-2
我有這個PHP登錄腳本,應該輸入用戶名&密碼,檢查它與MySQL中的值(通過SHA1加密的密碼),然後將用戶重定向到「dash.php」if登錄成功或者如果不成功則打印錯誤。然而,無論何時我提交表單,它只是重新加載login.php ...我在某處做了一個愚蠢的錯誤還是我錯過了什麼?很抱歉這個巨大的帖子!行爲不當登錄腳本
login.php中(含表格):
//Form Action
<?php
error_reporting(E_ALL);
ini_set('display_errors','1');
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
require ('scripts/mysqli_connect.php');
require ('scripts/login_functions.php');
list ($check, $data) = check_login($dbc, $_POST['username'], $_POST['password']);
if($check) {
redirect_user('dash.php');
} else {
$errors = $data;
}
mysqli_close($dbc);
}
?>
// Website HTML
//Form
<form class="contact-form" method="post" action="login.php">
<div class="col-sm-5 col-sm-offset-1">
<div class="form-group">
<label>Username: </label>
<input type="text" name="username" id="username" size="15" class="form-control" required="required" placeholder="username">
</div>
<div class="form-group">
<label>Password: </label>
<input type="password" name="password" id="password" size="15" class="form-control" required="required" placeholder="password">
</div>
<div class="form-group">
<input type="submit" name="submit" value="Login" />
</div>
</div>
</form>
login_functions.php:
<?php
function redirect_user ($page = '../login.php') {
$url = "http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
$url = rtrim($url, '/\\');
$url .= '/' . $page;
//Redirect User
header("Location: $url");
exit(); //Quit the script.
}
function check_login($dbc, $username = '', $password = '') {
$errors = array();
if(empty($username)) {
$errors[] = 'You forgot to enter your username.';
} else {
$u = mysqli_real_escape_string($dbc, trim($username));
}
if(empty($password)) {
$errors[] = 'you forgot to enter your passord.';
} else {
$p = mysqli_real_escape_string($dbc, trim($password));
}
if (empty($errors)) {
$q = "SELECT username, password FROM users WHERE username='$u' AND password=sha1('$p')";
$r = @mysqli_query ($dbc, $q);
//Check Results
if(mysqli_num_rows($r) == 1) {
$row = mysqli_fetch_array ($r, MYSQLI_ASSOC);
return array(true, $row);
} else {
$errors[] = 'The username/password combination is incorrect.';
}
}
}
?>
[您的腳本存在SQL注入風險。](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)。你應該[使用正確的方法來使用PHP哈希密碼](http://jayblanchard.net/proper_password_hashing_with_PHP.html)。 –
您是否在重定向之前打印了某些內容?如果標題已發送,則無法重定向 – oscargilfc
@JayBlanchard OP正在轉義查詢中的所有值。是的,他們應該使用綁定參數,但是這不像寫入的那樣脆弱。 –