2012-04-05 147 views
-6

以下是我的php登錄腳本,有一個問題。如果我把任何密碼,那麼它不驗證密碼,它會進入用戶面板頁面。哪裏是我的代碼中的錯誤,誰能告訴我正確的方向Php登錄問題

N:B:我在PHP新也是新的在這個網站。

<?php 
if(isset($_POST['action']) && isset($_POST['action']) == 'Log In') 
{ 
$uname = mysql_real_escape_string(trim(htmlspecialchars($_POST['uname']))); 
$pass = mysql_real_escape_string(trim(htmlspecialchars($_POST['pass']))); 

$crytpass = hash('sha512','$pass'); 
$err = array(); 

include_once("toplevel/content/manage/dbcon/dbcon.php"); 

// check username 
$check_uname = mysql_query("SELECT uname FROM members WHERE uname = '$uname'"); 
$num_uname = mysql_num_rows($check_uname); 

// check password 
$check_pass = mysql_query("SELECT pass FROM members WHERE pass = '$crytpass'"); 
$num_pass = mysql_num_rows($check_pass); 

/// userid 

$userid = mysql_query("SELECT userid FROM members");  
$re = mysql_fetch_array($userid); 
$userid = (int) $re['userid']; 


if(isset($uname) && isset($pass)) 
{ 
    if(empty($uname) && empty($pass)) 
     $err[] = "All field required"; 
    else 
    { 
     // username validation process.... 

     if(empty($uname)) 
      $err[] = "Username required"; 
     else 
     { 
      if($num_uname == 0)   
      $err[] = "Username is not correct"; 
     } 

     // password validaiton process... 

     if(empty($pass)) 
      $err[] = "Password required";    
     else 
     { 
      if($num_pass == 0) 
      $err[] = "Password is not correct";   
     } 

    } 
} 

if(!empty($err)) 
{ 
    foreach($err as $er) 
    { 
     echo "<font color=red>$er<br></font>"; 
    } 
} 
else 
{ 
    include("user/include/newsession.php");     
     header("Location:user/index.php");      

} 

} 
?> 
+1

我認爲你需要閱讀一些PHP基礎知識。我想你明白了基本的想法,你只需要弄清楚什麼時候使用什麼功能來達到目的。 – 2012-04-05 13:19:23

+0

爲什麼你要做三個不同的查詢來從你的'members'表中獲取數據?您在第一個查詢中選擇了一個字段,在下一個查詢中選擇了一些(不一定相關)用戶的加密密碼,然後在成員表中選擇*每個用戶id。 – Crontab 2012-04-05 13:19:27

+2

你應該做1查詢檢查所有發佈的值,溝這個代碼,並重新開始.. – 2012-04-05 13:20:26

回答

2

所以很多事情都錯了

更換

if (isset ($_POST ['action']) && isset ($_POST ['action']) == 'Log In') { 

隨着

if (isset ($_POST ['action']) && $_POST ['action'] == 'Log In') { 

太多的東西來代替..堅持,而我重寫劇本適合你

編輯1

if (isset ($_POST ['action']) && $_POST ['action'] == 'Log In') { 
    $uname = prepareStr ($_POST ['uname']); 
    $pass = prepareStr ($_POST ['pass']); 
    $shaPass = hash ('sha512', $pass); 
    $errors = array(); 

    include_once ("toplevel/content/manage/dbcon/dbcon.php"); 

    if (! isset ($uname) || empty ($uname)) { 
     $err [] = "Empty Username not allowed"; 
    } 

    if (! isset ($pass) || empty ($pass)) { 
     $err [] = "Empty Password not allowed"; 
    } 

    if (count ($err) == 0) { 
     $mysqli = new mysqli ("localhost", "root", "", "test"); // Replace with 
                    // DB 
                    // Information 
     $result = "SELECT uname ,pass FROM members WHERE uname = '$uname' AND pass = '$shaPass'"; 

     if ($result->num_rows > 0) { 
      $err [] = "Invalid username or Password"; 
     } 

     if (count ($err) == 0 && $result) { 
      $userInfo = $result->fetch_assoc(); 
     /** 
     * You can do what every you like here 
     */ 
     } 
    } 

    if (count ($err) > 0) { 
     /** 
     * Kill the user 
     */ 

     echo "<pre>"; 

     foreach ($err as $value) { 
      echo $value . "\n"; 
     } 
     die ("Die! Die! Die!"); 
    } 

} 

function prepareStr($str) { 
    $str = htmlspecialchars ($str); 
    $str = trim ($str); 
    $str = mysql_real_escape_string ($str); 

    return $str; 
} 

感謝

+0

非常感謝,@Baba我正在等待... – user1295995 2012-04-05 13:22:21

+2

kudo的這樣做... – 2012-04-05 13:22:26

+0

+1 @Hans Wassink爲表彰 – Baba 2012-04-05 13:31:22

1

你不應該告訴你的用戶,如果用戶名是錯誤的,這使得它更容易蠻力attemps破門而入。

<?php 
if(isset($_POST['action']) && $_POST['action'] == 'Log In') { 
    $userid = false; 
    $uname = mysql_real_escape_string(trim(htmlspecialchars($_POST['uname']))); 
    // or better 
    // $uname = filter_var($_POST['uname'], FILTER_SANITIZE_STRING); 
    $pass = $_POST['pass']; 

    $crytpass = hash('sha512',$pass); 
    $err = array(); 

    include_once("toplevel/content/manage/dbcon/dbcon.php"); 

    $q = mysql_query("SELECT userid FROM members WHERE uname = '$uname' AND pass='$cryptpass'"); 

    if(mysql_num_rows($q) > 0){ 
     $re = mysql_fetch_array($q); 
     $userid = (int) $re['userid']; 
    } else { 
     // username or password wrong 
    ) 

    if($userid) { 
     // successfull login 
    } 

}

+0

謝謝@Rufinus ... – user1295995 2012-04-05 13:29:16