Php登錄問題

Question

以下是我的php登錄腳本，有一個問題。如果我把任何密碼，那麼它不驗證密碼，它會進入用戶面板頁面。哪裏是我的代碼中的錯誤，誰能告訴我正確的方向

N：B：我在PHP新也是新的在這個網站。

<?php 
if(isset($_POST['action']) && isset($_POST['action']) == 'Log In') 
{ 
$uname = mysql_real_escape_string(trim(htmlspecialchars($_POST['uname']))); 
$pass = mysql_real_escape_string(trim(htmlspecialchars($_POST['pass']))); 

$crytpass = hash('sha512','$pass'); 
$err = array(); 

include_once("toplevel/content/manage/dbcon/dbcon.php"); 

// check username 
$check_uname = mysql_query("SELECT uname FROM members WHERE uname = '$uname'"); 
$num_uname = mysql_num_rows($check_uname); 

// check password 
$check_pass = mysql_query("SELECT pass FROM members WHERE pass = '$crytpass'"); 
$num_pass = mysql_num_rows($check_pass); 

/// userid 

$userid = mysql_query("SELECT userid FROM members");  
$re = mysql_fetch_array($userid); 
$userid = (int) $re['userid']; 


if(isset($uname) && isset($pass)) 
{ 
    if(empty($uname) && empty($pass)) 
     $err[] = "All field required"; 
    else 
    { 
     // username validation process.... 

     if(empty($uname)) 
      $err[] = "Username required"; 
     else 
     { 
      if($num_uname == 0)   
      $err[] = "Username is not correct"; 
     } 

     // password validaiton process... 

     if(empty($pass)) 
      $err[] = "Password required";    
     else 
     { 
      if($num_pass == 0) 
      $err[] = "Password is not correct";   
     } 

    } 
} 

if(!empty($err)) 
{ 
    foreach($err as $er) 
    { 
     echo "<font color=red>$er<br></font>"; 
    } 
} 
else 
{ 
    include("user/include/newsession.php");     
     header("Location:user/index.php");      

} 

} 
?> 

Answer 1

所以很多事情都錯了

更換

if (isset ($_POST ['action']) && isset ($_POST ['action']) == 'Log In') { 

隨着

if (isset ($_POST ['action']) && $_POST ['action'] == 'Log In') { 

太多的東西來代替..堅持，而我重寫劇本適合你

編輯1

if (isset ($_POST ['action']) && $_POST ['action'] == 'Log In') { 
    $uname = prepareStr ($_POST ['uname']); 
    $pass = prepareStr ($_POST ['pass']); 
    $shaPass = hash ('sha512', $pass); 
    $errors = array(); 

    include_once ("toplevel/content/manage/dbcon/dbcon.php"); 

    if (! isset ($uname) || empty ($uname)) { 
     $err [] = "Empty Username not allowed"; 
    } 

    if (! isset ($pass) || empty ($pass)) { 
     $err [] = "Empty Password not allowed"; 
    } 

    if (count ($err) == 0) { 
     $mysqli = new mysqli ("localhost", "root", "", "test"); // Replace with 
                    // DB 
                    // Information 
     $result = "SELECT uname ,pass FROM members WHERE uname = '$uname' AND pass = '$shaPass'"; 

     if ($result->num_rows > 0) { 
      $err [] = "Invalid username or Password"; 
     } 

     if (count ($err) == 0 && $result) { 
      $userInfo = $result->fetch_assoc(); 
     /** 
     * You can do what every you like here 
     */ 
     } 
    } 

    if (count ($err) > 0) { 
     /** 
     * Kill the user 
     */ 

     echo "<pre>"; 

     foreach ($err as $value) { 
      echo $value . "\n"; 
     } 
     die ("Die! Die! Die!"); 
    } 

} 

function prepareStr($str) { 
    $str = htmlspecialchars ($str); 
    $str = trim ($str); 
    $str = mysql_real_escape_string ($str); 

    return $str; 
} 

感謝

Answer 2

你不應該告訴你的用戶，如果用戶名是錯誤的，這使得它更容易蠻力attemps破門而入。

<?php 
if(isset($_POST['action']) && $_POST['action'] == 'Log In') { 
    $userid = false; 
    $uname = mysql_real_escape_string(trim(htmlspecialchars($_POST['uname']))); 
    // or better 
    // $uname = filter_var($_POST['uname'], FILTER_SANITIZE_STRING); 
    $pass = $_POST['pass']; 

    $crytpass = hash('sha512',$pass); 
    $err = array(); 

    include_once("toplevel/content/manage/dbcon/dbcon.php"); 

    $q = mysql_query("SELECT userid FROM members WHERE uname = '$uname' AND pass='$cryptpass'"); 

    if(mysql_num_rows($q) > 0){ 
     $re = mysql_fetch_array($q); 
     $userid = (int) $re['userid']; 
    } else { 
     // username or password wrong 
    ) 

    if($userid) { 
     // successfull login 
    } 

}