1

一直试图在表单的同一页面上输出错误,我使用的是 PHP 表单。

<?php 

    // First we execute our common code to connection to the database and start the session 
    require("common.php"); 

    // This if statement checks to determine whether the registration form has been submitted 
    // If it has, then the registration code is run, otherwise the form is displayed 
    if(!empty($_POST)) 
    { 

        // Ensure that the user has entered a non-empty name 
        if(empty($_POST['full_name'])) 
        { 
            return("Please enter your full name."); 
        } 

        // Ensure that the user has entered a non-empty username 
        if(empty($_POST['username'])) 
        { 
            // Note that die() is generally a terrible way of handling user errors 
            // like this.  It is much better to display the error with the form 
            // and allow the user to correct their mistake.  However, that is an 
            // exercise for you to implement yourself. 
            //die("Please enter a username."); 
            return("PUFTA KOLLOK");
        } 


        // Ensure that the user has entered a non-empty password 
        if(empty($_POST['password'])) 
        { 
            die("Please enter a password."); 
        } 



        // Make sure the user entered a valid E-Mail address 
        // filter_var is a useful PHP function for validating form input, see: 
        // http://us.php.net/manual/en/function.filter-var.php 
        // http://us.php.net/manual/en/filter.filters.php 
        if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) 
        { 
            die("Invalid E-Mail Address"); 
        } 

        // We will use this SQL query to see whether the username entered by the 
        // user is already in use.  A SELECT query is used to retrieve data from the database. 
        // :username is a special token, we will substitute a real value in its place when 
        // we execute the query. 
        $query = " 
            SELECT 
                1 
            FROM users_pharm
            WHERE 
                username = :username 
        "; 

        // This contains the definitions for any special tokens that we place in 
        // our SQL query.  In this case, we are defining a value for the token 
        // :username.  It is possible to insert $_POST['username'] directly into 
        // your $query string; however doing so is very insecure and opens your 
        // code up to SQL injection exploits.  Using tokens prevents this. 
        // For more information on SQL injections, see Wikipedia: 
        // http://en.wikipedia.org/wiki/SQL_Injection 
        $query_params = array( 
            ':username' => $_POST['username'] 
        ); 

        try 
        { 
            // These two statements run the query against your database table. 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
        catch(PDOException $ex) 
        { 
            // Note: On a production website, you should not output $ex->getMessage(). 
            // It may provide an attacker with helpful information about your code.  
            die("Failed to run query: " . $ex->getMessage()); 
        } 

        // The fetch() method returns an array representing the "next" row from 
        // the selected results, or false if there are no more rows to fetch. 
        $row = $stmt->fetch(); 

        // If a row was returned, then we know a matching username was found in 
        // the database already and we should not allow the user to continue. 
        if($row) 
        { 
            die("This username is already in use"); 
        } 

        // Now we perform the same type of check for the email address, in order 
        // to ensure that it is unique. 
        $query = " 
            SELECT 
                1 
            FROM users_pharm 
            WHERE 
                email = :email 
        "; 

        $query_params = array( 
            ':email' => $_POST['email'] 
        ); 

        try 
        { 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
        catch(PDOException $ex) 
        { 
            die("Failed to run query: " . $ex->getMessage()); 
        } 

        $row = $stmt->fetch(); 

        if($row) 
        { 
            die("This email address is already registered"); 
        } 

        // An INSERT query is used to add new rows to a database table. 
        // Again, we are using special tokens (technically called parameters) to 
        // protect against SQL injection attacks. 
        $query = " 
            INSERT INTO users_pharm ( 
                username, 
                password, 
                salt, 
                email,
                full_name,
                pharmacy    
            ) VALUES ( 
                :username, 
                :password, 
                :salt, 
                :email,
                :full_name,
                :pharmacy

            ) 
        "; 

