1. 首頁
  2. 問答
  3. PHP登錄(密碼)驗證

PHP登錄(密碼)驗證

2015-04-15 246 views
0

我目前正在爲我的php課程開展一個項目。該項目涉及製作登錄和註冊表單,並使用SQL查詢來驗證其信息。我大部分都可以工作,但如果從數據庫中鍵入電子郵件地址,並且您在密碼字段中輸入了任何內容(無論它是否正確),該頁面將允許您登錄。這裏是編碼,我有,用代碼首先顯示形式,命名爲「的login.php」:PHP登錄(密碼)驗證

<?php 
ini_set("display_errors","on"); 
error_reporting(E_ALL | E_STRICT); 
$labels = array("email" => "Email:", 
"password" => "Password:"); 
$submit = "Submit"; 
?> 
<!DOCTYPE HTML> 
<html> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 
<title>Login Form</title> 
</head> 

<body> 
<h2>Login Form</h2> 
<?php 
echo "<form action='' method='POST'>"; 
foreach($labels as $field => $label) 
{ 
    if($field != "password") 
    { 
     echo("<div class='field'><label for='$field'>$label</label> 
      <input type='text' name='$field' id='$field' value='"[email protected]$$field."'></div>\n"); 
    } 
    else 
    { 
     echo("<div class='field'><label for='$field'>$label</label> 
      <input type='password' name='$field' id='$field' value='"[email protected]$$field."'></div>\n"); 
    } 
} 
echo"<div class='field'><input type='hidden' name='submitted' value='yes'> 
    <input type='submit' name='submit' value='$submit'></div>"; 
?> 
</body> 
</html>

下面的代碼驗證:

<?php 
ini_set("display_errors","on"); 
error_reporting(E_ALL | E_STRICT); 
include("dbinfo2.inc"); 
?> 
<!DOCTYPE HTML> 
<html> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 
<title>Untitled Document</title> 
<link href="css/styles.css" rel="stylesheet" type="text/css" /> 
</head> 

<body> 
<?php 
if(isset($_POST['submitted']) and $_POST['submitted'] == "yes") 
{ 
    foreach($_POST as $field => $value) 
    { 
     if(empty($value) or !empty($value)) 
     { 
      $email_patt = "/^[email protected]+\\..+$/"; 
      if(preg_match("/email/i",$field)) 
      { 
       if(!preg_match($email_patt,$value)) 
       { 
        $error_array[] = $field; 
       } 
      } 
      if(preg_match("/password/i",$field)) 
      { 
       if(empty($value)) 
       { 
        $error_array[] = $field; 
       } 
      } 
      $good_data[$field] = strip_tags(trim($value)); 
     } 
    } 
    if(@sizeof($error_array) > 0) 
    { 
     $message = "<p class='error'>Your login information is incorrect.</p>"; 
     echo $message; 
     extract($good_data); 
     include("login.php"); 
     exit(); 
    } 
    else 
    { 
     $cxn = mysqli_connect($host,$user,$passwd,$dbname) or die("Couldn't connect to server."); 
     foreach($good_data as $field => $value) 
     { 
      $clean_data[$field] = mysqli_real_escape_string($cxn,$value); 
     } 
     $sql = "select * from customerdata where email='$good_data[email]' and password='$good_data[password]'"; 
     $result = mysqli_query($cxn,$sql) or die("<p class='error'>Login information is invalid.</p>"); 
     include("success.php"); 
    } 
} 
else 
{ 
    include("login.php"); 
} 
?> 
</body> 
</html>

什麼我需要改變使這個功能正確?

來源

2015-04-15 Jordan U.

+1

您不應該遍歷POST值,爲輸入使用一個合適的名稱,只需根據數據庫檢查該值,就會使其複雜化。對於生產站點,您絕不會這樣做,您不會存儲密碼,您可以存儲鹽漬散列。 – adeneo

回答

1

您的成功/失敗條件不應該是mysqli_query調用的結果。這隻會表明查詢是否成功執行。 (http://php.net/manual/en/mysqli.query.php

您登錄始終成功,因爲您的查詢在語法上是有效的並且運行時沒有錯誤。

您需要檢查返回的行數以確認其中只有一行。

來源

2015-04-15 20:32:36 cmason

相關問題

 相關問題