2013-05-01 75 views
0

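Redirecting admin and user after login

I'm new to PHP and am creating a simple login and booking system. I'm stuck on validating the login page. It should redirect the user to the user menu or the admin menu, but for some reason, even when the password is correct, it always returns "Incorrect password, please try again. Click Here to Log In". What is the problem?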


checkLogin1.php

<?php 
// Connects to your Database 
mysql_connect("localhost", "root", "") or die(mysql_error()); 
mysql_select_db("maxizoo") or die(mysql_error()); 
//Checks if there is a login cookie 
if (isset($_COOKIE['ID_my_site'])) { 
//if there is, it logs you in and directs you to the members page 
    $uid = $_COOKIE['ID_my_site']; 
    $pass = $_COOKIE['Key_my_site']; 
    $check = mysql_query("SELECT * FROM registrants WHERE userid = '$uid'") or die(mysql_error()); 
    while ($info = mysql_fetch_array($check)) { 
     if ($pass != $info['password']) { 

     } else { 
      if ($info['admin'] == '1') { // check the value of the 'admin' in the db 
       //go to admin area 
       header("Location: adminMenu.php"); 
      } else { 
       //go to members area 
       header("Location: studentMenu.php"); 
      } 
     } 
    } 
} 
//if the login form is submitted 
if (isset($_POST['submit'])) { // if form has been submitted 
    // makes sure they filled it in 
    if (!$_POST['uid'] | !$_POST['pass']) { 
     die('You did not fill in a required field.'); 
    } 
    // checks it against the database 
    if (!get_magic_quotes_gpc()) { 

    } 
    $check = mysql_query("SELECT * FROM registrants WHERE userid = '" . $_POST['uid'] . "'") or die(mysql_error()); 
    //Gives error if user doesn't exist 
    $check2 = mysql_num_rows($check); 
    if ($check2 == 0) { 
     die('That user does not exist in our database. <a href=registration.php>Click Here to Register</a>'); 
    } 
    while ($info = mysql_fetch_array($check)) { 
     $_POST['pass'] = stripslashes($_POST['pass']); 
     $info['password'] = stripslashes($info['password']); 
     $_POST['pass'] = md5($_POST['pass']); 
     //gives error if the password is wrong 
     if ($_POST['pass'] != $info['password']) { 
      die('Incorrect password, please try again. <a href=login.php>Click Here to Log In</a>'); 
     } else { 
      // if login is ok then we add a cookie 
      $_POST['uid'] = stripslashes($_POST['uid']); 
      $hour = time() + 3600; 
      setcookie('ID_my_site', $_POST['uid'], $hour); 
      setcookie('Key_my_site', $_POST['pass'], $hour); 
      //then redirect them to the members area 
      header("Location: studentMenu.php"); 
     } 
    } 
} else { 
    // if they are not logged in 
    ?> 
    <form action="checkLogin1.php" method="post"> 
     <table border='1' cellpadding='5' cellspacing='0' bordercolor='#FF9900' bgcolor="#CCFFFF"> 
      <tr><td colspan=2><h1>Login</h1></td></tr> 
      <tr><td>User ID:</td><td> 
        <input type="text" name="uid" maxlength="40"> 
       </td></tr> 
      <tr><td>Password:</td><td> 
        <input type="password" name="pass" maxlength="50"> 
       </td></tr> 
      <tr><td colspan="2" align="right"> 
        <input type="submit" name="submit" value="Login"> 
       </td></tr> 
     </table> 
     <br /> 
     <a href="/hrd/orig/registration.php">Register Here</a> 
    </form> 
    <?php 
} 
?> 
+0

So, I assume we're looking at checkLogin1.php? – 2013-05-01 12:29:04

+0

Yes, this is checkLogin1.php – user2339288 2013-05-01 12:30:23

+0

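First, you should stop using the mysql_* functions and start using the mysqli_* or PDO functions. Second, your code has an SQL injection problem: you are taking user input ($_POST) and putting it directly into an SQL query without any form of escaping. If you don't switch to mysqli, PDO or some other kind of database access, at least use http://php.net/manual/en/function.mysql-real-escape-string.php. Third, as a fresh PHP user, I would suggest you use a pre-rolled authentication system rather than building your own, because there are too many pitfalls that you won't be aware of. – Anigel 2013-05-01 12:32:00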

Answers

0

I think it's this:

$check = mysql_query("SELECT * FROM registrants WHERE userid = '$uid'")or die(mysql_error()); 

It's just doing a query for '$uid', and not the value of the user ID. Try this:

$check = mysql_query("SELECT * FROM registrants WHERE userid = '".$uid."'")or die(mysql_error()); 

That should do the trick!

+0

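Although this is recommended to make the code cleaner, it is not necessarily the problem; when a string in PHP uses double quotes, variables are parsed inside it (see [here](http://www.php.net/manual/en/language.types.string.php#language.types.string.parsing) for more details) – 2013-05-01 12:27:29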

+0

Thanks Chris, I did wonder whether there was an automatic parsing doohickey :) – Chris 2013-05-01 12:28:13

0

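If the users in the database table have non-hashed passwords, then comparing those passwords against an MD5 version will fail every time. In your registration logic, the following should be (roughly) what you need: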

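... 
$p = md5($_POST['newpassword']); // must match the md5() applied at login 
$u = mysql_real_escape_string($_POST['userid']); // escape user input before it goes into the query 
$q = "INSERT INTO registrants (userid, password) VALUES ('" 
     . $u . "', '" . $p . "')"; 
// Execute query as normal 
...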
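
An added example (not from the question or from any answer on this page) of the login check written the way Anigel's comment and the answer above point to: a parameterised PDO query instead of a string-built `mysql_query`, and the same hashing scheme at registration and at login. It swaps the page's `md5()` for PHP's `password_hash()`/`password_verify()`, and it assumes an in-memory SQLite table and constructed accounts so that it runs stand-alone; the function names `register` and `loginTarget` are hypothetical.

```php
<?php
// Added example: in-memory SQLite table standing in for the page's `registrants`
// table (columns userid, password, admin are the ones used in the question).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE registrants (
    userid TEXT PRIMARY KEY, password TEXT NOT NULL, admin INTEGER NOT NULL DEFAULT 0)');

// Registration: store a salted hash of the password.
// password_hash() is used here in place of the md5() shown on the page.
function register(PDO $db, string $uid, string $pass, bool $admin = false): void
{
    $stmt = $db->prepare('INSERT INTO registrants (userid, password, admin) VALUES (?, ?, ?)');
    $stmt->execute([$uid, password_hash($pass, PASSWORD_DEFAULT), (int) $admin]);
}

// Login: returns the page to redirect to, or null when the credentials are wrong.
// The user id is bound as a parameter, so quotes in it cannot change the query.
function loginTarget(PDO $db, string $uid, string $pass): ?string
{
    $stmt = $db->prepare('SELECT password, admin FROM registrants WHERE userid = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // A missing user and a wrong password are both rejected.
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null;
    }
    return ((int) $row['admin'] === 1) ? 'adminMenu.php' : 'studentMenu.php';
}

// Constructed sample accounts.
register($db, 'alice', 'correct horse', true);
register($db, 'bob', 'hunter2');

// Constructed login attempts, including an injection-style user id.
$attempts = [
    ['alice', 'correct horse'],
    ['bob', 'hunter2'],
    ['bob', 'wrong'],
    ["' OR '1'='1", 'x'],
];
foreach ($attempts as [$uid, $pass]) {
    $target = loginTarget($db, $uid, $pass);
    echo $uid, ' => ', $target ?? 'login rejected', PHP_EOL;
}
```

In a page handler, the non-null return value would be passed to `header("Location: ...")`, followed by `exit`.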