        // A salt is randomly generated here to protect again brute force attacks 
        // and rainbow table attacks.  The following statement generates a hex 
        // representation of an 8 byte salt.  Representing this in hex provides 
        // no additional security, but makes it easier for humans to read. 
        // For more information: 
        // http://en.wikipedia.org/wiki/Salt_%28cryptography%29 
        // http://en.wikipedia.org/wiki/Brute-force_attack 
        // http://en.wikipedia.org/wiki/Rainbow_table 
        $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 

        // This hashes the password with the salt so that it can be stored securely 
        // in your database.  The output of this next statement is a 64 byte hex 
        // string representing the 32 byte sha256 hash of the password.  The original 
        // password cannot be recovered from the hash.  For more information: 
        // http://en.wikipedia.org/wiki/Cryptographic_hash_function 
        $password = hash('sha256', $_POST['password'] . $salt); 

        // Next we hash the hash value 65536 more times.  The purpose of this is to 
        // protect against brute force attacks.  Now an attacker must compute the hash 65537 
        // times for each guess they make against a password, whereas if the password 
        // were hashed only once the attacker would have been able to make 65537 different  
        // guesses in the same amount of time instead of only one. 
        for($round = 0; $round < 65536; $round++) 
        { 
            $password = hash('sha256', $password . $salt); 
        } 

        // Here we prepare our tokens for insertion into the SQL query.  We do not 
        // store the original password; only the hashed version of it.  We do store 
        // the salt (in its plaintext form; this is not a security risk). 
        $query_params = array( 
            ':username' => $_POST['username'], 
            ':password' => $password, 
            ':salt' => $salt, 
            ':email' => $_POST['email'],
            ':full_name' => $_POST['full_name'],
            ':pharmacy' => $_POST['pharmacy']   

        ); 

        try 
        { 
            // Execute the query to create the user 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
        catch(PDOException $ex) 
        { 
            // Note: On a production website, you should not output $ex->getMessage(). 
            // It may provide an attacker with helpful information about your code.  
            die("Failed to run query: " . $ex->getMessage()); 
        } 

        // This redirects the user back to the login page after they register 
        header("Location: login.php"); 

        // Calling die or exit after performing a redirect using the header function 
        // is critical.  The rest of your PHP script will continue to execute and 
        // will be sent to the user if you do not die or exit. 
        die("Redirecting to login.php"); 
    } 



?> 
<html>
<head>
<!--document's CSS styling -->
<link href="css/testcss.css" rel="stylesheet" type="text/css" />
</head>

<div id="header" style="text-align:left">
<body>
<h1>Pharmacists Registration</h1> 
<form action="register2.php" method="post"> <br />

    Full Name:<br />
    <input type="text" name="full_name" value="" /> 
    <br /><br /> 

    Username:<br /> 
    <input type="text" name="username" value="" /> 
    <br /><br /> 

    Pharmacy :<br /> 
    <input type="text" name="pharmacy" value="" /> 
    <br /><br /> 

    E-Mail:<br /> 
    <input type="text" name="email" value="" /> 
    <br /><br /> 

    Password:<br /> 
    <input type="password" name="password" value="" /> 
    <br /><br /> 

    <table>
        <tr>
    <input type="submit" value="Register" /> 
</form>
<form action="login.php" method="post">
    <input type="submit" value="Back">
</form>
</body>
</div>

</html>

已经研究并发现了有关 ajax 的信息,但无法从头开始修改表单。也尝试过 print()、return() error(),但除了在新页面上返回空白的 return 之外,我都在新页面上返回错误。

这是能够执行我需要的登录页面,即在同一页面上显示错误。已尝试深入实现这一目标..但我注意到的是验证在大括号中并且只是触发一个布尔值。如果错误打印错误..但我已经尝试了 print() 但它在表单的新页面上实现了输出,但在登录的同一页面上实现了输出......这是登录页面的代码..

