Question

我有使用MVC模式的登录系统，虽然它仍然是程序性的，并且已经有4个小时而且无法正常工作。它不断执行最后一个'else'语句，该语句重定向回login.php。这是我的代码

登录页面

<?php include 'view/template/header.php' ?>

<div class="container">
    <div class="row">
        <div class="col-lg-6 col-lg-offset-3">
            <div class="login-style">
            <h2>Silahkan Login</h2>
                <form action="controller/controller-login-admin.php" method="POST">
                <div class="form-group">
                    <label for="username">Username:</label>
                    <input type="text" name="username" class="form-control" id="username">
                </div>
                <div class="form-group">
                    <label for="pwd">Password:</label>
                    <input type="password" name="password" class="form-control" id="pwd">
                </div>
                    <button type="submit" name="submit-admin-login" class="btn btn-primary">Submit</button>
                </form> 
            </div>
        </div>
    </div>
</div>

<?php include 'view/template/footer.php' ?>

控制器

<?php 
require_once $_SERVER['DOCUMENT_ROOT']. '/project-school-frontend/admin/model/admin-model-master.php';

if (isset($_POST['submit-admin-login'])){
    $username=mysqli_real_escape_string($koneksi, $_POST['username']);
    $password=mysqli_real_escape_string($koneksi, md5($_POST['password']));
    loginUser($username, $password);
}

（控制器工作正常）

型号：

<?php

require_once $_SERVER['DOCUMENT_ROOT']. '/project-school-frontend/config/database.php';

function loginUser($username, $password){

    global $koneksi;
    if (empty($username) && !empty($password)) 
        {
            $_SESSION['pesan'] = 'Userid harus diisi';
            $_SESSION['alert'] = 'info';
            header('location:../login.php');
        }
        elseif (empty($password) && !empty($username)) 
        {
            $_SESSION['pesan'] = 'Password harus diisi';
            $_SESSION['alert'] = 'info';
            header('location:../login.php');
        }
        elseif (empty($username && $password)) 
        {
            $_SESSION['pesan'] = 'Userid dan password wajib diisi';
            $_SESSION['alert'] = 'info';
            header('location:../login.php');
        }
        else
        {
            $sql= "SELECT * FROM admin WHERE username='$username' AND password='$password'";
            $query= mysqli_query($koneksi, $sql);
            $result= mysqli_num_rows($query);
            $row = mysqli_fetch_array($query);

            if($result > 0)
            {
                session_start();
                $_SESSION['username']=$row['username'];
                $_SESSION['level'] = $row['level'];
                header('Location: ../view/admin-dashboard.php');
            }
            else
            {
                header('Location: ../login.php');
            }
        }
}

（这是如何开始的。模特）

我该怎么办？

Answer 1

我可以看到一些问题。

此功能做得太多，需要重新安排
比较时出现错误
您必须在该sql语句上绑定参数，它不安全并且可能会弄乱查询，具体取决于放入这些字段的内容
不要将session_start()置于if条件
您应该使用password_hash()和password_verify()（或等效的库）进行密码存储和比较

<强> /config.php

有一个包含基本内容的配置文件，并且总是在每个顶级页面上包含页面作为第一个加载的内容

<?php
# Error reporting ON for development
error_reporting(E_ALL);
ini_set('display_errors',1);
# Define separators for full compatibility
define('DS',DIRECTORY_SEPARATOR);
define('ROOT_DIR',__DIR__);
define('FUNCTIONS',ROOT_DIR.DS.'functions');
# Start the session by default
session_start();
# Add the database
require_once(ROOT_DIR.DS.'project-school-frontend'.DS.'config'.DS.'database.php');

<强> /functions/setError.php

创建一个将执行此部分的函数，以便您可以重复使用它。

<?php
function setError($pesan,$alert,$redirect = false)
    {
        $_SESSION['pesan'] = $pesan;
        $_SESSION['alert'] = $alert;
        # Redirect if set
        if($redirect) {
            header("Location: {$redirect}");
            exit;
        }
    }

<强> /functions/loginUser.php

我不会使用全局连接，而是使用函数中的参数来提供连接。

<?php
function loginUser($koneksi, $username, $password){
    # Add messaging error
    include_once(FUNCTIONS.DS.'setError.php');
    # Trim out values
    $username = (!empty($username))? trim($username) : false;
    $password = (!empty($password))? trim($password) : false;
    # First check if either value is empty
    if(empty($username) || empty($password)) {
        # If both empty, set message
        if(empty($username) && empty($password))
            $msg = 'Userid dan password wajib diisi';
        # If username empty, set message
        elseif(empty($username))
            $msg = 'Userid harus diisi';
        # If password empty, set message
        elseif(empty($password))
            $msg = 'Password harus diisi';
        # If something is really wrong, make unknown
        else
            $msg = 'Unknown error';
        # Set session values, redirec
        setError($msg,'info','../login.php');
    }
    else {
        # Fetching the user from DB should be a function like getAdmin($koneksi,$username,$password)
        # !***** BIND PARAMETERS HERE, THIS IS UNSAFE!!! ******!
        $sql= "SELECT * FROM admin WHERE username='$username' AND password='$password'";
        $query= mysqli_query($koneksi, $sql);
        $result= mysqli_num_rows($query);
        $row = mysqli_fetch_array($query);

        if($result > 0){
            $_SESSION['username'] = $row['username'];
            $_SESSION['level']    = $row['level'];
            header('Location: ../view/admin-dashboard.php');
            exit;
        }
        else{
            setError('Invalid Username or Password','info','../login.php');
        }
    }
}

登录页面无法继续请求？

1 个答案: