0
我目前正在爲我的php課程開展一個項目。該項目涉及製作登錄和註冊表單,並使用SQL查詢來驗證其信息。我大部分都可以工作,但如果從數據庫中鍵入電子郵件地址,並且您在密碼字段中輸入了任何內容(無論它是否正確),該頁面將允許您登錄。這裏是編碼,我有,用代碼首先顯示形式,命名爲「的login.php」:PHP登錄(密碼)驗證
<?php
ini_set("display_errors","on");
error_reporting(E_ALL | E_STRICT);
$labels = array("email" => "Email:",
"password" => "Password:");
$submit = "Submit";
?>
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Login Form</title>
</head>
<body>
<h2>Login Form</h2>
<?php
echo "<form action='' method='POST'>";
foreach($labels as $field => $label)
{
if($field != "password")
{
echo("<div class='field'><label for='$field'>$label</label>
<input type='text' name='$field' id='$field' value='"[email protected]$$field."'></div>\n");
}
else
{
echo("<div class='field'><label for='$field'>$label</label>
<input type='password' name='$field' id='$field' value='"[email protected]$$field."'></div>\n");
}
}
echo"<div class='field'><input type='hidden' name='submitted' value='yes'>
<input type='submit' name='submit' value='$submit'></div>";
?>
</body>
</html>
下面的代碼驗證:
<?php
ini_set("display_errors","on");
error_reporting(E_ALL | E_STRICT);
include("dbinfo2.inc");
?>
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Untitled Document</title>
<link href="css/styles.css" rel="stylesheet" type="text/css" />
</head>
<body>
<?php
if(isset($_POST['submitted']) and $_POST['submitted'] == "yes")
{
foreach($_POST as $field => $value)
{
if(empty($value) or !empty($value))
{
$email_patt = "/^[email protected]+\\..+$/";
if(preg_match("/email/i",$field))
{
if(!preg_match($email_patt,$value))
{
$error_array[] = $field;
}
}
if(preg_match("/password/i",$field))
{
if(empty($value))
{
$error_array[] = $field;
}
}
$good_data[$field] = strip_tags(trim($value));
}
}
if(@sizeof($error_array) > 0)
{
$message = "<p class='error'>Your login information is incorrect.</p>";
echo $message;
extract($good_data);
include("login.php");
exit();
}
else
{
$cxn = mysqli_connect($host,$user,$passwd,$dbname) or die("Couldn't connect to server.");
foreach($good_data as $field => $value)
{
$clean_data[$field] = mysqli_real_escape_string($cxn,$value);
}
$sql = "select * from customerdata where email='$good_data[email]' and password='$good_data[password]'";
$result = mysqli_query($cxn,$sql) or die("<p class='error'>Login information is invalid.</p>");
include("success.php");
}
}
else
{
include("login.php");
}
?>
</body>
</html>
什麼我需要改變使這個功能正確?
您不應該遍歷POST值,爲輸入使用一個合適的名稱,只需根據數據庫檢查該值,就會使其複雜化。對於生產站點,您絕不會這樣做,您不會存儲密碼,您可以存儲鹽漬散列。 – adeneo