我正忙于在我的网站上为其创建登录名,因此我陷入了这个问题: 使用正确或错误的密码登录仍然可以使我成功登录...
$sql = "SELECT *
FROM `players`
WHERE `username` = '" . $_POST['username']
. "' AND `password` = '" . sha1($_POST['password'])
. "' LIMIT 1";
$result = $mysqli->query($sql);
$get = $result->fetch_object();
if (empty($_POST['username']) || empty($_POST['password'])) {
$message = "You can't leave something blank...";
}
if (!$result) {
$message = "Nope, not that one...";
}
答案 0 :(得分:0)
如之前的评论中所述,您的脚本极易发生sql注入,这在处理密码时尤其危险。
请阅读:Prepared statements and stored procedures
我将为您提供用于注册和登录的工作代码。希望这对您的需求有所帮助。需要注意的几件事是,我使用AJAX / JSON在前端和后端之间来回传递一些数据,我将在下面对我的代码进行注释,以免混淆您。
<?php
// starts the session
session_start();
// call on db connection file to execute queries below
require 'dbconfig.php';
// register logic
if(isset($_POST['newusername']) && isset($_POST['newpassword'])) {
$query = $conn->prepare("SELECT username FROM users WHERE username = :username");
$query->bindValue(':username', $_POST['newusername']);
$query->execute();
$check = $query->fetch(PDO::FETCH_ASSOC);
$query->closeCursor();
// check if the username exists, if not then create the new user, else, send to front end and notify the user
if($check['username'] === $_POST['newusername']) {
header('Content-Type: application/json');
echo json_encode($check);
} else {
$query = $conn->prepare("INSERT INTO users (username, password) VALUES (:newuser, :newpassword)");
$query->bindValue(':newuser', $_POST['newusername']);
$query->bindValue(':newpassword', password_hash($_POST['newpassword'], PASSWORD_BCRYPT)); // using the prepared statements to prevent injection and optimizing PASSWORD_BCRYPT for passwords
if($query->execute()) {
// log to my log db
$registerLog = "New user was registered: " . $_POST['newusername'];
$query = $conn->prepare("INSERT INTO logs (website, entry) VALUES ('contacts', :entry)");
$query->bindValue(':entry', $registerLog);
$query->execute();
}
$query->closeCursor();
}
}
// login logic
if(isset($_POST['username']) && isset($_POST['password'])) {
$query = $conn->prepare("SELECT userid, username, password, pwreset, userlvl FROM users WHERE username = :username");
$query->bindValue(':username', $_POST['username']);
$query->execute();
$auth = $query->fetch(PDO::FETCH_ASSOC);
$query->closeCursor();
// check for username and verify the password
if(count($auth > 0) && password_verify($_POST['password'], $auth['password'])) {
// if successful, initiate $_SESSION variables
$_SESSION['userid'] = $auth['userid'];
$_SESSION['userlvl'] = $auth['userlvl'];
$_SESSION['username'] = $auth['username'];
$loginLog = "User: " . $_POST['username'] . " logged in.";
$query = $conn->prepare("INSERT INTO logs (website, entry) VALUES ('contacts', :entry)");
$query->bindValue(':entry', $loginLog);
$query->execute();
$query->closeCursor();
$redirect = true;
header('Content-Type: application/json');
echo json_encode($redirect);
exit;
} else {
// if username and/or password do not match or don't exist, destroy the session.
session_unset();
session_destroy();
exit;
}
}
?>
如果登录尝试失败,则必须取消设置并销毁会话,否则每次都会让您进入,因为脚本只会看到您已经设置了会话,除此之外,它是否真的失败并不重要,它将使用户进入。
我希望这会为您提供所需的答案。