="optional"></textarea>
<input type="submit" name="signup" value="Sign Up" />
</form>
</div>
<!-- Header -->
<header class="main">
<h1>Matrix-Hub: Home</h1>
<nav>
<center>
<ul>
<li><a class="active" href="index.php">Home</a></li>
<li><a href="stylesheets.php">Stylesheets</a></li>
</ul>
</center>
</nav>
</header>
<!-- Body - document - About - Other -->
<div class="net">
<center>
<div class="document">
<h1>About Matrix-Hub</h1>
<h2>Stylesheets and More!</h2>
<p>Matrix-Hub is a website, made by InsaneMatrix, for you to download
, and soon post your own stylesheets. Currently sign-up and login systems
are under development</p>
</div>
<div class="menu">
<button class="item" onclick="document.getElementById('login').style.display='block'" type="button">
Login / Signup
</button>
<a class="item" href="profile.php?username=<?php echo $username ?>">Profile: <?php echo $username; ?></a>
<a class="item" href="styles/vintage/Vintage.html">Vintage - Style Sheet</a>
</div>
</center>
</div>
<div class="users">
<h2>There are other people who love web design! You can check out their profiles too!</h2>
</div>
<script>
function switchtoSign() {
document.getElementById('log').style.display='none';
document.getElementById('signup').style.display='block';
}
</script>
</body>
</html>
答案 0 :(得分:0)
(这应该是评论,但有点长)
快速浏览一下代码,您似乎在成功登录后应用了注册过程 - 但我真的无法仔细检查所有密切关注的代码。你不会为计算机编写代码来理解你编写它以供人们理解 - 这需要分解为离散操作(作为函数或方法)。
阻止开始if (mysqli_num_rows($results) == 1) {似乎允许任何人验证提供的密码无效的有效电子邮件,覆盖password_verify操作的结果。
在创建用户时,使用mysqli_real_escape_string将转义为后,将密码应用于密码。如果在验证密码时遇到相同的错误,这似乎有效 - 但仍然是错误的。 哈希后应用转义。
将代码拆分为不同的问题:
$login=false;
$errors=array();
if ($_POST['log']) {
check_username_and_password($username, $password, $errors);
} else if ($_POST['signup']) {
create_account($username, $pass1, $pass2, $errors);
}
if (count($errors)) {
display_errors($errors);
exit;
} else {
$_SESSION['username'] = $username;
$login = true;
}
function check_username_and_password($username, $password, &$errors)
{
...
在提出问题时,请描述您当前的实施情况如何/无法满足您的期望。
答案 1 :(得分:0)
行if (mysqli_num_rows($results) == 1) {永远不会真实,因为永远不会定义变量$results。因此,即使使用有效密码,您的代码也属于}else{语句,$login变为false。
尝试将if (mysqli_num_rows($results) == 1) {换成if( $login ){。
顺便说一下,你的代码很难阅读;你应该稍微复习一下。
答案 2 :(得分:0)
首先,忘记mysqli_real_escape_string并改为使用预备语句。
$username = $_POST['usr'];
$password = $_POST['pass'];
另外,我不明白为什么人们使用函数array_push而不是使用直接语法。它的执行速度更快,写入更短:
if (empty($username)) {
$errors[] = "Username is required";
}
现在准备好的陈述:
if ($stmt = mysqli_prepare($link, "SELECT * FROM users WHERE username= ?")) {
mysqli_stmt_bind_param($stmt, "s", $username);
if(!mysqli_stmt_execute($stmt)){
die("Oooh nohhh, something happened to mysql query but I never would have found out if I didn't have this message because I failed checking the output of mysqli_query()");
}
}
您的SQL注入会自动解决。
现在针对您的问题,应该直接从用户生成密码哈希。你正在逃避它,完全错误的做法。保留用户输入密码并将其哈希并存储。并且 VERIFY 具有相同的非转义值。
然后是这段代码:
if (mysqli_num_rows($results) == 1) {
我们在讨论什么$results?它从未定义过。所以这总会导致错误的登录。
您还希望通过此代码获得什么回报?
$user['username'] === $username
您是否期望布尔值?显然它会返回一个字符串,没有必要使用===运算符。
我认为代码有点脆弱,修复SQL代码并使用预处理语句。其余的似乎很好。