1. 首頁
  2. 問答
  3. 如何禁用用戶帳戶php/mysql

如何禁用用戶帳戶php/mysql

2017-08-08 89 views
0

我想擁有可以啓用或禁用的用戶帳戶。如何禁用用戶帳戶php/mysql

我在我的表中設置爲yes或no的活動字段。

這是我的登錄頁面的代碼。

<?php 
/* User login process, checks if user exists and password is correct */ 

require_once 'includes/db.php'; 

// Escape email to protect against SQL injections 
$email = $mysqli->escape_string($_POST['email']); 
$result = $mysqli->query("SELECT * FROM dxd_membership WHERE email='$email'"); 
if ($result->num_rows == 0){ // User doesn't exist 
$_SESSION['message'] = "User with that email doesn't exist!"; 
header("location: error.php"); 
} 
else { // User exists 
    $user = $result->fetch_assoc(); 
$active = $mysqli->query("SELECT * FROM dxd_membership WHERE email = '$email' AND active = 'YES'"); 

if ($active == '1') 
{ 
    if (password_verify($_POST['password'], $user['password'])) { 
     $userid = $_SESSION['userid']; 
     $_SESSION['email'] = $user['email']; 
     $_SESSION['firstname'] = $user['firstname']; 
     $_SESSION['lastname'] = $user['lastname']; 
     $_SESSION['username'] = $user['username']; 
     $_SESSION['paynum'] = $user['paynum']; 
     $_SESSION['empnum'] = $user['empnum']; 
     $_SESSION['phone'] = $user['phone']; 
     $_SESSION['active'] = $user['active']; 
     $_SESSION['lastlogin'] = $user['lastlogin']; 
     $_SESSION['signup'] = $user['signup']; 
     $_SESSION['lastupdate'] = $user['lastupdate']; 

     // This is how we'll know the user is logged in 
     $_SESSION['logged_in'] = true; 

     $update = $mysqli->query("UPDATE dxd_membership SET lastlogin=NOW() WHERE email = '$email'"); 

     header("location: welcome.php"); 
    } 

    else { 
     $_SESSION['message'] = "You have entered wrong password please try again!"; 
     header("location: error.php"); 
    } 
} 

else { 
    header("location: disabled.php"); 
} 
} 
?>

我相信這是一個愚蠢的錯誤,我這裏有,但它不會檢查活動字段,然後要麼讓用戶登錄到頁面的welcome.php如果活躍是肯定的或發送給殘疾人。如果他們的帳戶活動被設置爲no(禁用),則爲php頁面。

任何人都可以幫助我糾正代碼,使其工作。

感謝

來源

2017-08-08 Boxecutor

+1

爲什麼'$ active =='1'',如果你得到一個回報,你知道活動是1. – chris85

回答

1

看,我看到你的代碼中的幾個問題。首先是對相同數據的雙重查詢。你可以簡化這整個事情到一個查詢。

另一個(也是更重要的)事實是,您只是將數據附加到SQL查詢中,MySQLi的整個目標是通過綁定參數來避免注入。所以一個 - 更多正確的方式做這將是這個:

編輯:escape_string避免這一點。我完全無視它。

<?php 
    /* User login process, checks if user exists and password is correct */ 

    require_once 'includes/db.php'; 

    // Escape email to protect against SQL injections 
    $email = $mysqli->escape_string($_POST['email']); 
    $result = $mysqli->query("SELECT * FROM dxd_membership WHERE email = '{$email}'"); 
    if ($result->num_rows == 0){ // User doesn't exist 
     $_SESSION['message'] = "User with that email doesn't exist!"; 
     header("Location: error.php"); 
     exit; // Add an "exit" here, because if you add something else, it will run too (even if you asked to redirect... basically is the browser the one that chooses if it follows the redirect or not, but your script still goes on). 
    } 
    else { // User exists 
     $user = $result->fetch_assoc(); 

     // There's no point in filtering using another MySQL query, since YOU ALREADY HAVE THIS DATA. Just use PHP to read it and act appropiately. 
     // Doing another query is just WASTING resources for no useful purpose. 
     //$active = $mysqli->query("SELECT * FROM dxd_membership WHERE email = '$email' AND active = 'YES'"); 
     if ($user['active'] == 'YES') { 
      // Your processing here, you get the idea 
     } 
    } 
?>

當然,最好的選擇是使用的MySQLi聲明和使用bind_param/execute。這個例子只是遵循你使用MySQLi的風格。

來源

2017-08-08 00:29:56

1

這是很明顯的

$active = $mysqli->query("SELECT * FROM dxd_membership WHERE email = '$email' AND active = 'YES'"); 

if ($active == '1') //<-- see it 
{ 
    if (password_verify($_POST['password'], $user['password']))

試試這個

if ($active->num_rows == 1) //or != 0 This is false or a result set.

即使你沒有在那裏提交了積極的價值(你有選擇*)你是否仍正在檢查字符串'1'針對字符串'YES'

備註我在4年左右沒有使用mysqli,因爲我使用PDO。所以這可能不是整個問題,但看起來似乎是錯誤的。

事實上,第二個查詢是不需要的,因爲您已經有了您要查找的數據,因此您可以更改它。

現在,如果您確定它們處於活動狀態,則它們始終爲YES$user已包含此數據,爲何不使用此類數據並保存查詢。

$email = $mysqli->escape_string($_POST['email']); 
$result = $mysqli->query("SELECT * FROM dxd_membership WHERE email='$email'"); 
if ($result->num_rows == 0){ // User doesn't exist 
    $_SESSION['message'] = "User with that email doesn't exist!"; 
    header("location: error.php"); 
}else { // User exists 
    $user = $result->fetch_assoc(); 
    /* comment these next 2 lines out when not debugging */ 
    echo "<pre>"; //whitespace formating 
    var_export($user); 

    if ($user['active'] == 'YES'){ 
    // ..... 



    } 
}

我不得不提的一件事是你應該看準備好的陳述。你可以找到這裏

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

信息,當你在一個SQL查詢並置,你應該使用準備好的語句來代替,因爲它會打開你的SQL注入攻擊的應用程序。現在,我看起來更接近您使用escape_string,雖然這是好的,但首選的方法是準備好語句。這是因爲在準備好的語句中,變量完全獨立於查詢命令,因此DB知道不會執行任何操作。即使轉義也可能存在邊緣情況,這可能是一個問題,我不知道有什麼說法,但是像使用十六進制引號的版本是我在例子中看到的東西,或者是數據庫中奇怪的字符串將看作是一個報價。

來源

2017-08-08 00:15:44 ArtisticPhoenix

+0

'$ active'可能是'1',但這是一個查詢資源,不是嗎?我會說'if($ active-> num_rows == 1)'更準確。 –

+0

@AlejandroIván - 看到我的更新,它可能被評估爲'1',只是因爲它不是假的。 – ArtisticPhoenix

+0

所以1應該是?對不起,如果愚蠢的問題,但我新的,因爲你無疑可以告訴我這樣仍在學習 – Boxecutor

相關問題

 相關問題