我有一个我写的 PHP 登录类:
include('../../datatypes/User.datatype.php');
$usher = new Authenticator;
$usher->checkCreds();
$usher->ensureHasAccess();
Class Authenticator {
protected $user;
protected function getCreds() {
if (!isset($_POST['adminLogin']))
echo('There was an error handling your request');
else if (empty($_POST['username']) || empty($_POST['password']))
echo('You must enter a username and password');
$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
$password = md5(filter_input(INPUT_POST, 'password', FILTER_SANITIZE_STRING));
$this->user = new User;
$this->user->username = $username;
$this->user->password = $password;
}
public function checkCreds() {
$this->getCreds();
if (empty($this->user->username) || empty($this->user->password))
echo('There was an error processing your request');
include('../../../dbconnect.php');
$pdo = new PDO("mysql:host=$db_host;dbname=$db_name;", $db_user, $db_password);
$stmt = $pdo->prepare('SELECT userID, userFName FROM Users WHERE username = ? AND password = ?');
$stmt->bindParam(1, $this->user->username);
$stmt->bindParam(2, $this->user->password);
$stmt->bindColumn(1, $tblUserID, PDO::PARAM_INT);
$stmt->bindColumn(2, $userFName, PDO::PARAM_STR);
$stmt->execute();
$stmt->fetch(PDO::FETCH_BOUND);
if ($stmt->rowCount() != 1)
echo "{\"result\" : false}";
$this->user->tblUserID = $tblUserID;
$this->user->firstName = $userFName;
$status = true;
}
protected function createSessionID() {
$seshID = mt_rand(99999, 1000000000);
return $seshID;
}
protected function startSession() {
if ($status === false)
echo "{\"result\" : false}";
echo "{\"result\" : true}";
session_start();
$_SESSION['id'] = $this->createSessionID();
$secret = crypt($_SESSION['id']);
$_SESSION['lastInsert'] = 0;
$_SESSION['tblUserID'] = $this->user->tblUserID;
$_SESSION['firstName'] = $this->user->firstName;
$_SESSION['logged-in'] = true;
header('Location: ../../index.php?=admin');
}
public function ensureHasAccess() {
$grantedAccess = $this->startSession();
if ($grantedAccess === false)
header('Location: ../../error/403.php');
echo "{\"result\" : true}";
session_start();
}
}
注意:我使用 MD5 进行测试,否则使用 bcrypt。此外,这在没有 AJAX 的情况下也可以正常工作,如下所示:
$('#login_form').on('submit', function(e) {
e.preventDefault();
var $form = $(this);
var username = $('#username').val();
var password = $('#password').val();
if (username == '' || password == '')
$('span#errForm').fadeIn(200).text('You must enter a username and password');
$.ajax({
type: 'post',
url: '/classes/login/Authenticator.php',
dataType: 'json',
data: $form.serialize(),
success: function(data) {
if (data.result === false)
$('span#errForm').fadeIn(200).text('Invalid username or password');
else
window.location = '/index.php?=admin';
}
});
return false;
});
要处理此表格:
<div class="actionDiv">
<span id="errForm"></span>
<form id="login_form" action="./classes/login/Authenticator.php" method="post" onsubmit="return false;">
<p>username: <input type="text" name="username" id="username" /></p>
<p>password: <input type="password" name="password" id="password" /></p>
<p><input type="submit" name="adminLogin" value="Log in" id="adminLogin" /></p>
</form>
<p><a id="cancelLogin" href="">Cancel</a></p>
</div>
问题是当没有输入表单数据,或者输入了无效的表单数据时,仍然会出现登录。当我确实使用了正确的登录数据时,单击提交按钮什么也不做,我必须手动刷新页面。当没有输入表单数据时,会显示一条消息,但刷新页面只会创建一个空会话。
我尝试使用error: function(data)但没有任何变化。控制台也不显示任何错误。我在这里想念什么?PHP 在一个类中对此有什么影响吗?
编辑:在 Chrome 开发人员工具中,在网络下,Authenticator.php 的状态在正确和不正确的登录时都是 200 ok。