-2

嗨,我在这里有这个代码,它是用于登录系统:

elseif($_GET['action'] == "login"){
if(!empty($_GET['user_name']) && !Empty($_GET['password'])){
    session_name('Huemix|Studio');
    session_set_cookie_params(2*7*24*60*60);
    sec_session_start();
    $user = sql_safe($_GET['user_name']);
    $pass = sql_safe($_GET['password']);
    $rem = sql_safe($_GET['rememberMe']);
    if(!count($err)){
        $sql = sprintf("SELECT loginid FROM login WHERE username='%s' AND password = '%s'",$user,md5($pass));
        $query = mysql_query($sql);
        $row = mysql_fetch_assoc($query);
        if(!$query){
            echo mysql_error();
        }else{
            echo $row["username"];
            echo $row["loginid"];
            //echo $user;
           // echo $pass;
        }
        if($row['username']){
            $sql = sprintf("UPDATE login SET last_login='".time()."' WHERE username = '%s' AND password = '%s' ",$user,md5($pass));
            $query = mysql_query($sql);
            if($query){
                $_SESSION['username'] = $row['username'];
                $_SESSION['id'] = $row['loginid'];
                $_SESSION['rememberMe'] = $rem;
                setcookie("HuemixRemember",$rem);
                header("Location : index.php");
            }
            echo '<p style="color: #ff0000;">Error in Login system ,, Please Call The Programmer !</p>';
        }else{
            echo '<p style="color: #ff0000;">Error in Username and/or Password !</p>';
        }
    }
}else{
    echo '<p style="color: #ff0000;">All Fields are Required !</p>';
}

}

现在我对我的脚本做了一些安全功能,它们是:sec_session_start(); 和 sql_safe(); 这里有代码:sec_session_start();

function sec_session_start() {
    $session_name = 'sec_session_id'; // Set a custom session name
    $secure = false; // Set to true if using https.
    $httponly = true; // This stops javascript being able to access the session id. 

    ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies. 
    $cookieParams = session_get_cookie_params(); // Gets current cookies params.
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly); 
    session_name($session_name); // Sets the session name to the one set above.
    session_start(); // Start the php session
    session_regenerate_id(true); // regenerated the session, delete the old one.     

}

和 sql_safe():

function sql_safe($value){
if ( $value ){
    $value = strip_tags($value);
    $value = htmlspecialchars($value); 
    $value = trim($value);
    $value = stripslashes($value);
    $value = mysql_real_escape_string($value);
    return $value;
}
else{
    return false;
}

}

现在我的问题出在echo $row["username"]; 没有打印数据的行中,并且我确定数据库中有数据并且与数据库的连接可以正常工作,我尝试echo $user;查看是否来自 Interred 的值的错误输入框,但输出和我埋的一样!

所以我真的不知道发生了什么!!!总是显示Error in Login system ,, Please Call The Programmer ! 由 if 语句引起的错误if($row['username']){!!

另一个问题:你能告诉我一个提示或代码来保护我的脚本吗?在一切“登录、注销、会话、cookies ......等”

还有谢谢^_^

4

3 回答 3

3

您没有在您的选择语句中选择用户名,这就是它无法使用的原因 - 在您选择字段时将用户名添加到您的选择语句中。

    SELECT loginid,username FROM login WHERE username='%s'...
于 2013-04-20T15:29:04.907 回答
0

问题似乎是,您没有选择用户名:

$sql = sprintf("SELECT loginid FROM login WHERE username='%s' AND password = '%s'",$user,md5($pass));

应该:

$sql = sprintf("SELECT username, loginid FROM login WHERE username='%s' AND password = '%s'",$user,md5($pass));

于 2013-04-20T15:30:08.290 回答
0
       }
        echo '<p style="color: #ff0000;">Error in Login system ,, Please Call The Programmer !</p>';

应该是

       } else {
           echo '<p style="color: #ff0000;">Error in Login system ,, Please Call The Programmer !</p>';
       }

现在您只是输出该错误消息,完全忽略查询结果。

于 2013-04-20T15:30:34.600 回答