0

我为我的网页创建了一个登录系统,但是当我输入用户名和密码时,它无法通过该过程的第一阶段。任何人对问题可能有任何想法,我提供了下面的代码。

if(!$_POST['client_username'] || !$_POST['client_password']) {
                    die('You did not fill in a required field.');
                }



                if (!get_magic_quotes_gpc()) {
                    $_POST['client_username'] = addslashes($_POST['client_username']);
                }

                $qry = "SELECT client_username, client_password FROM client WHERE client_username = '".$_POST['client_username']."'";
                $result = mysql_query($qry);

                if($result) {
                if(mysql_num_rows($result) == 1) {
                       die('That username does not exist in our database.');
                    }
                }


                // check passwords match

                $_POST['client_password'] = stripslashes($_POST['client_password']);
                $info['client_password'] = stripslashes($info['client_password']);
                $_POST['client_password'] = md5($_POST['client_password']);

                if ($_POST['client_password'] != $info['client_password']) {
                    die('Incorrect password, please try again.');
                }

                // if we get here username and password are correct, 
                //register session variables and set last login time.

                $client_last_access = 'now()';

                $qry = "UPDATE client SET client_last_access = '$client_last_access' WHERE client_username = '".$_POST['client_username']."'";
                if(!mysql_query($insert,$con)) {
                die('Error: ' . mysql_error());
                }

                else{

                $_POST['client_username'] = stripslashes($_POST['client_username']);
                $_SESSION['client_username'] = $_POST['client_username'];
                $_SESSION['client_password'] = $_POST['client_password'];


                echo '<script>alert("Welcome Back");</script>';
                echo '<meta http-equiv="Refresh" content="0;URL=pv.php">';
                }

当我填写用户名和密码时,它在第一阶段死亡并显示消息: 您没有填写必填字段。

4

2 回答 2

3

你应该使用 || 而不是简单的|。

我心情很好。这是你的代码。它应该工作。

<?php

if( empty( $_POST['client_username'] ) || empty( $_POST['client_password'] ) ) {
    die('You did not fill in a required field.');
}

$qry = sprintf( "SELECT client_username, client_password FROM client WHERE client_username = '%s' LIMIT 1", mysql_real_escape_string( $_POST['client_username'] ) );
$result = mysql_query( $qry );

if( $result ) {
    if( mysql_num_rows( $result ) == 0 ) {
        die('That username does not exist in our database.');
    }
}

// where the f**k do you get your info? i added some.
$info = mysql_fetch_assoc( $result );

if( md5( $_POST['client_password'] ) != $info['client_password'] ) {
    die('Incorrect password, please try again.');
}

// if we get here username and password are correct, 
//register session variables and set last login time.
$qry = sprintf( "UPDATE client SET client_last_access = NOW() WHERE client_username = '%s'", $info['client_username'] );
if( !mysql_query( $qry ) ) {
    die('Error: ' . mysql_error() );
} else {
    $_SESSION['client_username'] = $info['client_username'];
    $_SESSION['client_password'] = $info['client_password'];

    echo '<script>alert("Welcome Back");</script>';
    echo '<meta http-equiv="Refresh" content="0;URL=pv.php">';
}
于 2011-11-29T10:46:12.930 回答
1

您的登录代码包含导致安全问题的严重缺陷。简而言之:magic_quotes 兼容性SQL 注入。我不覆盖它们。您在问题中强调的问题是|||在第一阶段if条款中的意思:

  if (!$_POST['client_username'] || !$_POST['client_password'])
                                 ^^

请参阅逻辑运算符文档。您使用了按位运算符Docs

于 2011-11-29T10:48:26.850 回答