<?php 

    // First we execute our common code to connection to the database and start the session 
    require("common.php"); 

    error_reporting(0);

    // This variable will be used to re-display the user's username to them in the 
    // login form if they fail to enter the correct password.  It is initialized here 
    // to an empty value, which will be shown if the user has not submitted the form. 
    $submitted_username = ''; 

    // This if statement checks to determine whether the login form has been submitted 
    // If it has, then the login code is run, otherwise the form is displayed 
    if(!empty($_POST)) 
    { 
        if($_POST['login_type']=="doctor_login") {

        // This query retreives the user's information from the database using 
        // their username. 
        $query = " 
            SELECT 
                id, 
                username, 
                password, 
                salt, 
                email,
                full_name
            FROM users 
            WHERE 
                username = :username 
        "; 

        // The parameter values 
        $query_params = array( 
            ':username' => $_POST['username'] 
        ); 

        try 
        { 
            // Execute the query against the database 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
        catch(PDOException $ex) 
        { 
            // Note: On a production website, you should not output $ex->getMessage(). 
            // It may provide an attacker with helpful information about your code.  
            die("Failed to run query: " . $ex->getMessage()); 
        } 

        // This variable tells us whether the user has successfully logged in or not. 
        // We initialize it to false, assuming they have not. 
        // If we determine that they have entered the right details, then we switch it to true. 
        $login_ok = false; 

        // Retrieve the user data from the database.  If $row is false, then the username 
        // they entered is not registered. 
        $row = $stmt->fetch(); 
        if($row) 
        { 
            // Using the password submitted by the user and the salt stored in the database, 
            // we now check to see whether the passwords match by hashing the submitted password 
            // and comparing it to the hashed version already stored in the database. 
            $check_password = hash('sha256', $_POST['password'] . $row['salt']); 
            for($round = 0; $round < 65536; $round++) 
            { 
                $check_password = hash('sha256', $check_password . $row['salt']); 
            } 

            if($check_password === $row['password']) 
            { 
                // If they do, then we flip this to true 
                $login_ok = true; 
            } 
        } 

        // If the user logged in successfully, then we send them to the private members-only page 
        // Otherwise, we display a login failed message and show the login form again 
        if($login_ok) 
        { 
            // Here I am preparing to store the $row array into the $_SESSION by 
            // removing the salt and password values from it.  Although $_SESSION is 
            // stored on the server-side, there is no reason to store sensitive values 
            // in it unless you have to.  Thus, it is best practice to remove these 
            // sensitive values first. 
            unset($row['salt']); 
            unset($row['password']); 

            // This stores the user's data into the session at the index 'user'. 
            // We will check this index on the private members-only page to determine whether 
            // or not the user is logged in.  We can also use it to retrieve 
            // the user's details. 
            $_SESSION['user'] = $row; 

            // Redirect the user to the private members-only page. 
            header("Location: private.php"); 
            die("Redirecting to: private.php"); 
        } 
        else 
        { 
            // Tell the user they failed 
            print("Login Failed."); 

            // Show them their username again so all they have to do is enter a new 
            // password.  The use of htmlentities prevents XSS attacks.  You should 
            // always use htmlentities on user submitted values before displaying them 
            // to any users (including the user that submitted them).  For more information: 
            // http://en.wikipedia.org/wiki/XSS_attack 
            $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); 
        }
        }

        else if($_POST['login_type']=="pharmacist_login")
        {

            // This query retreives the user's information from the database using 
        // their username. 
        $query = " 
            SELECT 
                id, 
                username, 
                password, 
                salt, 
                email,
                full_name
            FROM users_pharm 
            WHERE 
                username = :username 
        "; 

        // The parameter values 
        $query_params = array( 
            ':username' => $_POST['username'] 
        ); 

        try 
        { 
            // Execute the query against the database 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
        catch(PDOException $ex) 
        { 
            // Note: On a production website, you should not output $ex->getMessage(). 
            // It may provide an attacker with helpful information about your code.  
            die("Failed to run query: " . $ex->getMessage() ); 
        } 

        // This variable tells us whether the user has successfully logged in or not. 
        // We initialize it to false, assuming they have not. 
        // If we determine that they have entered the right details, then we switch it to true. 
        $login_ok = false; 

