[英]Problem with login i can login with any username and password
我的登录系统有问题我可以使用任何用户名和密码登录我不知道如何解决
如果有人可以提供帮助,我将不胜感激
这是我的登录系统
function userLog() {
global $connect;
if(isset($_POST['userLog'])) {
$username = trim(protect($_POST['username']));
$password = trim(protect($_POST['password']));
if(empty($username)) {
$_SESSION['message'] = '';
header('Location: index.php');
exit();
} elseif (empty($password)) {
$_SESSION['message'] = '';
header('Location: index.php');
exit();
}
$userSQL = "SELECT * FROM users WHERE username = :username";
$userLog = $connect->prepare($userSQL);
$userLog->bindValue(':username', $username);
$userLog->execute();
$userLog->fetchAll();
#PLACE FOR SELECT DATA FROM SQL TO IMPORT TO SESSION
$sql = "SELECT * FROM users";
$stm = $connect->prepare($sql);
$stm->execute();
$row = $stm->fetch();
####################################################
if($userLog) {
$_SESSION['user_id'] = $row['user_id'];#id(mysql)
$_SESSION['username'] = $row['username'];#user(mysql)
$_SESSION['email'] = $row['email'];#email(mysql)
$_SESSION['f_name'] = $row['first_name'];#fname(mysql)
$_SESSION['l_name'] = $row['last_name'];#lname(mysql)
header('Location: index.php');
exit();
} else {
}
}
}
抱歉英语不好
我无法深入创建一个类! 你需要检查课程。
我只是尽可能多地更正了您的代码,我使用了 bindParam 而不是 bindValue。
我希望你正在使用 pdo,它表明你是 :) 请把session_start();
在您的页面顶部出现其他一切。
function userLog() {
global $connect;
if(isset($_POST['userLog'])) {
$username = trim($_POST['username']);
$password = trim($_POST['password']);
if(empty($username)) {
$_SESSION['message'] = 'Enter username';
header('Location: index.php');
exit();
} elseif (empty($password)) {
$_SESSION['message'] = 'Enter password';
header('Location: index.php');
exit();
}else{
$sql = "SELECT * FROM users WHERE username = :username";
if($stmt = $connect->prepare($sql)){
$stmt->bindParam(':username', $param_username, PDO::PARAM_STR);
$param_username = $username;
if($stmt->execute()){
$row = $stmt->fetch();
if($row['username'] === 1){
$hashed_password = $row['password'];
$email = $row['email'];
$name = $row['f_name'];
$lastname = $row['l_name'];
$id = intval($row['user_id']);
if(password_verify($password, $hashed_password)){
session_regenerate_id();
$_SESSION["loggedin"] = true;
$_SESSION['user_id'] = $id;
$_SESSION['username'] = $username;
$_SESSION['email'] = $email;
$_SESSION['f_name'] = $name;
$_SESSION['l_name'] = $lastname;
header('Location: index.php');
exit();
}else{
$_SESSION['message'] = 'wrong password';
}
}else{
$_SESSION['message'] = 'wrong username';
}
}else{
$_SESSION['message'] = 'User not found';
}
}else{
$_SESSION['message'] = 'Something went wrong';
}
}
}
}
我让你重定向到你的错误页面
更新:这是一个简单的类示例,搜索创建类的正确方法。
class userLog {
/** @var object $connect Copy of PDO connection */
private $connect;
/** @var object of the logged in user */
private $user;
/** @var string error msg */
private $msg;
public function __construct($connect) {
$this->connect = $connect;
}
public function login($username,$password){
$stmt = $this->connect->prepare('SELECT * FROM users WHERE username = ? ');
$stmt->execute([$username]);
$user = $stmt->fetch();
if(password_verify($password,$user['password'])){
$this->user = $user;
session_regenerate_id();
$_SESSION['user']['user_id'] = $user['user_id'];
$_SESSION['user']['fname'] = $user['fname'];
$_SESSION['user']['lname'] = $user['lname'];
$_SESSION['user']['email'] = $user['email'];
return true;
}else{
$this->msg = 'Invalid login information';
//you can change ajax response to session error
return false;
}
}
}
usaqe : $handle = new userLog($connect);
注意这个函数需要ajax来返回响应。
在这里你没有检查任何密码,所以当然任何人都可以登录,你应该像这样修复它:
$userSQL = "SELECT * FROM users WHERE username = :usr AND password = :pwd";
$userLog = $connect->prepare($userSQL);
$userLog->bindValue(':usr', $username);
$userLog->bindValue(':pwd', $password);
$userLog->execute();
$users = $userLog->fetchAll();
if(count($users) == 0) {
// fail here, no one to login
exit();
} elseif(count($users) > 1) {
// Found more than one user, this should not happen, maybe fail.
}
如果此检查通过用户已登录,并且$users[0]
保存您的用户信息
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.