PHP OOP: unable to fetch data from the database

Time: 2018-09-09 18:46:53

Tags: php

So I have this code that I created by following a tutorial,

<?php

session_start();

if (isset($_POST['submit'])) {

include 'db.conf.php';

$uid = mysqli_real_escape_string($conn, $_POST['uid']);
$pwd = mysqli_real_escape_string($conn, $_POST['pwd']);
$_SESSION['uid'] = $uid;

//Error handlers
//Check whether the inputs are empty

if (empty($uid) || empty($pwd))
{
    header("Location: ../index.php?login=empty");
    exit();
}
else
{
    $sql = "SELECT * FROM users WHERE user_uid = '$uid' OR user_email = '$uid'";
    $result = mysqli_query($conn, $sql);
    $resultCheck = mysqli_num_rows($result);

    if ($resultCheck < 1)
    {
        header("Location: ../index.php?login=usernamenepostoji");
        exit();
    }
    else
    {
        if ($row = mysqli_fetch_assoc($result)) {
            //Dehashing
            $hashedPwdCheck = password_verify($pwd, $row['user_pwd']);
            if ($hashedPwdCheck == false) {
                header("Location: ../index.php?login=invalidpass");
                exit();
            }
            elseif ($hashedPwdCheck == true)
            {
                //Logging in
                $_SESSION['u_id'] = $row['user_id'];
                $_SESSION['u_first'] = $row['user_first'];
                $_SESSION['u_last'] = $row['user_last'];
                $_SESSION['u_email'] = $row['user_email'];
                $_SESSION['u_uid'] = $row['user_uid'];
                header("Location: ../index.php?login=success");
                exit();
            }

        }
    }
}

}

else
{
    header("Location: ../index.php?login=error");
    exit();
}

?>

Just simple error handling and login. I understand it, and wanted to take it a bit further.

<?php 
session_start();

include 'db.conf.php';

class Login
{

public $username;
public $password;


function __construct()
{
    $this->username = $_POST['uid'];
    $this->password = $_POST['pwd'];
    $this->checkinputs();
}


function checkinputs()
{       
        if (empty($this->username) || empty($this->password)) 
        {
            header("Location: ../index.php?login=empty");
            exit();
        }
        else
        {   
            $username = $this->username;
            $sql = "SELECT * FROM users WHERE user_uid =".$username;
            $result = mysqli_query($conn, $sql);
            $resultCheck = mysqli_num_rows($result);

            if ($resultCheck < 1) 
            {
                header("Location: ../index.php?login=usernamenepostoji");
                exit();
            }
            else 
            {
            if ($row = mysqli_fetch_assoc($result)) {
                //Dehashing
                $hashedPwdCheck = password_verify($pwd, $row['user_pwd']);
                if ($hashedPwdCheck == false) {
                    header("Location: ../index.php?login=invalidpass");
                    exit();
                }
                elseif ($hashedPwdCheck == true) 
                {
                    //Logging in
                    $_SESSION['u_id'] = $row['user_id'];
                    $_SESSION['u_first'] = $row['user_first'];
                    $_SESSION['u_last'] = $row['user_last'];
                    $_SESSION['u_email'] = $row['user_email'];
                    $_SESSION['u_uid'] = $row['user_uid'];
                    header("Location: ../index.php?login=success");
                    exit();
                }
            }
        }
    }
}
}


?>

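This is what I got; it's practically the same code, just "separated" into chunks using functions and other stuff. It doesn't work. I keep getting stuck on the if $resultCheck < 1 header, which means the username doesn't exist. Though I'm sure it does, since nothing changed in the database. So that led me to think it's $conn, that it just doesn't connect to the database. I have dumped the $username variable to a file to check that it works. I just don't know how to proceed.

1 answer:

Answer 0: (score: 1)

$conn does not exist inside the method checkinputs().

Either make it global: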

function checkinputs()
{ 
    global $conn;
    ...
}

which I do not recommend (because using globals is discouraged).

Or pass it into Login::__construct() and set it as $this->conn (then use it as $this->conn: $result = mysqli_query($this->conn, $sql);):

function __construct($conn)
{
    $this->conn = $conn; // maybe also check if you have a valid connection!
    $this->username = $_POST['uid'];
    $this->password = $_POST['pwd'];
    $this->checkinputs();
}

function checkinputs()
{       
// no global now!
        ....    
        $result = mysqli_query($this->conn, $sql);
        ....
}

But: please switch to prepared statements. This code is vulnerable to SQL injection!

Related: Reference: What is variable scope, which variables are accessible from where and what are "undefined variable" errors?
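
The answer's two suggestions combined (inject the connection instead of relying on a global, and query through a prepared statement), as an added example that is not part of the original question or answer. Table and column names follow the question; the `attempt()` method name and the `DB_USER`/`DB_PASS`/`DB_NAME` connection values are assumptions and placeholders.

```php
<?php
// Added example, not code from the original post.
declare(strict_types=1);

class Login
{
    private mysqli $conn;

    // The connection is injected, so no method depends on a global $conn.
    public function __construct(mysqli $conn)
    {
        $this->conn = $conn;
    }

    // Returns the same status strings the question uses in its redirects.
    public function attempt(string $uid, string $pwd): string
    {
        if ($uid === '' || $pwd === '') {
            return 'empty';
        }
        // Placeholders keep user input out of the SQL text entirely.
        $stmt = $this->conn->prepare(
            'SELECT user_id, user_first, user_last, user_email, user_uid, user_pwd
               FROM users WHERE user_uid = ? OR user_email = ?'
        );
        $stmt->bind_param('ss', $uid, $uid);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc(); // null when no row matched
        $stmt->close();

        if ($row === null) {
            return 'usernamenepostoji';
        }
        if (!password_verify($pwd, $row['user_pwd'])) {
            return 'invalidpass';
        }
        foreach (['id', 'first', 'last', 'email', 'uid'] as $k) {
            $_SESSION["u_$k"] = $row["user_$k"];
        }
        return 'success';
    }
}

session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders
$status = (new Login($conn))->attempt($_POST['uid'] ?? '', $_POST['pwd'] ?? '');
header('Location: ../index.php?login=' . $status);
exit();
```

`get_result()` requires the mysqlnd driver. With `mysqli_report()` set as shown, a failed connection or query raises an exception instead of silently producing the "username does not exist" redirect described in the question.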