PHP登录..有更好的方法吗？

Question

Is there a better way to do this? 有一个更好的方法吗？

Can I start a session inside a class? 我可以在课堂上开始课程吗？ and check if isset in the class ?? 并检查if isset在类中设置了if isset ??

class users {
    function login($username, $password) {
        $stmt = $db->prepare("SELECT * FROM users WHERE username=? AND password =?");
        $result = $stmt->execute(array($username, $hashedPassword));
        // count the returned rows, if you have 1 then good.
        if($result->num_rows > 0) {
            $row = $result->fetch_assoc();
            // get the data you need and store it in the session.
            $_SESSION['username'] = $row['username'];
            return TRUE;
        } else { return FALSE; }
    }
    function getForm() {
        return "<form method='post'>username <input type=text name=username>\n";
        return "password <input type=password name=password></form>;
    }
}

My objective is to do less codes here: 我的目标是在这里减少代码数量：

$user = new users();
echo $user->getLoginForm()
if(isset($_POST['username'])) {
    if($users->login($_POST['username'], crypt($_POST['password'], $salt) == TRUE) {
        //logged in
        session_start();
        //other stuff
    } else { echo "error"; }
}

I'm very new to Object-Oriented programming Thank you all in advance! 我对面向对象编程非常陌生，谢谢大家！

Answer 1

Much better approach is to hash password already on the client side, so that through network does not travel password unencoded.. 更好的方法是在客户端已经对哈希密码进行哈希处理，以便通过网络不会传输未经编码的密码。

Also if you could add a special token to be encoded with the passowrd, it should increase the security.. (The hash does not travel through network always the same) 另外，如果您可以添加特殊令牌以使用passowrd进行编码，那么它也可以提高安全性。（散列不会始终通过网络传播）

Also adding the token do the db should increase the security, so that hashes of same passwords are not the same in the db.. 另外，添加令牌确实可以提高数据库的安全性，从而使相同密码的哈希在数据库中不相同。

Also note that md5 has been already hacked, so you should use at least sha_256.. 另请注意，md5已被黑客入侵，因此您至少应使用sha_256。

The answer to your question is, yes you can start session within the function of the class.. But if you do not init it when the script starts, you do not have access to your session variables.. 您的问题的答案是，是的，您可以在类的函数中启动会话。.但是，如果在脚本启动时未将其初始化，则您无权访问会话变量。

But what you should think about more is to use some standard libraries for authentication so that it is secure.. 但是，您还应该考虑使用一些标准库进行身份验证，以确保其安全性。

Answer 2

Some things we need to sort out in your current code before we look at whats next. 在查看下一步之前，我们需要在当前代码中整理一些内容。

Note: this is just my opinion. 注意：这只是我的意见。 There are many many different ways of doing what you are trying to do. 有许多不同的方法可以做您想做的事情。 This is only one way which may or may not fit into the rest of your project. 这只是可能适合您项目其余部分的一种方式。 Also, I've not tested any of this, so there maybe bugs as Im rusty on flat mysql stuff as Ive been in frameworks for too long. 另外，我还没有测试过任何一个，所以像Ive在框架中工作了太久了，在平坦的mysql上可能存在像我一样生锈的错误。

MD5 is a bad way of encrypting. MD5是一种不好的加密方式。 Read this to give you some guidelines. 阅读此内容可为您提供一些指导。
This is just my opinion, but I would search for a valid user who has the username AND hashed password from the database. 这只是我的意见，但是我将从数据库中搜索具有用户名和哈希密码的有效用户。 At the moment, if they are the right user, you'd have to query again to get the user data. 目前，如果他们是合适的用户，则必须再次查询以获取用户数据。 Where as if you do as suggested, you'd already have everything. 仿佛您按照建议的那样做，您已经拥有了一切。
You can start a session from anywhere, but I would start it at the top of each of your 'main' files to make sure its available everywhere. 您可以从任何地方开始会话，但是我会在每个“主”文件的顶部开始会话，以确保可以在任何地方使用它。

Current 当前

class users {
    function login($username, $password) {
        $stmt = $db->prepare("SELECT password FROM users WHERE username=?");
        $stmt->execute(array($username));
        $hash = $stmt->fetch();
        if(md5($password) == $hash) {
            return TRUE;
        } else { return FALSE; }
    }
    function getForm() {
        return "<form method='post'>username <input type=text name=username>\n";
        return "password <input type=password name=password></form>;
    }
}

Suggested 建议的

<?php session_start();  // start your session from your 'main' file. ?>

class users {
    // make sure you specify scope on your methods
    public function login($username, $password) {
        $hashedPassword = crypt($password, $someSalt); // TODO: do whatever you choose here.

        $stmt = $db->prepare("SELECT * FROM users WHERE username=? AND password =?");

        $result = $stmt->execute(array($username, $hashedPassword));

        // count the returned rows, if you have 1 then good.
        if($result->num_rows > 0) {
            $row = $result->fetch_assoc();
            // get the data you need and store it in the session.
            $_SESSION['username'] = $row['username'];

            return TRUE;
        } else { return FALSE; }
    }

    // you can only return once from a method. So return the whole string.
    public function getForm() {
        return "<form method='post'>username <input type='text' name='username'>\n password <input type='password' name='password'></form>;
    }
}

Possibly helpful resources 可能有用的资源

PHP登录..有更好的方法吗？

问题描述

2 个解决方案

解决方案1
2 2016-01-21 15:58:51

解决方案2
0 2016-01-21 16:11:30

Current 当前

Suggested 建议的

PHP登录..有更好的方法吗？

问题描述

2 个解决方案

解决方案1 2 2016-01-21 15:58:51

解决方案2 0 2016-01-21 16:11:30

Current 当前

Suggested 建议的

解决方案1
2 2016-01-21 15:58:51

解决方案2
0 2016-01-21 16:11:30