为什么这个表达式评估为真?

时间:2014-08-06 14:19:42

标签: php mysql

我正在制作php登录功能,我遇到了一个问题。在脚本的一部分中,我正在测试是否所有信息都以html格式插入,并通过$ _POST变量提供给脚本。在一个部分中,脚本正确评估是仅输入用户名还是仅输入密码,并正确评估密码是否错误但是当我输入正确的用户/密码时,它会激活错误"未输入用户名和密码&#34 ;。我无法弄明白。 FLASE&& amp; FALSE等于TRUE?

---编辑---- 好的,我现在看到我应该在这个问题中包含所有相关文件。所以这里是:

的index.php 

<?php
session_start();
if (isset($_SESSION['login_message'])) {
    $message = $_SESSION['login_message'];
    unset($_SESSION['login_message']);
}
?>

<html>

<head>
<?php
require_once("include/head.php");
?>
</head>

<body>

<form action="auth/login.php" method="post">

<table>

<tr>

<td>
<img src="graphics/znak_hrz.png" alt="Znak HRZ" style="height: 200px; padding: 10px;">
</td>

<td>
    <table style="padding: 10px;">
            <tr>
                <td><?php if (isset($message)) {echo "<td>" . $message . "</td>";}?></td>
            </tr>

            <tr>
               <td>
               <label for="username">Username:</label>
               <input id="username" type="text" name="username" />
             </td>
            </tr>

            <tr>
              <td>
              <label for="password">Password:</label>
              <input id="password" type="password" name="password" />
              </td>
            </tr>

    <tr>
            <td style="text-align: center;">
            <input type="submit" name="login" value="Login" />
            </td>
    </tr>

    </table>
</td>

<td>
<img src="graphics/znak_eskadrile.png" alt="Znak eskadrile" style="height: 200px; padding: 10px;">
</td>

</tr>

</table>

</form>

</body>

</html>

的login.php 

<?php
session_start();

// This script will deny access if following conditions are met in that order:
// - Username not entered
// - Password not entered
// - Username and password not entered
// - User doesn't exist in the database
// - User is deactivated in the database
// - The password is wrong
// Upon successful login, it will redirect user to secure/index.php and
// upon unsuccessful login it will return him to index.php for another try.

// If username is not set, set an error message
if (empty($_POST['username']) && !empty($_POST['password'])) {
    $_SESSION['login_message'] = "Username missing";
}

// If password is not set, set an error message
if (empty($_POST['password']) && !empty($_POST['username'])) {
    $_SESSION['login_message'] = "Password missing.";
}

//If username AND password are not set, set an error message
if (empty($_POST['username']) && empty($_POST['password'])) {
    $_SESSION['login_message'] = "Username and password empty.";
}

// Check if the username exists in the database and if the password is correct
if (!isset($_SESSION['login_message']) && !empty($_POST['username']) && !empty($_POST['password'])) {

    require_once("database.php");

    // Sanitize incoming username and password
    $username = filter_var($_POST['username'], FILTER_SANITIZE_STRING);
    $password = filter_var($_POST['password'], FILTER_SANITIZE_STRING);

    // Determine whether an account exists matching this username and password
    $stmt = $auth_db->prepare("SELECT uid, pid, password, access_category, last_log, active FROM " . TBL_USERS . " WHERE username = ?");

    // Bind the input parameters to the prepared statement
    $stmt->bind_param('s', $username);

    // Execute the query
    $stmt->execute();

    // Assign results of query to temporary variables
    $stmt->bind_result($uid, $pid, $db_password, $access_category, $last_log, $active);
    $stmt->fetch();

        // If user doesn't exist in the database, deny login
        if (!isset($uid)) {
            $_SESSION['login_message'] = "User doesn't exist.";
        }

        // If user is deactivated, deny login
        if (isset($uid) && !$active) {
            $_SESSION['login_message'] = "User is deactivated.";
        }

        // If the password is wrong, deny login
        if (isset($uid) && $active && $db_password != md5($password)) {
            $_SESSION['login_message'] = "Wrong password.";
        }

        if (!isset($_SESSION['login_message'])) {

        // Close previous statement
        $stmt->close();

        // Update the account's last_login column
        $stmt = $auth_db->prepare("UPDATE " . TBL_USERS . " SET last_log = NOW() WHERE username = ?");
        var_dump($stmt);
        $stmt->bind_param('s', $username);
        $stmt->execute();

        // Set session variable
        $_SESSION['username'] = $username;
        $_SESSION['uid'] = $uid;
                $_SESSION['pid'] = $pid;
        $_SESSION['last_log'] = $last_log;
                $_SESSION['active'] = $active;
        $_SESSION['access_category'] = $access_category;
        }
}

if (!isset($_SESSION['login_message'])) {
    header('Location: ../secure/index.php');
} else if (isset($_SESSION['login_message'])) {
    header('Location: ../index.php');
}
?>

安全/ index.php的

<?php
    session_start();
    require_once("../auth/login.php");
?>

<html>

<head>
<?php
#if($_SESSION['access_category'] == '0') {
#   header('Location: eth93sl/');
#}
?>
</head>

<body>
<?php
    echo "uid:" . $_SESSION['uid'] . "<BR>";
    echo "username: " . $_SESSION['username'] . "<BR>";
    echo "active: " . $_SESSION['active'] . "<BR>";
    echo "last_log: " . $_SESSION['last_log'] . "<BR>";
    echo "access_category: " . $_SESSION['access_category'] . "<BR>";
?>
</body>

</html>

1 个答案:

答案 0 :(得分:0)

问题是login.php脚本执行了两次,因为secure / index.php中的第三行是我正在尝试的另一个登录系统的剩余行。第二次调用脚本时,它没有$ _POST数据,因此没有用户名和密码,因此适当的条件被激活。

提醒我,当我遇到问题时,将视图扩展到其他文件总是好的。

相关问题
最新问题