2017-02-08 75 views
2

I have an XAMPP-based web server on which I installed an attendance system. I have 10 users who each log in separately to their attendance registration page, and the login accepts any password and never gives a wrong-password error. For example, you enter the username [email protected] & password gfjhgh, it accepts it and goes to the index page; the original password is 123456, but it accepts whatever you type. Please tell me how to fix this. It should say that you entered the wrong password and you cannot log in. The login page accepts any password.

The code is as follows: the complete sign-in.php

<?php 
// Check if install.php is present 
if(is_dir('install')) { 
    header("Location: install/install.php"); 
} else { 
    if(!isset($_SESSION)) session_start(); 

    // Access DB Info 
    include('config.php'); 

    // Get Settings Data 
    include ('includes/settings.php'); 
    $set = mysqli_fetch_assoc($setRes); 

    // Include Functions 
    include('includes/functions.php'); 

    // Include Sessions & Localizations 
    include('includes/sessions.php'); 

    // Check if the User is all ready signed in 
    if ((isset($_SESSION['tz']['userId'])) && ($_SESSION['tz']['userId'] != '')) { 
     header('Location: index.php'); 
    } 

    $msgBox = ''; 
    $installUrl = $set['installUrl']; 
    $siteName = $set['siteName']; 
    $siteEmail = $set['siteEmail']; 

    // Account Log In 
    if (isset($_POST['submit']) && $_POST['submit'] == 'signIn') { 
     if($_POST['emailAddy'] == '') { 
      $msgBox = alertBox($accEmailReq, "<i class='fa fa-times-circle'></i>", "danger"); 
     } else if($_POST['password'] == '') { 
      $msgBox = alertBox($accPassReq, "<i class='fa fa-times-circle'></i>", "danger"); 
     } else { 
      $usrEmail = htmlspecialchars($_POST['emailAddy']); 

      $check = "SELECT userId, userFirst, userLast, isActive FROM users WHERE userEmail = '".$usrEmail."'"; 
      $res = mysqli_query($mysqli, $check) or die('-1' . mysqli_error($mysqli)); 
      $row = mysqli_fetch_assoc($res); 
      $count = mysqli_num_rows($res); 

      if ($count > 0) { 
       // If the account is Active - Allow the login 
       if ($row['isActive'] == '1') { 
        $userEmail = htmlspecialchars($_POST['emailAddy']); 
        $password = encodeIt($_POST['password']); 

        if($stmt = $mysqli -> prepare(" 
              SELECT 
               userId, 
               userEmail, 
               userFirst, 
               userLast, 
               location, 
               superUser, 
               isAdmin 
              FROM 
               users 
              WHERE 
               userEmail = ? 
               AND password = ? 
        ")) { 
         $stmt -> bind_param("ss", 
              $userEmail, 
              $password 
         ); 
         $stmt -> execute(); 
         $stmt -> bind_result(
            $userId, 
            $userEmail, 
            $userFirst, 
            $userLast, 
            $location, 
            $superUser, 
            $isAdmin 
         ); 
         $stmt -> fetch(); 
         $stmt -> close(); 

         if (!empty($userId)) { 
          if(!isset($_SESSION))session_start(); 
          $_SESSION['tz']['userId']  = $userId; 
          $_SESSION['tz']['userEmail'] = $userEmail; 
          $_SESSION['tz']['userFirst'] = $userFirst; 
          $_SESSION['tz']['userLast']  = $userLast; 
          $_SESSION['tz']['location']  = $location; 
          $_SESSION['tz']['superUser'] = $superUser; 
          $_SESSION['tz']['isAdmin']  = $isAdmin; 

          // Add Recent Activity 
          $activityType = '1'; 
          $tz_uid = $userId; 
          $activityTitle = $userFirst.' '.$userLast.' '.$accSignInAct; 
          updateActivity($tz_uid,$activityType,$activityTitle); 

          // Update the Last Login Date for User 
          $sqlStmt = $mysqli->prepare("UPDATE users SET lastVisited = NOW() WHERE userId = ?"); 
          $sqlStmt->bind_param('s', $userId); 
          $sqlStmt->execute(); 
          $sqlStmt->close(); 

          header('Location: index.php'); 
         } else { 
          // Add Recent Activity 
          $activityType = '0'; 
          $tz_uid = '0'; 
          $activityTitle = $accSignInErrAct; 
          updateActivity($tz_uid,$activityType,$activityTitle); 

          $msgBox = alertBox($accSignInErrMsg, "<i class='fa fa-warning'></i>", "warning"); 
         } 
        } 
       } else { 
        // Add Recent Activity 
        $activityType = '0'; 
        $tz_uid = $row['userId']; 
        $activityTitle = $row['userFirst'].' '.$row['userLast'].' '.$signInUsrErrAct; 
        updateActivity($tz_uid,$activityType,$activityTitle); 

        // If the account is not active, show a message 
        $msgBox = alertBox($inactAccMsg, "<i class='fa fa-warning'></i>", "warning"); 
       } 
      } else { 
       // Add Recent Activity 
       $activityType = '0'; 
       $tz_uid = '0'; 
       $activityTitle = $noAccSignInErrAct; 
       updateActivity($tz_uid,$activityType,$activityTitle); 

       // No account found 
       $msgBox = alertBox($noAccSignInErrMsg, "<i class='fa fa-times-circle'></i>", "danger"); 
      } 
     } 
    } 

    // Reset Account Password 
    if (isset($_POST['submit']) && $_POST['submit'] == 'resetPass') { 
     // Validation 
     if ($_POST['accountEmail'] == "") { 
      $msgBox = alertBox($accEmailReq, "<i class='fa fa-times-circle'></i>", "danger"); 
     } else { 
      $usrEmail = htmlspecialchars($_POST['accountEmail']); 

      $query = "SELECT userEmail FROM users WHERE userEmail = ?"; 
      $stmt = $mysqli->prepare($query); 
      $stmt->bind_param("s",$usrEmail); 
      $stmt->execute(); 
      $stmt->bind_result($emailUser); 
      $stmt->store_result(); 
      $numrows = $stmt->num_rows(); 

      if ($numrows == 1) { 
       // Generate a RANDOM Hash for a password 
       $randomPassword = uniqid(rand()); 

       // Take the first 8 digits and use them as the password we intend to email the Employee 
       $emailPassword = substr($randomPassword, 0, 8); 

       // Encrypt $emailPassword for the database 
       $newpassword = encodeIt($emailPassword); 

       //update password in db 
       $updatesql = "UPDATE users SET password = ? WHERE userEmail = ?"; 
       $update = $mysqli->prepare($updatesql); 
       $update->bind_param("ss", 
             $newpassword, 
             $usrEmail 
            ); 
       $update->execute(); 

       $qry = "SELECT userId, userFirst, userLast, isAdmin FROM users WHERE userEmail = '".$usrEmail."'"; 
       $results = mysqli_query($mysqli, $qry) or die('-2' . mysqli_error($mysqli)); 
       $row = mysqli_fetch_assoc($results); 
       $theUser = $row['userId']; 
       $isAdmin = $row['isAdmin']; 
       $userName = $row['userFirst'].' '.$row['userLast']; 

       if ($isAdmin == '1') { 
        // Add Recent Activity 
        $activityType = '3'; 
        $activityTitle = $userName.' '.$admPassResetAct; 
        updateActivity($theUser,$activityType,$activityTitle); 
       } else { 
        // Add Recent Activity 
        $activityType = '3'; 
        $activityTitle = $userName.' '.$usrPassResetAct; 
        updateActivity($theUser,$activityType,$activityTitle); 
       } 

       $subject = $siteName.' '.$resetPassEmailSub; 

       $message = '<html><body>'; 
       $message .= '<h3>'.$subject.'</h3>'; 
       $message .= '<p>'.$resetPassEmail1.'</p>'; 
       $message .= '<hr>'; 
       $message .= '<p>'.$emailPassword.'</p>'; 
       $message .= '<hr>'; 
       $message .= '<p>'.$resetPassEmail2.'</p>'; 
       $message .= '<p>'.$resetPassEmail3.' '.$installUrl.'sign-in.php</p>'; 
       $message .= '<p>'.$emailTankYouTxt.'<br>'.$siteName.'</p>'; 
       $message .= '</body></html>'; 

       $headers = "From: ".$siteName." <".$siteEmail.">\r\n"; 
       $headers .= "Reply-To: ".$siteEmail."\r\n"; 
       $headers .= "MIME-Version: 1.0\r\n"; 
       $headers .= "Content-Type: text/html; charset=UTF-8\r\n"; 

       mail($usrEmail, $subject, $message, $headers); 

       $msgBox = alertBox($resetPassMsg1, "<i class='fa fa-check-square'></i>", "success"); 
       $stmt->close(); 
      } else { 
       // Add Recent Activity 
       $activityType = '1'; 
       $tz_uid = '0'; 
       $activityTitle = $resetPassMsgAct; 
       updateActivity($tz_uid,$activityType,$activityTitle); 

       // No account found 
       $msgBox = alertBox($resetPassMsg2, "<i class='fa fa-times-circle'></i>", "danger"); 
      } 
     } 
    } 
} 
+0

Why select from 'users' a second time? '$row' should already have all the information; just also select the password field. The second thing I see is that the password check is based on 'if(!empty($userId))', which in turn is based on ['bind_result'](http://php.net/manual/en/mysqli-stmt.bind-result.php#refsect1-mysqli-stmt.bind-result-returnvalues). The docs say 'bind_result' returns false if binding fails (i.e. no rows were returned). Shouldn't that be the 'if' that decides between login and failure? – urban

+0

In general, I would change the logic to select all the required fields only once. Then (1) check the number of rows, (2) check active, (3) encode and compare the password... if any of the above fails, set a message and return – urban

+0

If you are going to use 'header()' to perform a redirect, you should use 'exit;' immediately after it. Otherwise you are executing the rest of the page for no reason. –
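The login flow urban's comments describe (one SELECT, then check that a row came back, that the account is active, and that the password matches, failing on the first miss) as an added example; this is not the asker's sign-in.php or the attendance system's own code. It uses PDO with an in-memory SQLite database so it runs offline, whereas the attendance system uses mysqli, and password_hash()/password_verify() stand in for the system's encodeIt(), which does not appear on the page. The accounts, names and example.com addresses are constructed sample data.

```php
<?php
// Added example, not the asker's sign-in.php: a fail-closed login check laid out
// the way urban's comment describes (select once, then check (1) that a row came
// back, (2) that the account is active, (3) that the password matches).
// PDO + in-memory SQLite so it runs offline; the attendance system itself uses
// mysqli. password_hash()/password_verify() stand in for its encodeIt(), which
// the page does not show.

function authenticate(PDO $db, string $email, string $password): array
{
    // One SELECT that fetches everything the decision needs, including the hash.
    $stmt = $db->prepare(
        'SELECT userId, userFirst, userLast, isActive, password
           FROM users
          WHERE userEmail = ?'
    );
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // (1) No row: the account does not exist. Same generic reason as a wrong
    //     password, so the form does not reveal which addresses are registered.
    if ($row === false) {
        return ['ok' => false, 'reason' => 'invalid-credentials'];
    }
    // (2) Account exists but is disabled.
    if ((string) $row['isActive'] !== '1') {
        return ['ok' => false, 'reason' => 'inactive'];
    }
    // (3) The login decision is the result of this comparison, not whether some
    //     out-variable happens to be non-empty afterwards.
    if (!password_verify($password, $row['password'])) {
        return ['ok' => false, 'reason' => 'invalid-credentials'];
    }
    return [
        'ok'     => true,
        'userId' => (int) $row['userId'],
        'name'   => $row['userFirst'] . ' ' . $row['userLast'],
    ];
}

// Constructed sample data (example.com addresses, not real accounts).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    userId    INTEGER PRIMARY KEY,
    userEmail TEXT NOT NULL UNIQUE,
    userFirst TEXT,
    userLast  TEXT,
    isActive  TEXT NOT NULL,
    password  TEXT NOT NULL)');
$ins = $db->prepare(
    'INSERT INTO users (userEmail, userFirst, userLast, isActive, password)
     VALUES (?, ?, ?, ?, ?)'
);
$ins->execute(['active@example.com',   'Ann', 'Active',   '1', password_hash('123456', PASSWORD_DEFAULT)]);
$ins->execute(['disabled@example.com', 'Dan', 'Disabled', '0', password_hash('123456', PASSWORD_DEFAULT)]);

$cases = [
    ['active@example.com',   '123456'],   // right password   -> login
    ['active@example.com',   'gfjhgh'],   // wrong password   -> refused
    ['disabled@example.com', '123456'],   // inactive account -> refused
    ['nobody@example.com',   '123456'],   // unknown address  -> refused
];
foreach ($cases as [$email, $pw]) {
    $r = authenticate($db, $email, $pw);
    printf("%-22s %-7s -> %s\n", $email, $pw,
        $r['ok'] ? 'login as ' . $r['name'] : 'refused (' . $r['reason'] . ')');
}
```

In a real sign-in page the caller would populate the session only on the 'ok' branch and then call header('Location: index.php') followed immediately by exit;, as the comment above notes; everything after the redirect would otherwise still run. The point of the structure is that nothing after the password comparison can turn a refused login into an accepted one.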

Answers

0

Place $stmt->store_result(); after $stmt->execute(); and before $stmt->bind_result(....);

Make sure to put $stmt->close() at the end of all your conditions.

And check what result your $userId actually returns before if (!empty($userId)) { .... }

+0

I added $stmt->store_result(); after $stmt->execute(); and before $stmt->bind_result(....); and made sure to put $stmt->close() at the end of all the conditions. But still all users can log in with any password like klklfjnbjfhg, while the original password is 123456 (could you guys please edit the whole code correctly and give it to me??) I am not a developer :( –

0

I added $stmt->store_result(); after $stmt->execute(); and before $stmt->bind_result(....); and made sure to put $stmt->close() at the end of all the conditions. But still all users can log in with any password like klklfjnbjfhg, while the original password is 123456