登录系统密码和用户名

时间:2015-11-01 12:08:22

标签: php mysql wamp

我为我的signin.php文件编写了php代码,我的查询适用于我的用户名,但是当我输入密码变量时,它没有做任何事情。我希望用户输入用户名和密码,因为他们只需要输入到限制页面,用户名没有密码。它检查用户名是否在数据库表中,如果是,则转到受限页面。我发布了一个这样的问题,我得到了很好的答案,但我不知道在哪里提供信息,这是我的process.php:

<?php
include("db.php");

$username = $_POST['username'];
$pw = $_POST['StorePassword'];

if ( isset( $_POST['login'] ) ) {

 $query = mysqli_query($conn, "SELECT * FROM users WHERE username='".$username."' StorePassword='".$pw."' ");

 $StorePassword = password_hash($pw, PASSWORD_BCRYPT, array('cost' => 8));

if ( mysqli_num_rows($query) > 0 ) {
    while ( $row = mysqli_fetch_assoc( $query ) ) {
        if ( $row['StorePassword'] == $pw ) { 
            header("Location: home.php"); 
        } else { 
            echo "Wrong password"; 
        }
    }
} else {
    echo "User not found <br />";
}

if(empty($pw)){
    echo"Please enter your password.";
 } else{

}

}
?>
<html>
<body>
<a href="signin.php">Please try again</a>
</body>
</html>

1 个答案:

答案 0 :(得分:3)

首先,您应该使用prepared statements来保证安全。

第1步:您想检查是否输入了用户名和密码:

if ( !isset($_POST['username'], $_POST['password']) ) {
    // Could not get the data that should have been sent.
    die ('You must enter a username and password!');
}

第2步:检查数据库的用户名:

if ($stmt = $conn->prepare('SELECT password FROM users WHERE username = ?')) {
    // Bind parameters (s = string, i = int, b = blob, etc), hash the password using the PHP password_hash function.
    $username = $_POST['username']; 
    $stmt->bind_param('s', $username);
    if(!$stmt->execute()){
    trigger_error("there was an error....".$mysqli->error, E_USER_WARNING);
    } 
    $stmt->store_result(); 

第3步:检查密码是否与 ( Php manual for password_verify )匹配

if ($stmt->num_rows > 0) {
        $stmt->bind_result($password);
        $stmt->fetch();      
        // Account exists, now we verify the password.
        if (password_verify($_POST['password'], $password)) {
            // Verification success! User has loggedin!
            header("Location: home.php"); 
        } else {
            echo 'Incorrect username and/or password!';
        }
    } else {
        echo 'User doesnt exist';
    }
    $stmt->close();

一起:

<?php
session_start();
include("db.php");
if ( !isset($_POST['username'], $_POST['password']) ) {
    // Could not get the data that should have been sent.
    die ('Username and/or password not set');
}
// Prepare our SQL 
if ($stmt = $mysqli->prepare('SELECT password FROM users WHERE username = ?')) {
    // Bind parameters (s = string, i = int, b = blob, etc), hash the password using the PHP password_hash function.
    $username = $_POST['username']; 
    $username = strtolower($username);
    $stmt->bind_param('s', $username);
    if(!$stmt->execute()){
    trigger_error("there was an error....".$mysqli->error, E_USER_WARNING);
    } 
    $stmt->store_result(); 
    // Store the result so we can check if the account exists in the database.
    if ($stmt->num_rows > 0) {
        $stmt->bind_result($password);
        $stmt->fetch();      
        // Account exists, now we verify the password.
        if (password_verify($_POST['password'], $password)) {
            // Verification success! User has loggedin!

             header("Location: home.php"); 
        } else {
            echo 'Incorrect username and/or password!';
        }
    } else {
        echo 'Incorrect username blar password!';
    }
    $stmt->close();
} else {
    echo 'Could not prepare statement!';
}
?>

查看准备好的陈述http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

上的php指南