-1

我正在学习 PHP,并且我制作了一个简单的登录脚本,但问题是它只会将我重定向到一个空白页面。如果用户凭据正确,则意味着重定向到 index.php,但显然不是这样?还有验证,如果用户输入空白,则返回错误。这似乎没有被执行。

登录.php

<form id="login-form" method="post" action="logininc.php"> <fieldset> 
  <legend>Login </legend> 
  <p>Please enter your username and password to access the administrator's panel</p>

   <label for="user"> <input type="text" name="user" placeholder="Type your username here" id="user" /></label> 
   <label for="password"> <input type="password" name="password" placeholder="Type your password here" id="password" /></label>
   <label for="submit"> <input type="submit" class="btn btn-primary"name="submit" id="submit" value="Login" /> </label> </fieldset> </form>

logininc.php // 我的处理页面

<?php

require_once("assets/configs/db_config.php");
$user=$_POST['user']; 
$password=$_POST['password'];

if(isset($_POST['login']))
{
//To ensure that none of the fields are blank when submitting the form if
if($user || $password != NULL)
    {
        $user = stripslashes($user);
        $password = stripslashes($password);
        $user = mysqli_real_escape_string($user);
        $password = mysqli_real_escape_string($password);

        $sql="SELECT * FROM $test_db WHERE user='$user' and password='$password'";
        $result=mysqli_query($sql);

        $row=mysql_fetch_array($result);

        if($row['user'] == $user && $row['password'] == $password)
        {
            session_start();
            $_SESSION['user'] = $user;
            $_SESSION['password'] = $password;
            $_SESSION['loggedin'] = "true";
            header("location:index.php");
        }
        else
        {
            print ('<div id="error">Computer says no.</div>');

        }
            print ('<div id="error">Enter something!</div>');

}
}



    ?>

index.php // 成功页面

 <?php //module to check logins
 session_start();

 if(!isset($_SESSION["loggedIn"])){
     header("Location: login.php");
     exit;
 }
 Echo 'Congratulations <b>'.$_SESSION['user'].'</b> you successfully logged in!!<br />
         Your Password is: <b>'.$_SESSION['password'].'</b><br />
         <a href="login.php">Logout</a>';
 ?>
4

4 回答 4

2

$row = mysql_fetch_array应该$row = mysqli_fetch_array

正如其他人已经提到的,使用

if(isset($_POST['user']) && isset($_POST['password'])) {


// your code here


}

顺便说一句:使用只说“loggedin = true”或“login = yes”等的会话绝不是安全的

编辑(安全讨论):

密码应始终加密保存(注册):

function login($email, $password)   {
    $email = mysql_real_escape_string($email);
    $q = "SELECT id, email, password, salt FROM members WHERE email='" . $email . "'";
    $result = mysql_query($q, $this->connection);
        $output = mysql_fetch_assoc($result);
        $user_id = $output['id'];
        $database_username = $output['username'];
        $database_email = $output['email'];
        $database_password = $output['password'];


        $password = hash('sha512', $password);

            if($database_password == $password) {
                $user_browser = $_SERVER['HTTP_USER_AGENT']; 
                $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                $_SESSION['user_id'] = $user_id;
                $_SESSION['username'] = $email;
                $login_hash = hash('sha512', $password.$user_browser);
                $_SESSION['login_hash'] = $login_hash;
        }   else    {
            return false;
        }
} // function

function login_check()  {
    $user_id = $_SESSION["user_id"];
    $login_hash = $_SESSION["login_hash"];
    $email = $_SESSION["username"];
    $user_browser = $_SERVER['HTTP_USER_AGENT'];

    $q = "SELECT password FROM members WHERE id ='" . $user_id . "'";
    $result = mysql_query($q, $this->connection);
    $output = mysql_fetch_assoc($result);
    $database_password = $output['password'];

    if(mysql_num_rows($result) == 1)    {

        $login_check = hash('sha512', $database_password.$user_browser);
        if($login_check == $login_hash) {
                return true;
            } else { 
                return false; 
        }
    } else  {
        return false; 
    }
}

此外,您可以为每个用户创建一个随机盐(注册),以将您的安全级别设置得更高一点(注意:hash(hash(hash(...)))会降低您的安全级别,因为您在哈希期间丢失了信息过程)

注意:这只是一个具有高安全级别的(工作)示例登录/检查脚本。仍然可以改进此脚本(暴力破解,mysqli/prepared statements,直接在表单中散列密码,安全会话,...)

于 2013-07-24T09:10:54.727 回答
1

当您更改if(isset($_POST['login']))为时会发生什么if(isset($_POST['submit']))

于 2013-07-24T09:04:08.153 回答
0

首先,提交按钮的名称是“提交”。您正在检查“登录”是否已发布。

if(isset($_POST['login']))
{

它应该是:

if(isset($_POST['submit']))
{

你写 :

if($user || $password != NULL)
{

它应该是:

if($user != NULL || $password != NULL)
{

您使用了 mysqli 和 mysql 命令,这不是一个好习惯

$result=mysqli_query($sql);

    $row=mysql_fetch_array($result);

代替

if($row['user'] == $user && $row['password'] == $password)
    {
//this code again check for condition which is already checked in the sql statement

最好写:

if($row->num_rows==1)
    {

在你写的 index.php 中

if(!isset($_SESSION["loggedIn"])){

应该是

if(!isset($_SESSION["loggedin"])){

因为您在存储到会话时存储了小写索引。

于 2013-07-24T10:12:52.987 回答
0

问题是if(isset($_POST['login']))

您永远不会在表单中设置“登录”条目。

你可以做:

if(isset($_POSt["user"]) && isset($_POST["password"])) {
$user=$_POST['user']; 
$password=$_POST['password'];
//To ensure that none of the fields are blank when submitting the form if
if($user && $password) {
于 2013-07-24T09:03:45.943 回答