2014-09-21 81 views
0

我可以註冊一個用戶,但是當我嘗試用它登錄,我有2個問題:我的登錄信息將無法正常工作

1:我可以登錄使用的用戶名,但我也能鍵入任何我想要的密碼輸入部分,我仍然登錄(它不檢查數據庫中的真實密碼)

2:當我嘗試使用電子郵件和密碼的組合,然後我無法登錄在我只收到錯誤消息。

我在想問題在於我的$query select FROM members bla bla ...但我不確定。
對不起,這樣的菜鳥。

這是register.php

<form method="post" action=""> 

<input type="text" name="username" placeholder="USERNAME"> 

<input type="password" name="password1" placeholder="PASSWORD"> 

<input type="password" name="password2" placeholder="CONFIRM PASSWORD"> 

<input type="text" name="email" placeholder="E-MAIL"> 

<input type="date" name="age" id="age" > 


<input type="radio" value="male" name="gender" checked> 
<input type="radio" value="female" name="gender"> 


<input type="submit" value="SIGN UP" name="create_member"> 
</form> 



<?php 

require_once ("core/connect.php"); 

if(isset($_POST['create_member'])) 
{ 
    $username = mysqli_real_escape_string($dbc, trim ($_POST['username'])); 
    $password1 = mysqli_real_escape_string($dbc, trim ($_POST['password1'])); 
    $password2 = mysqli_real_escape_string($dbc, trim ($_POST['password2'])); 
    $email = mysqli_real_escape_string($dbc, trim ($_POST['email'])); 
    $age = mysqli_real_escape_string($dbc, trim ($_POST['age'])); 
    $gender = mysqli_real_escape_string($dbc, trim ($_POST['gender'])); 

    if($password1 != $password2) 
    { 
     echo 'THE TWO PASSWORDS ARE NOT THE SAME'; 
    } 

    $hash = hash('sha256', $password1); 

    function createSalt() 
    { 
     $text = md5(uniqid(rand(), true)); 
     return substr($text, 0, 3); 
    } 

    $salt = createSalt(); 
    $password = hash('sha256', $salt . $hash); 

    if(!empty($username) && !empty($email) && !empty($password) && !empty($age) && !empty($gender)) 

    { 
     $query_ind = "INSERT INTO members VALUES ('', '$username', '$password', '$email', '$age' , '$gender', '$salt', NOW())"; 
     mysqli_query($dbc, $query_ind); 

    } 
    else 
    { 
     echo "FILL OUT THE FORM PLEASE"; 
    } 
} 
?> 

,這是login.php中

<?php 

$error_msg = ''; 

    if (isset($_POST['member_login'])) 
    { 
     // Grab the user-entered log-in data 
     $member_username = mysqli_real_escape_string($dbc, trim($_POST['username'])); 
     $member_email = mysqli_real_escape_string($dbc, trim($_POST['username'])); 
     $member_password = mysqli_real_escape_string($dbc, trim($_POST['password'])); 


     if (!empty($member_username) && !empty($member_password)) 
     { 
      // Look up the username and password in the database 
      $query = "SELECT * FROM members WHERE member_username = '$member_username' OR member_email = '$member_email' AND member_password = '$member_password'"; // SHA('$member_password')"; 

      $data = mysqli_query($dbc, $query); 

      if (mysqli_num_rows($data) == 1) 
      { 
       // The log-in is OK so set the user ID and username session vars (and cookies), and redirect to the home page 
       $row = mysqli_fetch_array($data); 

       $_SESSION['member_id'] = $row['member_id']; 
       $_SESSION['member_username'] = $row['member_username']; 
       $_SESSION['member_email'] = $row['member_email']; 

       setcookie('member_id', $row['member_id'], time() + (60 * 60 * 24 * 7)); // expires in 7 days 
       setcookie('member_username', $row['member_username'], time() + (60 * 60 * 24 * 7)); // expires in 7 days 
       setcookie('member_email', $row['member_email'], time() + (60 * 60 * 24 * 7)); // expires in 7 days 

       header('Location: ' . $_SERVER['PHP_SELF'] . '?page=mlog_in'); 


      } 
      else 
      { 
       // The username/password are incorrect so set an error message 
       $error_msg = ' INCORRECT INFOMATION, TRY AGAIN. '; 
      } 
     } 
     else 
     { 
     // The username/password weren't entered so set an error message 
     $error_msg = ' INCORRECT INFOMATION, TRY AGAIN. '; 
     } 
    } 

    mysqli_close($dbc); 

if(!isset($_SESSION['member_id'])) 
{ 
    ?> 
      <div class="sixteen columns"> 
      <h2>LOGIN</h2> 
      <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post" class="sixteen columns"> 

      <input required type="text" name="username" placeholder="USERNAME/E-MAIL"/> 
      <input required type="password" name="password" placeholder="PASSWORD" /> 

      <input required type="submit" name="member_login" value="LOGIN" /> 

      <input type="checkbox" name="remember" value="1"><span>REMEMBER ME</span> 

       <?php 
        echo '<p>' . $error_msg . '</p>'; 
       ?> 

      <?php 
      echo '<a href="index.php?page=register" title="CLICK TO SIGN UP">MAKE A PROFILE</a>'; 
      ?> 


     </form> 
     </div> 

    <?php 
} 


    else 
{ 
    $profile = ''; 
    if(isset($_GET['profile'])) 
    { 
     $profile = $_GET['profile']; 
    } 

    ?> 


    <?php 
     switch($profile) 
     { 

      default : 
       require_once 'profile/userpage.php'; 
      break; 

     } 
} 

?> 
+1

您需要使用密碼對鹽進行散列。並且您不重新計算它以驗證密碼。 – 2014-09-21 00:55:22

+0

「重新計算」它來驗證密碼是什麼意思? – 2014-09-21 01:29:19

回答

0

你的SQL查詢只要符合member_username = '$member_username'member_email = '$member_email' AND member_password = '$member_password' 嘗試將其更改爲

SELECT * 
FROM members 
WHERE member_password = '$member_password' 
AND (member_username = '$member_username' OR member_email = '$member_email'); 

請參閱Operator Precedence in Mysql for m礦石信息。

1

有兩個問題與您的登錄。兩者都與您的SELECT有關,但是由於不同的原因。

首先,邏輯運算符AND和OR只是:運營商。像數學運算符一樣,它們有一個操作順序。 與添加之前進行乘法的方式相同,您可以在OR之前進行。

現在讓我們來仔細看看你的選擇,而對於清晰度替代幾個變量。

WHERE username=$username OR email=$email AND password=$password 

如果我們按照操作順序的意思是「email = $ email and password = $ password」將首先被評估。如果他們試圖使用用戶名登錄,這將始終是錯誤的,因爲用戶名不等於電子郵件。新的公式是這樣的:

WHERE username=$username OR false 

因爲他們正試圖用一個用戶名登錄,則表達式的第一部分將評估爲真,這意味着整個表達式的值爲true。這就是爲什麼當你嘗試用用戶名登錄時,使用什麼密碼並不重要。

現在,如果他們試圖利用電子郵件進行登錄。在這種情況下,您忘記了散列密碼,因此數據庫密碼永遠不會匹配密碼變量。

希望清除它。