用户存在时登录错误

Question

我对我的登录脚本有疑问。

我使用php创建了一个登录脚本，如下所示：

<?php 

include 'headermet.php';
include 'database.php';

session_start();

if( isset($_SESSION['user_id']) ){
    header("Location: /");
}

if(!empty($_POST['username']) && !empty($_POST['password'])):

    $records = $conn->prepare('SELECT id,username,password FROM users WHERE username = :username');
    $records->bindParam(':username', $_POST['username']);
    $records->execute();
    $results = $records->fetch(PDO::FETCH_ASSOC);

    $message = '';

    if(count($results) > 0 && password_verify($_POST['password'], $results['password']) ){

        $_SESSION['user_id'] = $results['id'];

        header("Location: /");

    } else {
        $message = 'ERROR while trying to login';
    }

endif;

?>

<body>

    <h1 style = "margin-top:100px;">LOGIN</h1>
        <?php if(!empty($message)): ?>
        <p><?= $message ?></p>
    <?php endif; ?>

    <form action="login.php"= method="POST">

        <input type="text" placeholder="Gebruikersnaam" name="username">
        <input type="password" placeholder="Wachtwoord" name="password">
        <input type="submit">

    </form>
</body>

<?php include 'footer.php';?>

在代码中，如果凭据不正确，我会添加错误消息。消息是$message = 'ERROR while trying to login'; 使用sequelpro我添加了一个测试用户，其用户名为：test，密码为：test Does .Value = .Value act similar to Evaluate() function in VBA?

当我填写表格时：test：test我得到这个：

Answer 1

password_verify对我来说是新的。另一种方法是，如果数据库中存在匹配项，则可以假定在返回行时登录成功。因此：

首先将密码传递到SELECT以检查

$records = $conn->prepare('SELECT id,username,password FROM users WHERE username = :username AND password = :password');

请记住也要绑定密码

$records->bindParam(':password ', $_POST['password']); //Rather encrypt password

优良作法是在注册时加密密码，然后再次通过登录加密输入的密码和数据库中的匹配。

然后检查是否返回了一行

   $count = $records->rowCount(); // This will return the number of rows

    if($count > 0) //This will cause issue if more than one row is returned but illustrates the point.
    {
       $_SESSION['user_id'] = $results['id'];
       header("Location: /");
    }

Answer 2

首先你的登录脚本不安全你需要学习如何使用md5或其他人来保存你的密码..我首先使用它并按照d步骤

＆＃13;

＆＃13;

<?php
if (isset($_POST['save'])){
session_start();
if(isset($_SESSION['SESS_MEMBER_ID']) && $_SESSION['SESS_MEMBER_ID']!=''){header("Location:home.php");}
$dbh=new PDO('mysql:dbname=dbname;hostdbhost', 'dbusername', 'dbpassword');/*Change The Credentials to connect to database.*/
$username=$_POST['username'];
 $password =(md5($_POST['pass']));  /*Encrpt your password with md5.*/
if(isset($_POST) && $username!='' && $password!=''){
 $sql=$dbh->prepare("SELECT id,password,username FROM tablename WHERE username=?");
 $sql->execute(array($username));
 while($r=$sql->fetch()){
  $p=$r['password'];
  $u=$r['username'];
 }

 if($p==$password){
            $_SESSION['SESS_MEMBER_ID']=$id;
            $_SESSION['SESS_USERNAME'] = $u;

  header("Location:home");
 }else{
  header("Location: login.php?error=1");
 } }
}

?>


 <form  method="post" enctype="multipart/form-data">
						<div>
							<span>Username<label>*</label></span>
						
				<input type="text" name="username" required> 
						</div>
						<div>
							<span>Password<label>*</label></span>
							<input type="password" name="pass" required>
						</div>
						
						<input type="submit" name="save" value="Login">
					</form>

＆＃13;

＆＃13;

＆＃13;