        // Retrieve the user data from the database.  If $row is false, then the username 
        // they entered is not registered. 
        $row = $stmt->fetch(); 
        if($row) 
        { 
            // Using the password submitted by the user and the salt stored in the database, 
            // we now check to see whether the passwords match by hashing the submitted password 
            // and comparing it to the hashed version already stored in the database. 
            $check_password = hash('sha256', $_POST['password'] . $row['salt']); 
            for($round = 0; $round < 65536; $round++) 
            { 
                $check_password = hash('sha256', $check_password . $row['salt']); 
            } 

            if($check_password === $row['password']) 
            { 
                // If they do, then we flip this to true 
                $login_ok = true; 
            } 
        } 

        // If the user logged in successfully, then we send them to the private members-only page 
        // Otherwise, we display a login failed message and show the login form again 
        if($login_ok) 
        { 
            // Here I am preparing to store the $row array into the $_SESSION by 
            // removing the salt and password values from it.  Although $_SESSION is 
            // stored on the server-side, there is no reason to store sensitive values 
            // in it unless you have to.  Thus, it is best practice to remove these 
            // sensitive values first. 
            unset($row['salt']); 
            unset($row['password']); 

            // This stores the user's data into the session at the index 'user'. 
            // We will check this index on the private members-only page to determine whether 
            // or not the user is logged in.  We can also use it to retrieve 
            // the user's details. 
            $_SESSION['user'] = $row; 

            // Redirect the user to the private members-only page. 
            header("Location: private2.php"); 
            die("Redirecting to: private2.php"); 
        } 
        else 
        { 
            // Tell the user they failed 
            print("Login Failed."); 

            // Show them their username again so all they have to do is enter a new 
            // password.  The use of htmlentities prevents XSS attacks.  You should 
            // always use htmlentities on user submitted values before displaying them 
            // to any users (including the user that submitted them).  For more information: 
            // http://en.wikipedia.org/wiki/XSS_attack 
            $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); 
        }

        }
    } 

?> 

<html>

<head>
<!--document's CSS styling -->
<link href="css/testcss.css" rel="stylesheet" type="text/css" />
</head>

<body>

<div id="header" style="text-align:left">
<br />
<h1>Login</h1> 
<form action="login.php" method="post"> 
    Username:<br /> 
    <input type="text" name="username" value="<?php echo $submitted_username; ?>" /> 
    <br /><br /> 
    Password:<br /> 
    <input type="password" name="password" value="" /> 
    <br /><br /> 
    <!--<form>-->
        <input type="radio" name="login_type" value="pharmacist_login" id="pharmacist_login"/> Pharmacist Login
        <br /><input type="radio" name="login_type" value="doctor_login" id="doctor_login"/> G.P Login<br />
    <!--</form>-->
    <br />
    <input type="submit" value="Login" /> 

    <form action="forgotpassword.php" method="post"> 
    <input type="submit" value="Forgot Password" /> 
    </form>


</form> 

<br />
<a href="register.php">General Practitioner's Registration</a>
<br />
<a href="register2.php">Pharmacist's Registration</a>
<br />
<a href="forgot_password.php">Forgot Password</a>
</div>
</body>

</html>
4

2 回答 2

1

当您使用从 $_POST 和 $_GET(或其他 PHP 编码)页面发送到服务器和当前页面从服务器的结果页面等待时。如果您的意思是在表单子句的同一页面上显示错误,您可以这样做(编辑您的代码):

<?php 

    // First we execute our common code to connection to the database and start the session 
    require("common.php"); 

    // This if statement checks to determine whether the registration form has been submitted 
    // If it has, then the registration code is run, otherwise the form is displayed 
    $ErrorTest="";
    if(!empty($_POST)) 
    { 

        // Ensure that the user has entered a non-empty name 
        if(empty($_POST['full_name'])) 
        { 
            $ErrorTest="Please enter your full name.";
        } 

        // Ensure that the user has entered a non-empty username 
        if(empty($_POST['username'])) 
        { 
            // Note that die() is generally a terrible way of handling user errors 
            // like this.  It is much better to display the error with the form 
            // and allow the user to correct their mistake.  However, that is an 
            // exercise for you to implement yourself. 
            //die("Please enter a username."); 
            $ErrorTest .="PUFTA KOLLOK";
        } 


