[英]Login system password and username
我為signin.php文件編寫了php代碼,查詢對我的用戶名有效,但是當我輸入password變量時,它什么也沒做。 我希望用戶輸入用戶名和密碼,因為他們只需要輸入用戶名和密碼即可進入受限頁面。 它檢查用戶名是否在數據庫表中,如果存在,它將進入受限頁面。 我發布了這樣的問題,我得到了很好的答案,但是我不知道將信息放在哪里,這是我的process.php:
<?php
include("db.php");
$username = $_POST['username'];
$pw = $_POST['StorePassword'];
if ( isset( $_POST['login'] ) ) {
$query = mysqli_query($conn, "SELECT * FROM users WHERE username='".$username."' StorePassword='".$pw."' ");
$StorePassword = password_hash($pw, PASSWORD_BCRYPT, array('cost' => 8));
if ( mysqli_num_rows($query) > 0 ) {
while ( $row = mysqli_fetch_assoc( $query ) ) {
if ( $row['StorePassword'] == $pw ) {
header("Location: home.php");
} else {
echo "Wrong password";
}
}
} else {
echo "User not found <br />";
}
if(empty($pw)){
echo"Please enter your password.";
} else{
}
}
?>
<html>
<body>
<a href="signin.php">Please try again</a>
</body>
</html>
首先,您應該使用准備好的語句來保證安全性。
步驟1:您要檢查是否已輸入用戶名和密碼:
if ( !isset($_POST['username'], $_POST['password']) ) {
// Could not get the data that should have been sent.
die ('You must enter a username and password!');
}
步驟2:根據您的數據庫檢查用戶名:
if ($stmt = $conn->prepare('SELECT password FROM users WHERE username = ?')) {
// Bind parameters (s = string, i = int, b = blob, etc), hash the password using the PHP password_hash function.
$username = $_POST['username'];
$stmt->bind_param('s', $username);
if(!$stmt->execute()){
trigger_error("there was an error....".$mysqli->error, E_USER_WARNING);
}
$stmt->store_result();
第3步:檢查密碼是否匹配(PHP手冊中的password_verify) :
if ($stmt->num_rows > 0) {
$stmt->bind_result($password);
$stmt->fetch();
// Account exists, now we verify the password.
if (password_verify($_POST['password'], $password)) {
// Verification success! User has loggedin!
header("Location: home.php");
} else {
echo 'Incorrect username and/or password!';
}
} else {
echo 'User doesnt exist';
}
$stmt->close();
全部一起:
<?php
session_start();
include("db.php");
if ( !isset($_POST['username'], $_POST['password']) ) {
// Could not get the data that should have been sent.
die ('Username and/or password not set');
}
// Prepare our SQL
if ($stmt = $mysqli->prepare('SELECT password FROM users WHERE username = ?')) {
// Bind parameters (s = string, i = int, b = blob, etc), hash the password using the PHP password_hash function.
$username = $_POST['username'];
$username = strtolower($username);
$stmt->bind_param('s', $username);
if(!$stmt->execute()){
trigger_error("there was an error....".$mysqli->error, E_USER_WARNING);
}
$stmt->store_result();
// Store the result so we can check if the account exists in the database.
if ($stmt->num_rows > 0) {
$stmt->bind_result($password);
$stmt->fetch();
// Account exists, now we verify the password.
if (password_verify($_POST['password'], $password)) {
// Verification success! User has loggedin!
header("Location: home.php");
} else {
echo 'Incorrect username and/or password!';
}
} else {
echo 'Incorrect username blar password!';
}
$stmt->close();
} else {
echo 'Could not prepare statement!';
}
?>
查看有關准備好的語句的PHP指南http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.