0

我是php的菜鸟。我想用php创建一个简单的登录页面,这样如果你输入一个不在数据库中的昵称,它会告诉你这样的,否则它会告诉你密码不正确。我正在使用我的学校服务器,所以关于服务器的某些问题我可能无法回答。最重要的是,我没有使用 fopen() 的权限,所以它是 file_put_contents 。我什至不知道这是否会起作用,因为我还没有让它起作用。到目前为止,我有 login.php、check.php 和 numberconverter.php,这是一个帮助我将数字转换为字符串的函数。(在这种情况下,unix 时间)。我知道 numbercoverter.php 通过测试工作。

登录.php:

<?
define('__ROOT__',dirname(dirname(__FILE__)));
require_once(__ROOT__.'/shopsite/numberconverter.php');
echo "<!--root: ".__ROOT__."/shopsite/ -->\n";
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"                 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Login to the Shopsite</title>
<script type="text/css">
"error" {
background-color:#FF;
color:#FFFFFF;
}
</script>
<script type="text/javascript">
<?php
$nick="";
$i=false;
if(isset($_GLOBALS['file']))
{
$i=true;
$nick=file_get_contents("file.txt");
$nick=preg_split("^nick:",$nick);
}
else
{
$_GLOBALS['file']='file'.convert(time()).'.txt';
}
?>
functions error(i)
{
if(i)
{
    document.getElementById('error').innerHTML="Nick <?php echo $nick; ?> was not found. Try again or <a href=\"register.php\">register</a>";
}
else
{
    document.getElementById('error').innerHTML="Password incorrect. Try again or <a href=\"register.php\">register</a>";
}
}
//-->
</script>
</head>
<body <?php if($i) { echo "onload=\"error(".((strlen($nick[0])<0) ? 1 : 0).")\""; }?> >
<p id="error"></p>
<?php
$chk = time();
echo "File name: ".$_GLOBALS['file']."\n";
echo "unix time raw: ".$chk."\n";
echo "unix time converted: ".convert($chk)."\n";
?>
<form id="form" action="check.php" method="post">
<p>username: <input type="text" name="nick" id="nick" /></p>
<p>password: <input type="text" name="pass" id="pass" /></p>
<input type="submit" value="Log in"/>
</form>
</body>
</html>

检查.php:

<?php
$c = mysql_pconnect("localhost","hehe","hehe");
mysql_select_db("test",$c);
$r = mysql_query(sprintf("select * from UserTable where (nick=(\"%s\") AND   pass=SHA1(\"%s\"))",$_POST['nick'],$_POST['pass']),$c) or die("something wrong with mysql,1");
if(mysql_num_rows($r)==0)
{
$testn = mysql_query(sprintf("select * from UserTable where nick=(\"%s\")",$_POST['nick']),$c) or die("something wrong with mysql,2");
if(mysql_num_rows($testn)==0)
{
    //file_put_contents($_GLOBALS['file'],"nick:".$_POST['nick']);//
    file_put_contents('test.txt',"nick");
}
else
{
    //file_put_contents($_GLOBALS['file'],"pass");
    file_put_contents('test.txt',"pass");
}
mysql_close($c);
header("Location:http://cs4.sunyocc.edu/~j.d.dancks/shopsite/login.php");
}
else
{
mysql_close($c);
session_start();
$_SESSION['nick'] = $_POST['nick'];
$_SESSION['email'] = $_POST['email'];
}
?>
4

1 回答 1

0

好的。我想让球再次滚动,并获得人们的意见。我显然不能做 mysqli ,因为即使它是 4.3.2 我猜它没有安装或什么的。phpinfo:cs4.sunyocc.edu/~jddancks/info.php 无论如何,这是我尝试过的:

<?
session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Login to the Shopsite</title>
<script type="text/css">
"error" {
        background-color:#FF;
        color:#FFFFFF;
 }
 "attempts" {
        color:#FF;
 }
 </script>
 <script type="text/javascript">
 function errorfunc()
 {
        <?php
        if(isset($_SESSION['msg']))
        {
            echo "document.getElementById(\'error\').innerHTML=".$_SESSION['msg'];
        }
        if(isset($_SESSION['attempts']))
        {
            echo "document.getElementById(\'attempts\').innerHTML=".$_SESSION['attempts']."Of 5 login attempts used.";
        }
        ?>
}
//-->
</script>
</head>
<body onload="errorfunc()">
<?php 
        $ok = true;
        if(isset($_SESSION['attempts']))
        {
            if($_SESSION['attempts']>=5)
            {
                echo "<h1>YOU HAVE MAXED OUT YOUR LOGIN ATTEMPTS. COME BACK ANOTHER DAY</h1>";
                $ok = false;
            }
        }
        if($ok)
        {
                echo "<p id=\"error\"></p>\n
                <p id=\"attempts\"></p>\n
                <form id=\"form\" action=\"check.php\" method=\"post\">\n
                <p>username: <input type=\"text\" name=\"nick\" id=\"nick\" /></p>\n
                <p>password: <input type=\"text\" name=\"pass\" id=\"pass\" /></p>\n
                <input type=\"submit\" value=\"Log in\"/>\n
                </form>\n";
        }
?>
</body>
</html>

和检查.php:

<?php
session_start();
$c = new mysqli("localhost","jddancks","zomglol","test");
if($c->connect_errno())
{
        echo "Something is wrong with the mysql connection. To DREAMWEAVER!";
}
else
{
    $r = $c->query(sprintf($c,"select * from UserTable where (nick=(\"%s\") AND pass=SHA1(\"%s\"))",$_POST['nick'],$_POST['pass']));
    if($r->num_rows==0)
    {
                $testn = $c->query(sprintf($c,"select * from UserTable where nick=(\"%s\")",$_POST['nick']),$c);
        if($testn->num_rows()==0)
        {
                    $_SESSION['msg'] = "Nick ".$_POST['nick']."was not found. Check spelling or <a href=\"register.php\">register</a>";
        }
        else
        {
                $_SESSION['msg'] = "Password incorrect";
        }
        $r->close();
        $testn->close();
        if(!isset($_SESSION['attempts']))
        {
                    $_SESSION['attempts'] = $_SESSION['attempts'] + 1;
        }
        else
        {
                $_SESSION['attempts'] = 1;
        }
        $c->close();
        header("Location:http://cs4.sunyocc.edu/~j.d.dancks/shopsite/login.php");
    }
    else
    {
            $c->close();
        session_start();
        $_SESSION['nick'] = $_POST['nick'];
        $_SESSION['email'] = $_POST['email'];
        header("Location:http://cs4.sunyocc.edu/~j.d.dancks/shopsite/success.html");
    }
}
?>

我唯一担心的是,有人要做的就是删除站点 cookie 以尝试继续暴力破解密码,所以也许我应该将 # 登录尝试记录到 sql 表中。

于 2012-09-24T01:59:21.860 回答