1. 首页
  2. 问答
  3. 如何禁用用户帐户php/mysql

如何禁用用户帐户php/mysql

2017-08-08 55 views
0

我想拥有可以启用或禁用的用户帐户。如何禁用用户帐户php/mysql

我在我的表中设置为yes或no的活动字段。

这是我的登录页面的代码。

<?php 
/* User login process, checks if user exists and password is correct */ 

require_once 'includes/db.php'; 

// Escape email to protect against SQL injections 
$email = $mysqli->escape_string($_POST['email']); 
$result = $mysqli->query("SELECT * FROM dxd_membership WHERE email='$email'"); 
if ($result->num_rows == 0){ // User doesn't exist 
$_SESSION['message'] = "User with that email doesn't exist!"; 
header("location: error.php"); 
} 
else { // User exists 
    $user = $result->fetch_assoc(); 
$active = $mysqli->query("SELECT * FROM dxd_membership WHERE email = '$email' AND active = 'YES'"); 

if ($active == '1') 
{ 
    if (password_verify($_POST['password'], $user['password'])) { 
     $userid = $_SESSION['userid']; 
     $_SESSION['email'] = $user['email']; 
     $_SESSION['firstname'] = $user['firstname']; 
     $_SESSION['lastname'] = $user['lastname']; 
     $_SESSION['username'] = $user['username']; 
     $_SESSION['paynum'] = $user['paynum']; 
     $_SESSION['empnum'] = $user['empnum']; 
     $_SESSION['phone'] = $user['phone']; 
     $_SESSION['active'] = $user['active']; 
     $_SESSION['lastlogin'] = $user['lastlogin']; 
     $_SESSION['signup'] = $user['signup']; 
     $_SESSION['lastupdate'] = $user['lastupdate']; 

     // This is how we'll know the user is logged in 
     $_SESSION['logged_in'] = true; 

     $update = $mysqli->query("UPDATE dxd_membership SET lastlogin=NOW() WHERE email = '$email'"); 

     header("location: welcome.php"); 
    } 

    else { 
     $_SESSION['message'] = "You have entered wrong password please try again!"; 
     header("location: error.php"); 
    } 
} 

else { 
    header("location: disabled.php"); 
} 
} 
?>

我相信这是一个愚蠢的错误,我这里有,但它不会检查活动字段,然后要么让用户登录到页面的welcome.php如果活跃是肯定的或发送给残疾人。如果他们的帐户活动被设置为no(禁用),则为php页面。

任何人都可以帮助我纠正代码,使其工作。

感谢

来源

2017-08-08 Boxecutor

+1

为什么'$ active =='1'',如果你得到一个回报,你知道活动是1. – chris85

回答

1

看,我看到你的代码中的几个问题。首先是对相同数据的双重查询。你可以简化这整个事情到一个查询。

另一个(也是更重要的)事实是,您只是将数据附加到SQL查询中,MySQLi的整个目标是通过绑定参数来避免注入。所以一个 - 更多正确的方式做这将是这个:

编辑:escape_string避免这一点。我完全无视它。

<?php 
    /* User login process, checks if user exists and password is correct */ 

    require_once 'includes/db.php'; 

    // Escape email to protect against SQL injections 
    $email = $mysqli->escape_string($_POST['email']); 
    $result = $mysqli->query("SELECT * FROM dxd_membership WHERE email = '{$email}'"); 
    if ($result->num_rows == 0){ // User doesn't exist 
     $_SESSION['message'] = "User with that email doesn't exist!"; 
     header("Location: error.php"); 
     exit; // Add an "exit" here, because if you add something else, it will run too (even if you asked to redirect... basically is the browser the one that chooses if it follows the redirect or not, but your script still goes on). 
    } 
    else { // User exists 
     $user = $result->fetch_assoc(); 

     // There's no point in filtering using another MySQL query, since YOU ALREADY HAVE THIS DATA. Just use PHP to read it and act appropiately. 
     // Doing another query is just WASTING resources for no useful purpose. 
     //$active = $mysqli->query("SELECT * FROM dxd_membership WHERE email = '$email' AND active = 'YES'"); 
     if ($user['active'] == 'YES') { 
      // Your processing here, you get the idea 
     } 
    } 
?>

当然,最好的选择是使用的MySQLi声明和使用bind_param/execute。这个例子只是遵循你使用MySQLi的风格。

来源

2017-08-08 00:29:56

1

这是很明显的

$active = $mysqli->query("SELECT * FROM dxd_membership WHERE email = '$email' AND active = 'YES'"); 

if ($active == '1') //<-- see it 
{ 
    if (password_verify($_POST['password'], $user['password']))

试试这个

if ($active->num_rows == 1) //or != 0 This is false or a result set.

即使你没有在那里提交了积极的价值(你有选择*)你是否仍正在检查字符串'1'针对字符串'YES'

备注我在4年左右没有使用mysqli,因为我使用PDO。所以这可能不是整个问题,但看起来似乎是错误的。

事实上,第二个查询是不需要的,因为您已经有了您要查找的数据,因此您可以更改它。

现在,如果您确定它们处于活动状态,则它们始终为YES$user已包含此数据,为何不使用此类数据并保存查询。

$email = $mysqli->escape_string($_POST['email']); 
$result = $mysqli->query("SELECT * FROM dxd_membership WHERE email='$email'"); 
if ($result->num_rows == 0){ // User doesn't exist 
    $_SESSION['message'] = "User with that email doesn't exist!"; 
    header("location: error.php"); 
}else { // User exists 
    $user = $result->fetch_assoc(); 
    /* comment these next 2 lines out when not debugging */ 
    echo "<pre>"; //whitespace formating 
    var_export($user); 

    if ($user['active'] == 'YES'){ 
    // ..... 



    } 
}

我不得不提的一件事是你应该看准备好的陈述。你可以找到这里

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

信息,当你在一个SQL查询并置,你应该使用准备好的语句来代替,因为它会打开你的SQL注入攻击的应用程序。现在,我看起来更接近您使用escape_string,虽然这是好的,但首选的方法是准备好语句。这是因为在准备好的语句中,变量完全独立于查询命令,因此DB知道不会执行任何操作。即使转义也可能存在边缘情况,这可能是一个问题,我不知道有什么说法,但是像使用十六进制引号的版本是我在例子中看到的东西,或者是数据库中奇怪的字符串将看作是一个报价。

来源

2017-08-08 00:15:44 ArtisticPhoenix

+0

'$ active'可能是'1',但这是一个查询资源,不是吗?我会说'if($ active-> num_rows == 1)'更准确。 –

+0

@AlejandroIván - 看到我的更新,它可能被评估为'1',只是因为它不是假的。 – ArtisticPhoenix

+0

所以1应该是?对不起,如果愚蠢的问题,但我新的,因为你无疑可以告诉我这样仍在学习 – Boxecutor

相关问题

 相关问题