0

我正在尝试创建一个简单的登录系统,并且正在查询用户提供的用户名是否存在于数据库中。但是我在获取行数时遇到了麻烦。我一直在获取未定义的变量 num:错误。我也尝试使用,

$num = $stmt->rowCount();

但是,然后我在非对象错误上调用成员函数 rowCount()。我对 php 和 Web 开发非常陌生,这让我很困惑,我不知道如何让它工作,有人可以帮助我吗?这是 db.php 文件的代码

<?php
require "config.php";


function DBconnect($config) {
    try {
        $conn = new PDO('mysql:host=localhost;dbname=' . $config['database'],
                        $config['username'],
                        $config['password']);

        $conn->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        return $conn;
    } catch(Exception $e) {
        return false;
    }
}

function query($query, $bindings, $conn) {
    $stmt = $conn->prepare($query);
    $stmt->execute($bindings);

    return $stmt;
}

这是登录页面的 index.php 文件的代码。

<?php

// Allow sessions to be passed so we can see if the user is logged in
session_start();

// include the necessary files
require "db.php";
require "functions.php";
include "index.view.php";


//conect to the database so we can check, edit or ,data to our users table
$conn = DBconnect($config);

// if the user has submitted the form
if( $_SERVER["REQUEST_METHOD"] === "POST") {

    //protect the posted value then store them to variables
    $username = protect($_POST["username"]);
    $password = protect($_POST["password"]);

    //Check if the username or password boxes were not filled in
    if ( !$username || !$password ){
        // if not display an error message.
        echo "You need to fill in a username and password!";
    }else
        // if correct continue cheking

        //select all the rows where the username and password match the ones submitted by the user
        query(  "SELECT * FROM users WHERE username = :username",
                array("username" => $username),
                $conn);
        $num = $stmt->fetchColumn(); 


        //check if there was not a match
        if( $num == 0) {
            //if not display an error message
            echo "The username you entered does not exist!";
        }else{
            //if there was a mactch continue chekcing

            //select all rows where the username and password match the ones submitted by the user
            query( "SELECT * FROM users WHERE username =:username && password = :pasword",
                    array("username" => $username, "password" => $password ),
                    $conn);
            $num = $stmt->fetchColumn();    

            //check if there was not a match
            if( $num == 0) {
                //if not display error message
                echo "Username and password do not mactch";
            }else {
                //if there was continue checking

                //split all the fields from the correct row into an associative array
                $row = $user->fetch(PDO::FETCH_ASSOC);
                //check to see if the user has not activated their account
                if($row["active"] != 1) {
                    //if not display an error message
                    echo "You have not yet activated your account!";
                }else {
                    //if so then log them in

                    // set the login session storing their id. We use this to
                    // see if they are logged in or not.
                    $_SESSION["uid"] = $row["id"];
                    //show message confirming that they are loggd in
                    echo "You have succesfully logged in!";
                    //update the online field to 50 seconds in the future
                    $time = date("u")+50;
                    query( "UPDATE users SET online = :time WHERE id = :id",
                            array("time" => $time, "id" => $_SESSION["uid"]),
                            $conn);
                    //redirect them to the usersonline page
                    header("Location: usersOnline.php");
                }
            }


    }
}
4

3 回答 3

2

您错过了$stmt作为query(). 将调用更改为:

$stmt = query(....);
$num = $stmt->rowCount();

请注意,提供有关以下内容的详细通知被认为是不安全的

  • 用户名错误
  • 密码错误
  • 两者都是错误的。

如果这样做,攻击者很容易获得有效的用户名。Onece 拥有用户名,它需要更少的努力来获取有效帐户的密码。

此外,我不会使用rowCount()它,因为每个数据库驱动程序都不会返回行数。因此,如果您曾经使用不同的数据库,代码可能会失败。

将查询更改为:

SELECT count(*) AS number_of_rows, * FROM users WHERE username =:username && password = :pasword"

...然后从结果集中获取“number_of_rows”:

if ( !$username || !$password ){
    // if not display an error message.
    echo "You need to fill in a username and password!";
}else

    //select the number of rows where the username and password match the ones submitted by the user
    query(  "SELECT count(*) as number_of_records, * FROM users WHERE username = :username AND password = :password",
            array("username" => $username, "password" => "$password"),
            $conn);
    $record = $stmt->fetch();
    if($record['number_of_records'] !== '1') {
        echo 'wrong username and / or password';
    }
}

进一步说明:切勿在数据库中存储未加密的密码

相反,您应该存储由sha1 或 md5 等加盐单向散列函数散列的密码。为简洁起见,我不会在这里举一个例子。我会用谷歌搜索这个或问另一个关于 SO 的问题。

于 2013-03-05T11:53:59.687 回答
1

您的query()函数返回一个语句,但您没有从调用它的位置保存返回值。

改变

query(.....);


$stmt = query(.....);
于 2013-03-05T11:54:14.053 回答
0

我受不了这么臃肿的代码。所以,这是一个正确的版本,没有所有无用、不必要和错误的代码:

if( $_SERVER["REQUEST_METHOD"] == "POST") {
    $sql = "SELECT id,active FROM users WHERE username=? && password=?";
    $stm = query($sql, array($_POST["username"], $_POST["password"]), $conn);
    $row = $stm->fetch(PDO::FETCH_ASSOC);
    if(!$row) {
        echo "Username and password do not mactch";
    } elseif($row["active"] != 1) {
        echo "You have not yet activated your account!";
    } else {
        $_SESSION["uid"] = $row["id"];
        $time = date("u")+50;
        $sql  = "UPDATE users SET online=? WHERE id=?";
        query($sql, array($time, $row["id"]), $conn);
        header("Location: usersOnline.php");
        exit;
    }
}
于 2013-03-05T12:11:42.667 回答