I currently have a login system that I want to convert from MySQLi to PDO.
I currently have a website with phpMyAdmin / MySQL attached as the database.
I am trying to convert everything; for now I will show you the LOGIN.php part of the system, since I have not touched the registration part yet.
This is what I have.
LOGIN.INC.PHP
<?php
require_once 'dbh.inc.php';

try {
    $handler = new PDO("mysql:host=$servername;dbname=$dbname",
        $username,
        $password,
        array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
} catch(PDOException $e){
    echo $e->getName();
    die();
}

//first we start a session
session_start();

//We then check if the user has clicked the login button
if (isset($_POST['submit'])) {
    //Then we require the database connection
    //require_once 'dbh.inc.php';
    //And we get the data from the login form
    $name = $_POST['name'];
    $password = $_POST['password'];

    //Error handlers
    //Error handlers are important to avoid any mistakes the user might have made when filling out the form!
    //Check if inputs are empty
    if (empty($name) || empty($password)) {
        header("Location: ../index.php?login=empty");
        exit();
    }
} else {
    $stmt = $db->prepare("SELECT * FROM users WHERE user_name=:name");
    $stmt->bindParam(':name', $name, PDO::PARAM_STR);
    if ($stmt->execute()) {
        header("location: ../index.php?login=error");
        exit();
    } else {
        if ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
            //de-hashing the password
            $hashedpasswordCheck = password_verify($password, $row['user_password']);
            if ($hashedpasswordCheck == false) {
                header("location: ../index.php?login=error");
                exit();
            } elseif ($hashedpasswordCheck == true) {
                //Log in the user here
                $_SESSION['u_id'] = $row['user_id'];
                $_SESSION['u_name'] = $row['user_name'];
                header("location: ../index.php?login=success");
                exit();
            }
        } else {
            header("location: ../index.php?login=error");
            exit();
        }
    }
}
DBH.INC.PHP
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "loginsystem";

try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname",
        $username,
        $password,
        array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
    $stmt = $conn->prepare("SHOW DATABASES;");
    $stmt->execute();
    $stmt->setFetchMode(PDO::FETCH_ASSOC);
    $result = $stmt->fetchAll();
    print_r($result);
}
catch(PDOException $e) {
    echo $e->getMessage();
}
$conn = null;
When I try to log in, I am redirected to this URL:
http://localhost/php44/includes/login.inc.php
and get this printed message/error:
Array ( [0] => Array ( [Database] => imgupload ) [1] => Array ( [Database] => information_schema ) [2] => Array ( [Database] => loginsystem ) [3] => Array ( [Database] => mysql ) [4] => Array ( [Database] => performance_schema ) [5] => Array ( [Database] => phpmyadmin ) [6] => Array ( [Database] => test ) )
What should I do to fix this so that the login succeeds?
Answer 0 (score: 0)
Your code is vulnerable to HTML element injection and session fixation attacks. I implemented strip_tags()
to prevent HTML element injection attacks, and also implemented session_regenerate_id();
to prevent session fixation attacks.
Again, for the login, you should only initialize the session after the username and password have been verified.
For me, I prefer using the PDO array method. Anyway, I have provided two solutions. I first worked on your code, then made the appropriate modifications. Make sure the database credentials are OK.
Your code
<?php
//db connect starts
$db = new PDO (
    'mysql:host=localhost;dbname=loginsystem;charset=utf8',
    'root', // username
    ''      // password
);

//We then check if the user has clicked the login button
if (isset($_POST['submit'])) {
    $name = $_POST['name'];
    $password = $_POST['password'];

    // || rather than &&: a single empty field is enough to reject the form
    if ($name == '' || $password == '') {
        header("Location: ../index.php?login=empty");
        exit();
    }

    $stmt = $db->prepare("SELECT * FROM users WHERE user_name=:name");
    $stmt->bindParam(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    // rowCount() on a SELECT works with MySQL's buffered queries but is not guaranteed by every driver
    $count = $stmt->rowCount();
    if( $count == 1 ) {
        $row = $stmt->fetch();
        // user_password is the column name used in the question's users table
        if(password_verify($password,$row['user_password'])){
            // nothing is echoed here: output before session_start()/header() sends the headers early and breaks the redirect
            // initialize session if things were ok.
            session_start();
            //Prevent session fixation attack
            session_regenerate_id();
            $_SESSION['u_id'] = $row['user_id'];
            $_SESSION['u_name'] = $row['user_name'];
            header("location: ../index.php?login=success");
            exit();
        }
        else{
            echo "Wrong Password details";
        }
    }
    else {
        echo "User does not exist";
    }
}
?>
My code
<?php
//if (isset($_POST['submit'])) {
// isset() first, so a direct GET request does not raise undefined-index notices
if (isset($_POST['name'], $_POST['password']) && $_POST['name'] != '' && $_POST['password'] != '') {
    //connect
    $db = new PDO (
        'mysql:host=localhost;dbname=loginsystem;charset=utf8',
        'root', // username
        ''      // password
    );

    $name = strip_tags($_POST['name']);
    $password = strip_tags($_POST['password']);

    if ($name == ''){
        echo "Username is empty";
        exit();
    }
    if ($password == ''){
        echo "password is empty";
        exit();
    }

    $result = $db->prepare('SELECT * FROM users where user_name = :name');
    // the array key must match the placeholder in prepare() exactly (:name, not :user_name),
    // otherwise PDO reports an invalid parameter number and no row is returned
    $result->execute(array(
        ':name' => $name));
    // rowCount() on a SELECT works with MySQL's buffered queries but is not guaranteed by every driver
    $count = $result->rowCount();
    if( $count == 1 ) {
        $row = $result->fetch();
        // user_password is the column name used in the question's users table
        if(password_verify($password,$row['user_password'])){
            // nothing is echoed here: output before session_start()/header() sends the headers early and breaks the redirect
            // initialize session if things were ok.
            session_start();
            //Prevent session fixation attack
            session_regenerate_id();
            $_SESSION['u_id'] = $row['user_id'];
            $_SESSION['u_name'] = $row['user_name'];
            header("location: ../index.php?login=success");
            exit();
        }
        else{
            echo "Wrong Password details";
        }
    }
    else {
        echo "User does not exist";
    }
}
?>
Answer 1 (score: -1)
I have made a few fixes and added comments to explain what changed:
LOGIN.INC.PHP
<?php
//First we start a session
session_start();

//Then we require the database connection
require_once 'dbh.inc.php';

// Removed the extra database connection here.

//We then check if the user has clicked the login button
if (isset($_POST['submit'])) {
    //And we get the data from the login form
    $name = $_POST['name'];
    $password = $_POST['password'];

    //Error handlers
    //Error handlers are important to avoid any mistakes the user might have made when filling out the form!
    //Check if inputs are empty
    if (empty($name) || empty($password)) {
        header("Location: ../index.php?login=empty");
        exit();
    }

    //Removed extra 'else' here.
    $stmt = $conn->prepare("SELECT * FROM users WHERE user_name=:name"); // Changed $db to $conn to use the connection from DBH.INC.PHP
    $stmt->bindParam(':name', $name, PDO::PARAM_STR);
    if (!$stmt->execute()) { // Added the ! to say "if this doesn't work, redirect to error"
        header("location: ../index.php?login=error");
        exit();
    } else {
        if ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
            //de-hashing the password
            $hashedpasswordCheck = password_verify($password, $row['user_password']);
            if ($hashedpasswordCheck == false) {
                header("location: ../index.php?login=error");
                exit();
            } else if ($hashedpasswordCheck == true) {
                //Log in the user here
                $_SESSION['u_id'] = $row['user_id'];
                $_SESSION['u_name'] = $row['user_name'];
                header("location: ../index.php?login=success");
                exit();
            }
        } else {
            header("location: ../index.php?login=error");
            exit();
        }
    }
}
DBH.INC.PHP
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "loginsystem";

try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname",
        $username,
        $password,
        array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
    // Removed the query and print of the databases
}
catch(PDOException $e) {
    echo $e->getMessage();
}
// Removed the $conn=null to keep the connection we just set up.
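An added example (not code from the question or either answer) that puts the points of both answers together in one self-contained script: the placeholder name matches between prepare() and execute(), the fetched row is tested instead of rowCount(), password_verify() runs on every attempt and fails the same way whether the user is unknown or the password is wrong, and the session is started and its id regenerated only after the check succeeds. It assumes the question's users table columns (user_id, user_name, user_password) and uses an in-memory SQLite database so it runs without MySQL.

```php
<?php
// Added example, not code from the question or either answer. The users table
// and the single account are constructed here with the question's column names.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE, user_password TEXT)');
$ins = $db->prepare('INSERT INTO users (user_name, user_password) VALUES (:name, :hash)');
$ins->execute([':name' => 'alice', ':hash' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// Verified when the account does not exist, so an unknown user and a wrong
// password take about the same time and give the same result.
$dummyHash = password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);

// Returns the user row on success, null on any failure.
function authenticate(PDO $db, string $name, string $password, string $dummyHash): ?array
{
    if ($name === '' || $password === '') {
        return null;
    }
    // The placeholder must be identical in prepare() and execute() (":name" in
    // both); a mismatch makes PDO throw instead of returning rows.
    $stmt = $db->prepare('SELECT user_id, user_name, user_password FROM users WHERE user_name = :name');
    $stmt->execute([':name' => $name]);
    $row  = $stmt->fetch();   // test the fetched row, not rowCount(), which is not reliable for SELECT
    $hash = $row ? $row['user_password'] : $dummyHash;
    $ok   = password_verify($password, $hash);   // always runs, even for an unknown user
    return ($ok && $row) ? $row : null;          // one failure path: no "user does not exist" hint
}

// Usage: the session is started only after a successful check, and its id is
// rotated so a session id planted before login is never promoted to a logged-in one.
$user = authenticate($db, 'alice', 'correct horse', $dummyHash);
if ($user !== null && PHP_SAPI !== 'cli') {
    session_start();
    session_regenerate_id(true);   // true also discards the old session data
    $_SESSION['u_id']   = $user['user_id'];
    $_SESSION['u_name'] = $user['user_name'];
    header('Location: ../index.php?login=success');   // nothing is echoed before this
    exit();
}
var_dump($user !== null);                                            // correct credentials
var_dump(authenticate($db, 'alice', 'wrong password', $dummyHash));  // wrong password
var_dump(authenticate($db, 'nobody', 'correct horse', $dummyHash));  // unknown user
```

Run it from the command line to see the three outcomes; in a web request the success branch redirects instead.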