dpi9530 2013-12-16 22:13
浏览 46

PHP登录保持返回无效用户

I'm pretty sure I have this coded correctly, but I'm not entirely sure. This is for a simple login form, and I keep getting "Invalid User" returned whenever I try to login.

I'm checking MySQL database, and the entry is there. Here is my code in log.php:

<?php
session_name("MyLogin");
session_start();

if($_GET['action'] == "login") {
    $conn = mysql_connect("host","username","password"); // your       MySQL connection data
    $db = mysql_select_db("database"); //put your database name in here 
    $name = $_POST['user'];
    $q_user = mysql_query("SELECT * FROM USERS WHERE login='$name'");

    if(mysql_num_rows($q_user) == 1) {

        $query = mysql_query("                                      SELECT * FROM USERS WHERE       login='$name'");
        $data = mysql_fetch_array($query);
        if($_POST['pwd'] == $data['password']) { 
            session_register("name");
            header("Location: index.html"); // success page. put the URL you want 
            exit;
        } else {
            header("Location: login.php?login=failed&cause=".urlencode('Wrong Password'));
            exit;
        }
    } else {
        header("Location: login.php?login=failed&cause=".urlencode('Invalid User'));
        exit;
    }
}

// if the session is not registered
if(session_is_registered("name") == false) {
    header("Location: login.php");
}
?>
  • 写回答

1条回答 默认 最新

  • dongliao2241 2013-12-16 22:34
    关注

    There are several issues with your implementation:

    1. You're still using mysql_ functions; those are deprecated in favour of either PDO or mysqli.

    2. Because of #1 you're not using prepared statements either.

    3. Because of #2 and the fact that you're not properly escaping your variables in SQL your code is vulnerable against SQL injection attacks.

    4. You're storing passwords in plain text. You should use password hashing; if you're not using 5.5, you can use password_compat instead.

    5. The use of session_register() is deprecated; you should use the superglobal $_SESSION instead.

    Here's an example you could use to accomplish the same thing:

    $action = filter_input(INPUT_GET, 'action', FILTER_UNSAFE_RAW);

if ($action == 'login') {
    $user = filter_input(INPUT_POST, 'user', FILTER_UNSAFE_RAW);
    $password = filter_input(INPUT_POST, 'password', FILTER_UNSAFE_RAW);

    $dbh = new PDO('mysql:host=host;dbname=database;charset=utf8', 'username', 'password', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);

    $stmt = $dbh->prepare('SELECT * FROM `users` WHERE `login` = ?');
    $stmt->execute([$user]);

    if (($row = $stmt->fetch(PDO::FETCH_ASSOC)) !== false && password_verify($password, $row['password'])) {
        $_SESSION['user'] = $row;
        header("Location: index.html"); // success page. put the URL you want 
    } else {
        header("Location: login.php?login=failed&cause=".urlencode('Invalid User or password'));
    }
    exit;
}

if (!isset($_SESSION['user'])) {
    header("Location: login.php");
}
    评论

报告相同问题?

悬赏问题

  • ¥15 有了解d3和topogram.js库的吗?有偿请教
  • ¥100 任意维数的K均值聚类
  • ¥15 stamps做sbas-insar,时序沉降图怎么画
  • ¥15 unity第一人称射击小游戏,有demo,在原脚本的基础上进行修改以达到要求
  • ¥15 买了个传感器,根据商家发的代码和步骤使用但是代码报错了不会改,有没有人可以看看
  • ¥15 关于#Java#的问题,如何解决?
  • ¥15 加热介质是液体,换热器壳侧导热系数和总的导热系数怎么算
  • ¥100 嵌入式系统基于PIC16F882和热敏电阻的数字温度计
  • ¥15 cmd cl 0x000007b
  • ¥20 BAPI_PR_CHANGE how to add account assignment information for service line