如果条件在行,则为PDO
[英]PDO if condition on row
问题描述
I am in the process of making a login system using PDO. 
我正在使用PDO制作登录系统。 What I am finding is that users are able to log in despite their info not being in the database. 我发现的是,尽管他们的信息不在数据库中,但用户仍可以登录。
My PHP code is as follows: 我的PHP代码如下:
$error = "";
if(isset($_POST["submit"])){
if(empty($_POST["youremaildesktop"]) || empty($_POST["yourpassworddesktop"]))
{$error = "Both fields are required.";}
else{
$username=$_POST['youremaildesktop'];
$password=$_POST['yourpassworddesktop'];
$username = stripslashes($username);
$password = stripslashes($password);
$password = md5($password);
/*PDO Version*/
$resulter = $dbh->prepare("
SELECT uid
FROM customer
WHERE username = '$username'
AND password = '$password'
");
$resulter->fetchColumn();
if($resulter)
{
$_SESSION['localstorage'] = $username;
header("Location: userpage.php");
}
else {
$error = "Incorrect username or password.";
}
}
}
The $dbh PHP variable corresponds to my database connection credentials. $dbh PHP变量对应于我的数据库连接凭据。 The POST values correspond to my login form on my main page. POST值对应于我主页上的登录表单。
The goal is to connect users to userpage.php only if their credentials are correct. 目的是仅在用户凭据正确的情况下将用户连接到userpage.php 。 However, I am able to log in regardless of whether the user details correspond to users in my database. 但是,无论用户详细信息是否对应于数据库中的用户,我都可以登录。
2 个解决方案
解决方案1
2 已采纳 2017-06-05 10:10:53
Here's how I would of tackled the situation myself.. 这是我本人要解决的情况。
if (isset($_POST['submit']))
{
$username = $_POST['youremaildesktop'];
$password = $_POST['yourpasswordesktop'];
if (!empty($username) && !empty($password))
{
$res = $dbh->prepare("SELECT * FROM `customer` WHERE `username` = ?");
$res->execute([$username]);
$row = $res->fetch(PDO::FETCH_ASSOC);
if ($res->rowCount() > 0)
{
if (password_verify($password, $row['password']))
{
$_SESSION['user_session'] = $row['uid'];
header('Location: vm913.php');
} else {
// echo incorrect pass
}
} else {
// echo no such user...
}
} else {
// echo something...
}
}
Edited as I missed an echo on the wrong password bit! 编辑,因为我错过了错误的密码位回显!
You'll see password_verify() rather than using md5 which really isn't recommended. 您会看到password_verify()而不是使用md5(实际上不建议这样做)。 You'll also see within my query I have bound the param. 您还将在查询中看到我已经绑定了参数。
Note : Obviously you will need to use password_hash() within the registration side of things before password_verify() will work. 注意 :显然,在password_verify()起作用之前,您需要在事物的注册方面使用password_hash() 。
Up to you at the end of the day, but it's always best practice to cover your backside. 一天结束时由您自己决定,但是遮盖背面始终是最佳实践。
I'd also, always assign the session to the userid rather than the username. 我还要始终将会话分配给用户ID而不是用户名。
As an optional extra, may be worth adding login logs and failed logs to your system also. 作为可选的额外功能,可能还值得将登录日志和失败的日志添加到您的系统中。
解决方案2
0 2017-06-05 09:56:41
I was able to fix this query by modifying my code to add the following: 我可以通过修改代码以添加以下内容来解决此查询:
$resulter->execute();
$resulted = $resulter->fetchAll();
if($resulted)
{
$_SESSION['localstorage'] = $username;
header('Location:vm913.php');
}
else { $error = "Incorrect username or password."; }
Thanks to @Options as well for pointing out vulnerabilities in the code. 还要感谢@Options指出代码中的漏洞。 I half posted this question also to see what people thought of it in terms of safety. 我还张贴了一个问题,以了解人们对安全性的看法。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.