1. 首頁
  2. 問答
  3. 行爲不當登錄腳本

行爲不當登錄腳本

2015-06-10 14 views
-2

我有這個PHP登錄腳本,應該輸入用戶名&密碼,檢查它與MySQL中的值(通過SHA1加密的密碼),然後將用戶重定向到「dash.php」if登錄成功或者如果不成功則打印錯誤。然而,無論何時我提交表單,它只是重新加載login.php ...我在某處做了一個愚蠢的錯誤還是我錯過了什麼?很抱歉這個巨大的帖子!行爲不當登錄腳本

login.php中(含表格):

//Form Action 
<?php 

error_reporting(E_ALL); 
ini_set('display_errors','1'); 

if ($_SERVER['REQUEST_METHOD'] == 'POST') { 

    require ('scripts/mysqli_connect.php'); 

    require ('scripts/login_functions.php'); 


    list ($check, $data) = check_login($dbc, $_POST['username'], $_POST['password']); 

    if($check) { 

     redirect_user('dash.php'); 
    } else { 
     $errors = $data; 
    } 

    mysqli_close($dbc); 
} 

?> 

// Website HTML 

//Form 
<form class="contact-form" method="post" action="login.php"> 
        <div class="col-sm-5 col-sm-offset-1"> 
         <div class="form-group"> 
          <label>Username: </label> 
          <input type="text" name="username" id="username" size="15" class="form-control" required="required" placeholder="username"> 
         </div> 
         <div class="form-group"> 
          <label>Password: </label> 
          <input type="password" name="password" id="password" size="15" class="form-control" required="required" placeholder="password"> 
         </div>       
         <div class="form-group"> 
          <input type="submit" name="submit" value="Login" /> 
         </div> 
        </div> 
       </form>

login_functions.php:

<?php 

function redirect_user ($page = '../login.php') { 
    $url = "http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']); 

    $url = rtrim($url, '/\\'); 

    $url .= '/' . $page; 

    //Redirect User 

    header("Location: $url"); 
    exit(); //Quit the script. 

} 


function check_login($dbc, $username = '', $password = '') { 
    $errors = array(); 

    if(empty($username)) { 
     $errors[] = 'You forgot to enter your username.'; 
    } else { 
     $u = mysqli_real_escape_string($dbc, trim($username)); 
    } 

    if(empty($password)) { 
     $errors[] = 'you forgot to enter your passord.'; 
    } else { 
     $p = mysqli_real_escape_string($dbc, trim($password)); 
    } 

    if (empty($errors)) { 

     $q = "SELECT username, password FROM users WHERE username='$u' AND password=sha1('$p')"; 
     $r = @mysqli_query ($dbc, $q); 


     //Check Results 

     if(mysqli_num_rows($r) == 1) { 

      $row = mysqli_fetch_array ($r, MYSQLI_ASSOC); 

      return array(true, $row); 
     } else { 
      $errors[] = 'The username/password combination is incorrect.'; 
     } 
    } 

} 


?>

來源

2015-06-10 htmlboss

+2

[您的腳本存在SQL注入風險。](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)。你應該[使用正確的方法來使用PHP哈希密碼](http://jayblanchard.net/proper_password_hashing_with_PHP.html)。 –

+0

您是否在重定向之前打印了某些內容?如果標題已發送,則無法重定向 – oscargilfc

+0

@JayBlanchard OP正在轉義查詢中的所有值。是的,他們應該使用綁定參數,但是這不像寫入的那樣脆弱。 –

回答

1

不必返回你的錯誤:

return array(true, $row); 
} else { 
    $errors[] = 'The username/password combination is incorrect.'; 
    $return array(false, $errors); 
}

而且你不顯示您錯誤:

// Website HTML 

<?php if ($errors):?>  
    <?php echo '<p>' . implode('</p><p>', $errors) . '<p>';?> 
<?php endif;?> 
//Form 
<form class="contact-form" method="post" action="login.php">

來源

2015-06-10 22:07:35 Steve

+0

史蒂夫的有益說明。首先檢查錯誤。你可以在你的瀏覽器上找到你的開發工具,點擊網絡部分,你將可以看到你的電話和響應數據。 –

相關問題

 相關問題