1

我有下表

登录

IdUser(整数)

用户名(varchar)

密码(varchar)

电子邮件(varchar)

主动(整数)

Active 为 0 或 1,具体取决于用户的电子邮件是否经过验证。如果验证了帐户,则表中的活动行将更新为 1。如果未验证帐户,则表中的活动行保持为 0。

用户只有在其帐户经过验证后才能登录。

到目前为止,我的登录是这样的:

//login API
function login($user, $pass) {

// try to match a row in the "login" table for the given username and password
$result = query("SELECT IdUser, username FROM login WHERE username='%s' AND pass='%s' limit 1", $user, $pass);

if (count($result['result'])>0) {
    // a row was found in the database for username/pass combination
    // save a simple flag in the user session, so the server remembers that the user is authorized
    $_SESSION['IdUser'] = $result['result'][0]['IdUser'];
    // print out the JSON of the user data to the iPhone app; it looks like this:
    // {IdUser:1, username: "Name"}
    print json_encode($result);
} else {
    // no matching username/password was found in the login table
    errorJson('Authorization failed');
}
}

我将如何只为经过验证的用户提供登录权限?

4

4 回答 4

0

好吧,除非我在您的描述中遗漏了某些内容,否则您似乎只需在子句中添加AND active=1一个WHERE。所以你最终会得到:

SELECT IdUser, username FROM login WHERE username='%s' AND pass='%s' AND active=1  limit 1

更新

//login API
function login($user, $pass) {

    // try to match a row in the "login" table for the given username and password
    $result = query("SELECT IdUser, username, active, email FROM login WHERE username='%s' AND pass='%s' limit 1", $user, $pass);

    if (count($result['result'])>0) {
        // a row was found in the database for username/pass combination
        if (!$result['result'][0]['active']) {
            // not activated yet
            errorJson('Not activated yet: ' + $result['result'][0]['email']);

        } else {
            // save a simple flag in the user session, so the server remembers that the user is authorized
            $_SESSION['IdUser'] = $result['result'][0]['IdUser'];
            // print out the JSON of the user data to the iPhone app; it looks like this:
            // {IdUser:1, username: "Name"}
            print json_encode($result);
        }
    } else {
        // no matching username/password was found in the login table
        errorJson('Authorization failed');
    }
}

顺便说一句,正如其他提到的,您的代码似乎对 SQL 注入敏感,并且您似乎将密码以原始文本形式存储在数据库中,这是一种非常糟糕的做法。您应该考虑使用 mysqli + 占位符进行查询。您还应该在过程中的任何时候散列密码。一个简单的方法(虽然不是最好的)可能是使用 MySQL 的密码功能。因此,您的查询将简单地更改为:

$result = query("SELECT IdUser, username, active, email FROM login WHERE username=? AND password=PASSWORD(?) limit 1", $user, $pass);
于 2013-10-24T03:40:47.333 回答
0

只需在查询中添加AND active = 1之前limit 1

顺便说一句,您的代码存在一些更广泛的问题:

  • 避免将密码直接存储在数据库中,例如使用 bcrypt
  • 使用 mysqli 或其他带有准备好的语句的数据库接口来避免 SQL 注入
于 2013-10-24T03:43:14.980 回答
0

这里:

$result = query("SELECT IdUser, username FROM login WHERE username='%s' AND pass='%s' AND emailVerified='1' limit 1", $user, $pass);

其中 emailVerified 是您的电子邮件验证状态字段名称,将其替换为您自己的

于 2013-10-24T03:43:33.810 回答
0

首先您必须检查用户是否处于活动状态

select active from login where username='%s';//execute this query and check result and store in active..

if(!$active)
{
errorJson("your account is not activated yet!);
}
else
{
//login code
}
于 2013-10-24T03:46:10.047 回答