1. 首页
  2. 问答
  3. PHP登录(密码)验证

PHP登录(密码)验证

2015-04-15 249 views
0

我目前正在为我的php课程开展一个项目。该项目涉及制作登录和注册表单,并使用SQL查询来验证其信息。我大部分都可以工作,但如果从数据库中键入电子邮件地址,并且您在密码字段中输入了任何内容(无论它是否正确),该页面将允许您登录。这里是编码,我有,用代码首先显示形式,命名为“的login.php”:PHP登录(密码)验证

<?php 
ini_set("display_errors","on"); 
error_reporting(E_ALL | E_STRICT); 
$labels = array("email" => "Email:", 
"password" => "Password:"); 
$submit = "Submit"; 
?> 
<!DOCTYPE HTML> 
<html> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 
<title>Login Form</title> 
</head> 

<body> 
<h2>Login Form</h2> 
<?php 
echo "<form action='' method='POST'>"; 
foreach($labels as $field => $label) 
{ 
    if($field != "password") 
    { 
     echo("<div class='field'><label for='$field'>$label</label> 
      <input type='text' name='$field' id='$field' value='"[email protected]$$field."'></div>\n"); 
    } 
    else 
    { 
     echo("<div class='field'><label for='$field'>$label</label> 
      <input type='password' name='$field' id='$field' value='"[email protected]$$field."'></div>\n"); 
    } 
} 
echo"<div class='field'><input type='hidden' name='submitted' value='yes'> 
    <input type='submit' name='submit' value='$submit'></div>"; 
?> 
</body> 
</html>

下面的代码验证:

<?php 
ini_set("display_errors","on"); 
error_reporting(E_ALL | E_STRICT); 
include("dbinfo2.inc"); 
?> 
<!DOCTYPE HTML> 
<html> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 
<title>Untitled Document</title> 
<link href="css/styles.css" rel="stylesheet" type="text/css" /> 
</head> 

<body> 
<?php 
if(isset($_POST['submitted']) and $_POST['submitted'] == "yes") 
{ 
    foreach($_POST as $field => $value) 
    { 
     if(empty($value) or !empty($value)) 
     { 
      $email_patt = "/^[email protected]+\\..+$/"; 
      if(preg_match("/email/i",$field)) 
      { 
       if(!preg_match($email_patt,$value)) 
       { 
        $error_array[] = $field; 
       } 
      } 
      if(preg_match("/password/i",$field)) 
      { 
       if(empty($value)) 
       { 
        $error_array[] = $field; 
       } 
      } 
      $good_data[$field] = strip_tags(trim($value)); 
     } 
    } 
    if(@sizeof($error_array) > 0) 
    { 
     $message = "<p class='error'>Your login information is incorrect.</p>"; 
     echo $message; 
     extract($good_data); 
     include("login.php"); 
     exit(); 
    } 
    else 
    { 
     $cxn = mysqli_connect($host,$user,$passwd,$dbname) or die("Couldn't connect to server."); 
     foreach($good_data as $field => $value) 
     { 
      $clean_data[$field] = mysqli_real_escape_string($cxn,$value); 
     } 
     $sql = "select * from customerdata where email='$good_data[email]' and password='$good_data[password]'"; 
     $result = mysqli_query($cxn,$sql) or die("<p class='error'>Login information is invalid.</p>"); 
     include("success.php"); 
    } 
} 
else 
{ 
    include("login.php"); 
} 
?> 
</body> 
</html>

什么我需要改变使这个功能正确?

来源

2015-04-15 Jordan U.

+1

您不应该遍历POST值,为输入使用一个合适的名称,只需根据数据库检查该值,就会使其复杂化。对于生产站点,您绝不会这样做,您不会存储密码,您可以存储盐渍散列。 – adeneo

回答

1

您的成功/失败条件不应该是mysqli_query调用的结果。这只会表明查询是否成功执行。 (http://php.net/manual/en/mysqli.query.php

您登录始终成功,因为您的查询在语法上是有效的并且运行时没有错误。

您需要检查返回的行数以确认其中只有一行。

来源

2015-04-15 20:32:36 cmason

相关问题

 相关问题