        // Ensure that the user has entered a non-empty password 
        if(empty($_POST['password'])) 
        { 
            $ErrorTest.="Please enter a password."; 
        } 



        // Make sure the user entered a valid E-Mail address 
        // filter_var is a useful PHP function for validating form input, see: 
        // http://us.php.net/manual/en/function.filter-var.php 
        // http://us.php.net/manual/en/filter.filters.php 
        if ($ErrorTest=="")  // add this line where you want avoid run

        if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) 
        { 
           $ErrorTest="Invalid E-Mail Address"=; 




        // We will use this SQL query to see whether the username entered by the 
        // user is already in use.  A SELECT query is used to retrieve data from the database. 
        // :username is a special token, we will substitute a real value in its place when 
        // we execute the query. 
        $query = " 
            SELECT 
                1 
            FROM users_pharm
            WHERE 
                username = :username 
        "; 

        // This contains the definitions for any special tokens that we place in 
        // our SQL query.  In this case, we are defining a value for the token 
        // :username.  It is possible to insert $_POST['username'] directly into 
        // your $query string; however doing so is very insecure and opens your 
        // code up to SQL injection exploits.  Using tokens prevents this. 
        // For more information on SQL injections, see Wikipedia: 
        // http://en.wikipedia.org/wiki/SQL_Injection 
        if ($ErrorTest=="")

        $query_params = array( 
            ':username' => $_POST['username'] 
        ); 


        try 
        { 
            // These two statements run the query against your database table. 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
        catch(PDOException $ex) 
        { 
            // Note: On a production website, you should not output $ex->getMessage(). 
            // It may provide an attacker with helpful information about your code.  
            $ErrorTest="Failed to run query: " . $ex->getMessage()); 
        } 

        // The fetch() method returns an array representing the "next" row from 
        // the selected results, or false if there are no more rows to fetch. 


        $row = $stmt->fetch(); 

        // If a row was returned, then we know a matching username was found in 
        // the database already and we should not allow the user to continue. 


        if($row) 
        { 
            $ErrorTest="This username is already in use"; 
        } 

        // Now we perform the same type of check for the email address, in order 
        // to ensure that it is unique. 
        $query = " 
            SELECT 
                1 
            FROM users_pharm 
            WHERE 
                email = :email 
        "; 

        $query_params = array( 
            ':email' => $_POST['email'] 
        ); 

        try 
        { 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
        catch(PDOException $ex) 
        { 
            $ErrorTest="Failed to run query: " . $ex->getMessage(); 
        } 

        $row = $stmt->fetch(); 

        if($row) 
        { 
            $ErrorTest="This email address is already registered"; 
        } 

        // An INSERT query is used to add new rows to a database table. 
        // Again, we are using special tokens (technically called parameters) to 
        // protect against SQL injection attacks. 
        $query = " 
            INSERT INTO users_pharm ( 
                username, 
                password, 
                salt, 
                email,
                full_name,
                pharmacy    
            ) VALUES ( 
                :username, 
                :password, 
                :salt, 
                :email,
                :full_name,
                :pharmacy

            ) 
        "; 

        // A salt is randomly generated here to protect again brute force attacks 
        // and rainbow table attacks.  The following statement generates a hex 
        // representation of an 8 byte salt.  Representing this in hex provides 
        // no additional security, but makes it easier for humans to read. 
        // For more information: 
        // http://en.wikipedia.org/wiki/Salt_%28cryptography%29 
        // http://en.wikipedia.org/wiki/Brute-force_attack 
        // http://en.wikipedia.org/wiki/Rainbow_table 
        $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 

        // This hashes the password with the salt so that it can be stored securely 
        // in your database.  The output of this next statement is a 64 byte hex 
        // string representing the 32 byte sha256 hash of the password.  The original 
        // password cannot be recovered from the hash.  For more information: 
        // http://en.wikipedia.org/wiki/Cryptographic_hash_function 
        $password = hash('sha256', $_POST['password'] . $salt); 

