I cannot log in using password_hash. I want to try encrypting the password to improve security. First, on the login page, the user role is checked. If it is true, it redirects to the page area followed by the level ID. In add-user.php, the administrator adds users through a form. Can someone help me? I am new to PHP and the mysqli language.
LOGIN.PHP
<?php
include("connection.php");
// Sessions must be started before anything is written to $_SESSION.
session_start();

if ( !isset($_POST['user_name'], $_POST['user_pass']) ) {
    // Could not get the data that should have been sent.
    die ('Please fill both the username and password field!');
}

$stmt = $conn->prepare('SELECT user_id, user_pass, level_id, user_fullname FROM users WHERE user_name = ? AND user_status="active" LIMIT 1');
if (!$stmt) {
    die('Prepare failed: (' . $conn->errno . ') ' . $conn->error);
}
// Bind parameters (s = string, i = int, b = blob, etc); the username is a string so we use "s".
$stmt->bind_param('s', $_POST['user_name']);
$stmt->execute();
// Store the result so we can check if the account exists in the database.
$stmt->store_result();

$user_pass = $_POST['user_pass'];
$hashedpwd = password_hash($user_pass, PASSWORD_DEFAULT);

if ($stmt->num_rows > 0) {
    // After fetch(), $user_pass holds the hash stored in the database for this account.
    $stmt->bind_result($user_id, $user_pass, $level_id, $user_fullname);
    $stmt->fetch();
    // Account exists, now we verify the password.
    // Note: remember to use password_hash in your registration file to store the hashed passwords.
    if ($_POST['user_pass'] === $hashedpwd) {
        // Verification success! User has logged in!
        // Create sessions so we know the user is logged in; they basically act like cookies but keep the data on the server.
        if ($level_id == '1') {
            session_regenerate_id();
            $_SESSION['loggedin'] = TRUE;
            $_SESSION['user_name'] = $_POST['user_name'];
            $_SESSION['user_id'] = $user_id;
            $_SESSION['level_id'] = $level_id;
            $_SESSION['user_fullname'] = $user_fullname;
            header("location:../dashboard/admin/index");
            exit();
        }
        if ($level_id == '2') {
            session_regenerate_id();
            $_SESSION['loggedin'] = TRUE;
            $_SESSION['user_name'] = $_POST['user_name'];
            $_SESSION['user_id'] = $user_id;
            $_SESSION['level_id'] = $level_id;
            header("location:../dashboard/manager/index");
            exit();
        }
        if ($level_id == '3') {
            session_regenerate_id();
            $_SESSION['loggedin'] = TRUE;
            $_SESSION['user_name'] = $_POST['user_name'];
            $_SESSION['user_id'] = $user_id;
            $_SESSION['level_id'] = $level_id;
            header("location:../dashboard/customer/index");
            exit();
        }
    } else {
        // Stop the script after redirecting so nothing below runs for a failed login.
        header("location: ../login?alert_wrong_pass=failed");
        exit();
    }
} else {
    header("location: ../login?alert_wrong_pass=failed");
    exit();
}
$stmt->close();
?>
ADD-USER.PHP
<?php
include("../../functions/connection.php");
session_start();
// Only administrators (level_id 1) may add users. This check must run before any
// HTML is output, otherwise header() fails with "headers already sent".
if (!isset($_SESSION["level_id"]) || $_SESSION["level_id"] != '1') {
    header("location: ../../index");
    exit();
}
//insert data
if (isset($_POST['submit'])) {
    $level_id = $_POST['level_id'];
    $user_name = $_POST['user_name'];
    $user_pass = $_POST['user_pass'];
    // Store only the hash, never the plaintext password.
    $hashedpwd = password_hash($user_pass, PASSWORD_DEFAULT);
    $user_fullname = $_POST['user_fullname'];
    $user_email = $_POST['user_email'];
    $addUser = $conn->prepare('INSERT INTO users (level_id, user_name, user_pass, user_fullname, user_email) VALUES (?, ?, ?, ?, ?)');
    // bind the data to the variables
    $addUser->bind_param('issss', $level_id, $user_name, $hashedpwd, $user_fullname, $user_email);
    if ($addUser->execute()) {
        print 'Successfully inserted';
    } else {
        // report the mysqli error from the connection object ($conn)
        die('Error : (' . $conn->errno . ') ' . $conn->error);
    }
}
?>
<!DOCTYPE html>
<html>
<head>
<?php
//header
include("header.php");
?>
</head>
<body>
<div id="wrapper">
<nav class="navbar-default navbar-static-side" role="navigation">
<?php //left nav bar
include("left-nav-bar.php"); ?>
</nav>
<div id="page-wrapper" class="gray-bg">
<div class="row border-bottom">
<nav class="navbar navbar-static-top white-bg" role="navigation" style="margin-bottom: 0">
<?php //top nav
include("top-nav.php"); ?>
</nav>
</div>
<div class="wrapper wrapper-content animated fadeIn">
<div class="p-w-md m-t-sm">
<div class="row">
<div class="col-lg-12">
<div class="ibox ">
<div class="ibox-title">
<h5>Add New Users <small>| Create a new user and add them to this site</small></h5>
</div>
<div class="ibox-content">
<form method="POST" action="">
<div class="form-group row"><label class="col-sm-2 col-form-label">Username <i>(required)</i></label>
<div class="col-sm-5"><input type="text" name="user_name" class="form-control"></div>
</div>
<div class="hr-line-dashed"></div>
<div class="form-group row"><label class="col-sm-2 col-form-label">Password <i>(required)</i></label>
<div class="col-sm-5"><input type="password" name="user_pass" class="form-control" name="password"></div>
</div>
<div class="hr-line-dashed"></div>
<div class="form-group row"><label class="col-lg-2 col-form-label">Email</label>
<div class="col-lg-5"><input type="email" name="user_email" class="form-control">
</div>
</div>
<div class="hr-line-dashed"></div>
<div class="form-group row"><label class="col-sm-2 col-form-label">Full Name</label>
<div class="col-sm-5"><input type="text" name="user_fullname" class="form-control"></div>
</div>
<div class="hr-line-dashed"></div>
<div class="form-group row"><label class="col-sm-2 col-form-label">Roles</label>
<div class="col-sm-5">
<?php
$qSelect_db = "SELECT * FROM users_level";
$result = mysqli_query($conn, $qSelect_db);
echo "<select class='form-control m-b' name='level_id'>";
while ($select_roles = mysqli_fetch_array($result)) {
    // one <option> per role; cast the id and escape the name so they cannot break the markup
    echo "<option value='" . (int)$select_roles['level_id'] . "'>" . htmlspecialchars($select_roles['level_name']) . "</option>";
}
// Close list box
echo "</select>";
?>
</div>
</div>
<div class="hr-line-dashed"></div>
<div class="form-group row"><label class="col-sm-2 col-form-label">Send User Notification <br/></label>
<div class="col-sm-10">
<div class="i-checks"><label> <input type="checkbox" value=""> Send the new user an email about their account.</label></div>
</div>
</div>
<div class="hr-line-dashed"></div>
<div class="form-group row">
<div class="col-sm-4 col-sm-offset-2">
<button class="btn btn-white btn-sm" type="submit">Cancel</button>
<button class="btn btn-primary btn-sm" input type="submit" value="submit" name="submit" id="submit" >Add user</button>
</div>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
<div class="row">
<div class="col-lg-12">
<div class="ibox">
</div>
</div>
</div>
</div>
<div class="footer">
<?php //footer
include("footer.php");
?>
</div>
</div>
<?php
include("js-script.php");
?>
</body>
</html>
Answer 0: (score: 0)

You cannot do

$_POST['user_pass'] === $hashedpwd

. You must use password_verify:

if (password_verify($_POST['user_pass'], $hashedpwd)) {
    ....
}

This is because, by design, password_hash returns a different hash every time for the exact same password. That way the password cannot be guessed from the hash as with a lookup table.
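An added example, not from the question or the answer, showing why the `===` comparison in login.php can never succeed and what a login check must verify against: the hash that was stored at registration (in login.php that is the `user_pass` column bound by `bind_result()`, not the freshly computed `$hashedpwd`). The `$users` array is a constructed in-memory stand-in for the `users` table.

```php
<?php
// Added example (not from the question or the answer): a fresh password_hash()
// result never equals the stored hash, so a login must call password_verify()
// against the hash STORED at registration time.
// $users is a constructed in-memory stand-in for the `users` table.
declare(strict_types=1);

// Registration side (what add-user.php does): hash once, store only the hash.
function registerUser(array &$users, string $name, string $password): void {
    $users[$name] = ['user_pass' => password_hash($password, PASSWORD_DEFAULT), 'level_id' => 1];
}

// Login side: look up the stored hash for this username and verify the submitted
// plaintext against it. Returns the user row on success, null otherwise.
function authenticate(array &$users, string $name, string $password): ?array {
    if (!isset($users[$name])) {
        return null;                                   // unknown account
    }
    $stored = $users[$name]['user_pass'];
    if (!password_verify($password, $stored)) {
        return null;                                   // wrong password
    }
    // Transparently upgrade old hashes when PASSWORD_DEFAULT or its cost changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name]['user_pass'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $users[$name];
}

$users = [];
registerUser($users, 'alice', 'correct horse battery');

// password_hash() embeds a fresh random salt on every call, so two hashes of the
// same password are different strings even though both verify the password.
$again = password_hash('correct horse battery', PASSWORD_DEFAULT);
echo "fresh hash === stored hash:        ", var_export($again === $users['alice']['user_pass'], true), "\n";
echo "fresh hash verifies the password:  ", var_export(password_verify('correct horse battery', $again), true), "\n";

// The comparison from the question: a plaintext string is never equal to a hash.
echo "plaintext === hash:                ", var_export('correct horse battery' === $again, true), "\n";

// The stored-hash check a login page needs, including the failure cases.
echo "alice / right password: ", var_export(authenticate($users, 'alice', 'correct horse battery') !== null, true), "\n";
echo "alice / wrong password: ", var_export(authenticate($users, 'alice', 'hunter2') !== null, true), "\n";
echo "bob   / any password:   ", var_export(authenticate($users, 'bob', 'correct horse battery') !== null, true), "\n";
```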