登錄系統PHP程序準備語句

-1

如何測試我的登錄系統是否有結果？如果用戶名和密碼與數據庫中的相同。登錄系統PHP程序準備語句

這是整個代碼。問題是我可以用任何東西登錄（即使它在數據庫中，或者它不是）。

<?php 
$error=''; 


ini_set('display_errors', 1); 
ini_set('display_startup_errors', 1); 
error_reporting(E_ALL); 


if (isset($_POST['submit'])) { 
if (empty($_POST['login_username']) || empty($_POST['login_password'])) { 
$error = "Username or Password is invalid"; 
} 
else 
{ 

$username=$_POST['login_username']; 
$username= strtoupper($username); 
$password=$_POST['login_password']; 

$connect = mysqli_connect("localhost", "stringdot", "Ninja123") or die(mysqli_error()) ; 
$db = mysqli_select_db($connect, "ddbase") or die(mysqli_error($connect)); 

$password = hash('sha256', $password); 

if($stmt = mysqli_prepare($connect,"SELECT * from users where password=? AND username=?")){ 
    mysqli_stmt_bind_param($stmt, "ss", $password, $username); 
    mysqli_stmt_execute($stmt); 


if (!mysqli_stmt_error($stmt)) { 
session_start(); 
$_SESSION['logged'] = true; 
$_SESSION['login_username'] = $username; // Initializing Session 
header("location: ../public.php"); // Redirecting To Profile page 
exit(); 
} else { 
$_SESSION['logged']=false; 
$error = "Username or Password is invalid </br>"; 
echo $error; 
echo "Click <a href='/index.php'>aici</a> pentru a incerca din nou"; 
} 
mysqli_close($connect); 

} 
} 
} 
?>

來源

2017-06-19 StringShot

你存儲的密碼爲純文本還是你哈希呢？ –

是的......我使用SHA256 – StringShot

請使用***的[內置函數]（http://jayblanchard.net/proper_password_hashing_with_PHP.html）***來處理密碼安全性。如果您使用的PHP版本低於5.5，則可以使用'password_hash（）'[兼容包]（https://github.com/ircmaxell/password_compat）。 ***在散列之前，不需要[escape passwords]（http://stackoverflow.com/q/36628418/1011527）***或使用其他任何清理機制。這樣做*更改密碼並導致不必要的附加編碼。 –

您可以在$語句對象上直接測試是這樣，我相信

$result = mysqli_stmt_execute($stmt); 
if($result){ 
    $rows = mysqli_stmt_num_rows($stmt); 
    echo 'rows: '.$rows; 
    /* you should be able to use $rows for a logic test */ 
    if($rows == 1){/* one exact match */} 
    else{ /* Bad foo - more than one or none */ } 
}

<?php 
    session_start(); 

    error_reporting(E_ALL); 
    ini_set('display_errors', 1); 
    ini_set('display_startup_errors', 1); 


    if($_SERVER['REQUEST_METHOD']=='POST'){ 

     $username = !empty($_POST['login_username']) ? strtoupper($_POST['login_username']) : false; 
     $password = !empty($_POST['login_password']) ? hash('sha256', $_POST['login_password']) : false; 

     if($username && $password){ 


      $dbhost = 'localhost'; 
      $dbuser = 'stringdot'; 
      $dbpwd = 'Ninja123'; 
      $dbname = 'ddbase'; 
      $db  = new mysqli($dbhost, $dbuser, $dbpwd, $dbname); 

      $sql='select * from `users` where `password`=? and `username`=?'; 
      $stmt=$db->prepare($sql); 
      if($stmt){ 

       $stmt->bind_param('ss',$password,$username); 
       $result = $stmt->execute(); 
       $rows = $result ? $stmt->num_rows : 0; 

       if($rows == 1){ 
        $_SESSION['logged'] = true; 
        $_SESSION['login_username'] = $username; 
        exit(header('Location: ../public.php')); 
       } else { 
        $_SESSION['logged'] = false; 
        echo "Username or Password is invalid <br />Click <a href='/index.php'>aici</a> pentru a incerca din nou"; 
       } 
       $stmt->close(); 
      } 
      $db->close(); 
     } else { 
      /* either one or both are invalid */ 
      echo "Error: Both username & password are required"; 
     } 
    } 
?>

來源

2017-06-19 12:10:53 RamRaider

我把整個代碼理解我想做什麼 – StringShot

我試過了......現在我試過的任何失敗 – StringShot

只需在成功設置之前嘗試清除會話變量。 –

登錄系統PHP程序準備語句

回答

相關問題