没有正确密码登录...如何解决?
[英]Login Without Correct Password…How Do I Fix?
问题描述
I am building a Login page for my website. 
我正在为我的网站建立一个登录页面。 I have used Dreamweaver to create the login code. 我已经使用Dreamweaver创建登录代码。 I don't know a lot about php, but when I login using an incorrect password (but correct username) it allows me into a restricted part of the site. 我对php不太了解, 但是当我使用错误的密码(但用户名正确)登录时 , 它使我进入了网站的受限部分。
For example: suppose the correct username is test and the correct username is test123. 例如:假设正确的用户名是test,正确的用户名是test123。 When a user types in "test" for the username and types in any letter (though if you type in a number it doesn't let you through) for the password it logs them in and allows them through. 当用户输入“ test”作为用户名并输入任何字母(尽管您输入数字时,它不允许您输入)作为密码时,它将登录并允许他们通过。 This would be bad... 不好
Is there a way to make sure the site checks that both the password and username are correct? 有没有一种方式,以确保现场检查, 无论是用户名和密码是否正确?
I don't know hardly anything about php. 我对php几乎一无所知。 So any help would be greatly appreciated. 因此,任何帮助将不胜感激。
Here is my login code: 这是我的登录代码:
<?php
require_once('Connections/--------_userdatabase.php');
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = ""){
if (PHP_VERSION < 6) {
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
}
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
}
return $theValue;
}
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
session_start();
}
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
$_SESSION['PrevUrl'] = $_GET['accesscheck'];
}
if (isset($_POST['username'])) {
$loginUsername=$_POST['username'];
$password=$_POST['password'];
$MM_fldUserAuthorization = "";
$MM_redirectLoginSuccess = "http://www.-----------.org";
$MM_redirectLoginFailed = "http://www.-----------.org/login.php";
$MM_redirecttoReferrer = false;
mysql_select_db($database_-------_userdatabase, $--------_userdatabase);
$LoginRS__query=sprintf("SELECT Username, Password FROM userdatabase WHERE Username=%s AND Password=%s",
GetSQLValueString($loginUsername, "int"), GetSQLValueString($password, "int"));
$LoginRS = mysql_query($LoginRS__query, $--------_userdatabase) or die(mysql_error());
$loginFoundUser = mysql_num_rows($LoginRS);
if ($loginFoundUser) {
$loginStrGroup = "";
if (PHP_VERSION >= 5.1) {
session_regenerate_id(true);
} else {
session_regenerate_id();
}
//declare two session variables and assign them
$_SESSION['MM_Username'] = $loginUsername;
$_SESSION['MM_UserGroup'] = $loginStrGroup;
if (isset($_SESSION['PrevUrl']) && false) {
$MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
}
if ($loginUsername === 'Admin') {
header("Location: http://www.------------.org/user/-------/");
} else if ($loginUsername === 'User') {
header("Location: http://www.------------.org/user/-------/");
} else if ($loginUsername === 'User2') {
header("Location: http://www.-----------.org/user/--------/");
} else {
header("Location: " . $MM_redirectLoginSuccess );
}
} else {
header("Location: ". $MM_redirectLoginFailed );
}
}
?>
2 个解决方案
解决方案1
1 2012-02-13 21:25:27
You must add die(); 您必须添加die(); after a header() redirect, as header() only sends a header to the browser, without really knowing what it means. 在header()重定向之后,因为header() 仅将标题发送到浏览器,而实际上并不知道它的含义。 It then continues to serve the content as usual, if you don't have die() after it. 然后,如果您之后没有die() ,它将继续照常提供内容。
Partial example 部分例子
<?php
if ($loginFoundUser) {
// Put the cut out code back in
if (isset($_SESSION['PrevUrl']) && false) {
$MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
}
if ($loginUsername === 'Admin') {
header("Location: http://www.------------.org/user/-------/");
die;
} else if ($loginUsername === 'User') {
header("Location: http://www.------------.org/user/-------/");
die;
} else if ($loginUsername === 'User2') {
header("Location: http://www.-----------.org/user/--------/");
die;
} else {
header("Location: " . $MM_redirectLoginSuccess );
die;
}
} else {
header("Location: ". $MM_redirectLoginFailed );
die;
}
?>
Also, it appears you're converting the values to INT before checking the values in the database, which should not be done (considering a valid $loginUsername is 'Admin'). 同样,您似乎正在将这些值转换为INT,然后再检查数据库中的值,而不应该这样做(考虑到有效的$loginUsername为'Admin')。 This can be changed with the following code: 可以使用以下代码进行更改:
GetSQLValueString($loginUsername, "string"), GetSQLValueString($password, "string"));
解决方案2
0 2012-02-13 21:17:34
Is the following link the restricted area? 以下链接是禁区吗?
http://www.------------.org/user/-------/ http://www.------------.org/user/-------/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.