        // Next we hash the hash value 65536 more times.  The purpose of this is to 
        // protect against brute force attacks.  Now an attacker must compute the hash 65537 
        // times for each guess they make against a password, whereas if the password 
        // were hashed only once the attacker would have been able to make 65537 different  
        // guesses in the same amount of time instead of only one. 
        for($round = 0; $round < 65536; $round++) 
        { 
            $password = hash('sha256', $password . $salt); 
        } 

        // Here we prepare our tokens for insertion into the SQL query.  We do not 
        // store the original password; only the hashed version of it.  We do store 
        // the salt (in its plaintext form; this is not a security risk). 
        $query_params = array( 
            ':username' => $_POST['username'], 
            ':password' => $password, 
            ':salt' => $salt, 
            ':email' => $_POST['email'],
            ':full_name' => $_POST['full_name'],
            ':pharmacy' => $_POST['pharmacy']   

        ); 

        try 
        { 
            // Execute the query to create the user 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
        catch(PDOException $ex) 
        { 
            // Note: On a production website, you should not output $ex->getMessage(). 
            // It may provide an attacker with helpful information about your code.  
            $ErrorTest="Failed to run query: " . $ex->getMessage(); 
        } 

        // This redirects the user back to the login page after they register 
        header("Location: login.php"); 

        // Calling die or exit after performing a redirect using the header function 
        // is critical.  The rest of your PHP script will continue to execute and 
        // will be sent to the user if you do not die or exit. 
        $ErrorTest="Redirecting to login.php"; 
    } 



?> 
<html>
<head>
<!--document's CSS styling -->
<link href="css/testcss.css" rel="stylesheet" type="text/css" />
</head>

<div id="header" style="text-align:left">
<body>
<h1>Pharmacists Registration</h1> 
<?php>
if ($ErrorTest!="")
  echo "<br />Error:".$ErrorTest."<br />";
if (empty($_POST) || $ErrorTest!="" ) 
{
<?>
<form action="register2.php" method="post"> <br />

    Full Name:<br />
    <input type="text" name="full_name" value="" /> 
    <br /><br /> 

    Username:<br /> 
    <input type="text" name="username" value="" /> 
    <br /><br /> 

    Pharmacy :<br /> 
    <input type="text" name="pharmacy" value="" /> 
    <br /><br /> 

    E-Mail:<br /> 
    <input type="text" name="email" value="" /> 
    <br /><br /> 

    Password:<br /> 
    <input type="password" name="password" value="" /> 
    <br /><br /> 

    <table>
        <tr>
    <input type="submit" value="Register" /> 
</form>
<?php>
}
<?>
<form action="login.php" method="post">
    <input type="submit" value="Back">
</form>
</body>
</div>

</html>

您可以在代码中使用您想要的 if 条件

   if ($ErrorTest=="")
      do next step
于 2013-04-20T11:04:40.530 回答
0

您必须在 register2.php 中编写代码的上半部分,并使用 session 和 header 在同一页面中返回,如下所示。

 session_start();
 if(!empty($_POST))
 {
    if(empty($_POST['full_name']))
    {
        $_SESSION['error'] = "Please enter your full name.";
        header("Location: pagename.php");
    } else {
        $_SESSION["full_name"] = $_POST["full_name"];
    }
    if(empty($_POST['password']))
    {
        $_SESSION["error"] = "Please enter a password.";
        header("Location:pagename.php");
    } 
}

在 pagename.php 中,您可以检索用户在上一页中输入的数据,如下所示:

session_start();
$full_name = $_SESSION["full_name"]; 
$error = $_SESSION["error"];

希望这能解决您的问题。此外,如果你想做 javascript 验证,那么有一个不错的 jquery 插件可用。请参阅http://demos.usejquery.com/ketchup-plugin/上的文档和演示

于 2013-04-20T10:50:31.130 回答