1. 首頁
  2. 問答
  3. PHP登錄系統

PHP登錄系統

2016-11-24 194 views
-9

我正在爲我的網站創建一個登錄系統,但我沒有得到太多的運氣。我散列了這樣的密碼$pw = password_hash($pw, PASSWORD_BCRYPT, array('cost' => 14));,我被告知必須使用password_verify檢查登錄表上的密碼,然後再次檢查,但我不明白我必須做什麼。有人可以請一步一步解釋我必須做什麼嗎?PHP登錄系統

GLOBAL $username; 
GLOBAL $pw; 

if (empty($_POST["username"])) { 
       echo"fill in username to sign in"; 
       } else { 

       if (empty($_POST["pw"])) { 
       echo"fill in password to sign in"; 
       } else { 

//check if form is submitted 
if (isset($_POST['signin'])) { 

$username = mysqli_real_escape_string($conn, $_POST['username']); 
$pw = mysqli_real_escape_string($conn, $_POST['pw']); 

$valid = password_validate($password, $hash); 

$sql = mysqli_query($conn, "SELECT * FROM users WHERE username = '" . $username. "' and pw = '" . $pw. "'"); 

if ($row = mysqli_fetch_array($sql)) { 

     // if insert checked as successful echo username and password saved successfully 
     echo "successfully logged in"; 

} else { 
    $errormsg = "Incorrect username or Password!!!"; 
} 
} 
} 
}

來源

2016-11-24 mrpunani

+0

功能是'password_verify()','不password_validate()'。另外,你從哪裏得到'$ hash'?你將變量定義爲'$ pw',但試圖用它作爲'$ password'。 – Qirel

+0

你不會選擇'WHERE' PW是你的哈希.. password_hash每次都會創建一個新的鹽。不,您從數據庫中檢索散列並根據原始密碼輸入進行測試。 –

+0

轉義用戶名和密碼會導致更改用戶輸入的值。使用準備的參數化查詢 – RiggsFolly

回答

1

你的第一次嘗試確實沒有多少權利。

這裏是建議的過程你跟着

<?php  
    //check if form is submitted 
    if ($_SERVER['REQUEST_METHOD'] != 'POST' || 
     ! isset($_POST['signin'])) 
    { 
     // looks like a hack, send to index.php 
     header('Location: index.php'); 
     exit; 
    } 

    if (empty($_POST["username"])) { 
     echo 'fill in username to sign in'; 
    } 
    if (empty($_POST["pw"])) { 
     echo 'fill in password to sign in'; 
    } 

    // dangerous and unnecessary 
    // why would you risk changing the users username and password 

    //$username = mysqli_real_escape_string($conn, $_POST['username']); 
    //$pw = mysqli_real_escape_string($conn, $_POST['pw']); 

    // function does not exist 
    //$valid = password_validate($password, $hash); 


    // dangerous (SQL Injection) 
    // Wont work as you are using pw in the criteria and you dont know what pw is as it is a hash 
    //$sql = mysqli_query($conn, "SELECT * FROM users WHERE username = '" . $username. "' and pw = '" . $pw. "'"); 

    // you must select the password using only the username 
    // as the selection criteria 
    // also as the username was passed from the page its potentially 
    // dangerous so use a parameterized query 
    $sql = "SELECT pw FROM user WHERE username = ?"; 

    $stmt = mysqli_prepare($sql); 
    if (!$stmt) { 
     echo mysqli_error($conn); 
     exit; 
    } 

    $stmt->bind_param('s', $_POST['pw']); 
    $stmt->execute(); 

    if (!$stmt) { 
     echo mysqli_error($conn); 
     exit; 
    } 
    // we found a row with that username, 
    // now we need to check the password is correct 

    // get the password from the row 
    $stmt->bind_result($hashed_pwd); 
    $stmt->fetch(); 

    if (password_verify($_POST['pw'], $hashed_pwd)) { 
     // password verified 
     echo 'Login is valid'; 
    } else { 
     echo 'Incorrect username or Password!!!'; 
    } 
} 
?>

來源

2016-11-24 19:30:02 RiggsFolly

+0

你好。我還有一個問題。 ($ _SERVER ['REQUEST_METHOD']!='POST'|| !isset($ _ POST ['signin'])) { // //看起來像一個黑客,發送到index.php header('Location:index.php'); 退出; }' – mrpunani

+0

在我的home.php,profile.php等頁面上,用戶自動進入index.php。我該如何解決 ? – mrpunani

相關問題

 相關問題