1

我有一个类来登录用户,但是当我使用表单和错误的凭据对其进行测试时,我仍然获得了“成功”。有人能指出我正确的方向吗?

include('User.datatype.php');

$usher = new Authenticator;
$usher->checkCreds();
$usher->ensureHasAccess();

Class Authenticator {
    protected $user;
    protected function getCreds() {
        if (!isset($_POST['login']))
            throw new Exception("There was an error processing your request", 1);
        else if ($_POST['username'] == '' || $_POST['password'] == '')
            throw new Exception("You must enter a username and password", 1);
        $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
        $password = filter_input(INPUT_POST, 'password', FILTER_SANITIZE_STRING);
        $this->user = new User;
        $this->user->username = $username;
        $this->user->password = $password;
    }

    public function checkCreds() {
        $this->getCreds();
        if (empty($this->user->username) || empty($this->user->password))
            throw new Exception("Error Processing Request", 1);
        include('dbconnect.php');   // Normally I'd store the db connect script outside of webroot
        $pdo = new PDO("mysql:host=$db_host;dbname=$db_name;", $db_user, $db_password);
        $stmt = $pdo->prepare('SELECT * FROM Users WHERE username = :uname AND password = :pword');
        $stmt->bindParam(':uname', $this->user->username);
        $stmt->bindParam(':pword', $this->user->password);
        $stmt->execute();
        $status = $stmt->fetch();
        $this->user->status = $status;
        print $status;
        return $this->user->status;
    }

    protected function createSessionID() {
        $seshID = mt_rand(99999, 1000000);
        return $seshID;
    }

    protected function startSession() {
        if (empty($this->user->status))
            throw new Exception("There was a problem connecting to the database", 1);
        session_start();
        $_SESSION['username'] = $this->user->username;
        $_SESSION['id'] = createSessionID();
        $secret = $_SESSION['id'];
        header('Location:index.php?' . $secret);
        return true;
    }

    protected function hasAccess() {
        $this->startSession();
        if (!startSession())
            throw new Exception("You do not have access to this page.", 1);
        return true;
    }

    public function ensureHasAccess() {
        if(!$this->hasAccess())
            throw new Exception("You are not logged in.");
        print 'Welcome, ' . $this->user->username;
    }
}

HTML 表单:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml">
    <head>
    </head>
    <body>
        <form action="authenticator.php" method="post">
            <p>username: <input type="text" name="username" /></p>
            <p>password: <input type="password" name="password" /></p>
            <p><input type="submit" name="login" /></p>
        </form>
    </body>
</html>
4

3 回答 3

1

除了我已经指出页面中间的“session_start()”可能是一个逻辑错误之外,如果你说它是固定的,我对这一行有一种不好的感觉。

 $stmt = $pdo->prepare('SELECT * FROM Users WHERE username = $this->user->username AND password = $this->user->password');

单引号可能会阻止 $this->user 中的变量更改为实际值。那不可能有错误,但是我对MySQLi比较熟悉,还没有使用过PDO。但我建议您尝试将其更改为:

$stmt = $pdo->prepare('SELECT * FROM Users WHERE username = '.$this->user->username.' AND password = '.$this->user->password);

只是一个可能的提示。虽然不知道是不是那个。

于 2013-04-22T14:04:13.813 回答
0

你有没有

<?php session_start(); ?>

在 index.php 页面的顶部?

和 var_dump($_SESSION); 看看它拥有什么信息

据我所知,您必须拥有 session_start(); 在任何页面上,您是否希望您的会话信息存在。

于 2013-04-22T13:56:47.110 回答
0

你的逻辑有错误。 if (!session_start())启动会话,如果无法启动,则抛出异常。您需要以不同的方式检查用户是否被授权,例如使用$this->user->status = $status;来确定用户是否被授权。

于 2013-04-22T13:57:12.243 回答