I'm using password_hash to build a simple login page:

```php
$hp = password_hash($p, PASSWORD_DEFAULT);
```

My login code contains a lot of if/else statements and works fine until it reaches the redirect part.
```php
<?php
session_start();
if (isset($_POST['submit'])) {
    require ('mysqli_connect.php');
    if (!empty($_POST['username'])) {
        $u = mysqli_real_escape_string($dbcon, $_POST['username']);
    }
    else {
        $u = FALSE;
        echo '<p class="error">You forgot to enter your username</p>';
    }
    if (!empty($_POST['psword'])) {
        $p = mysqli_real_escape_string($dbcon, $_POST['psword']);
    }
    else {
        $p = FALSE;
        echo '<p class="error">You forgot to enter your password</p>';
    }
    if ($u && $p) {
        $sql = "SELECT * FROM users WHERE username='$u' ";
        mysqli_store_result($dbcon);
        $result = mysqli_query($dbcon, $sql);
        if (@mysqli_num_rows($result) == 1) { // to check the username
            if ($row = mysqli_fetch_assoc($result)) {
                // check the password against the stored hash
                $hashedPwdCheck = password_verify($p, $row['password']);
                if ($hashedPwdCheck == false) {
                    echo "wrong password";
                }
                elseif ($hashedPwdCheck == true) {
                    $_SESSION = mysqli_fetch_array($result, MYSQLI_ASSOC);
                    $_SESSION['user_level'] = (int) $_SESSION['user_level'];
                    // redirect the user according to user_level
                    if ($_SESSION['user_level'] === 1) {
                        header("location: admin-page.php");
                        exit();
                    }
                    elseif ($_SESSION['user_level'] === 2) {
                        header("location: coordinator-page.php");
                        exit();
                    }
                    else {
                        header("location: supervisor-homepage.php");
                        exit();
                    }
                }
            }
            else {
                echo '<p class="error">There is something wrong. Please try again</p>';
            }
        }
        else {
            echo '<p class="error">The username you entered is incorrect.<br> Please try again</p>';
        }
    }
    else {
        // If there was a problem.
        echo '<p class="error">Please try again. 2</p>';
    }
}
else {
    echo "There was an error, please try again";
}
?>
```
My $hashedPwdCheck returns true, but as soon as I put in the "redirect the user according to user_level" code it gives that output. Here is my HTML form:
```html
<form action="" method="post">
    <div class="container">
        <p align="center"><label for="username"><b>Username:</b></label>
            <input id="username" type="text" placeholder="Username" name="username"
                   size="30" maxlength="30"
                   value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>"></p>
        <br>
        <p align="center"><label for="psword"><b>Password:</b></label>
            <input id="psword" type="password" placeholder="Password" name="psword"
                   size="30" maxlength="12"
                   value="<?php if (isset($_POST['psword'])) echo $_POST['psword']; ?>"></p>
        <br>
        <p align="center"><input type="submit" name="submit" value="Login"
                                 style="border: 3px;"></p>
    </div>
</form>
```
Answer 0 (score: 2)

I'm not very comfortable with PHP, but shouldn't there be a space between the else and the if here?

```php
else if ($_SESSION['user_level'] === 2) {
```

Update

Would this work?
```php
if ($hashedPwdCheck) {
    $_SESSION = mysqli_fetch_array($result, MYSQLI_ASSOC);
    $_SESSION['user_level'] = (int) $_SESSION['user_level'];
    // redirect the user according to user_level
    if ($_SESSION['user_level'] === 1) {
        header("location: admin-page.php");
        exit();
    }
    elseif ($_SESSION['user_level'] === 2) {
        header("location: coordinator-page.php");
        exit();
    }
    else {
        header("location: supervisor-homepage.php");
        exit();
    }
}
else {
    echo '<p class="error">Wrong password</p>';
}
```
It seems to me that checking for both true and false is redundant; this gets rid of the generic "something is wrong" error and should help you troubleshoot.
Answer 1 (score: 1)

First, I'll try to answer your first question. Looking quickly over your code, I noticed this line:

```php
$_SESSION = mysqli_fetch_array ($result, MYSQLI_ASSOC);
```

It looks to me like you are replacing the $_SESSION superglobal with the result of your SQL query. I don't think that is the right approach. Try the following instead:

```php
$_SESSION["user"] = mysqli_fetch_array ($result, MYSQLI_ASSOC);
```

and then reference the "user_level" column of the associative array with $_SESSION["user"]["user_level"].

For the second part, I'll offer some advice. Don't use mysqli. It is deprecated and insecure. <--- This is wrong! Silly me, I wasn't paying attention!

Mysqli is fine.. but PDO is more flexible (depending on what you are doing).. What I had in mind was the predecessor of mysqli, http://php.net/manual/en/function.mysql-connect.php. PDO is still great and well worth learning, though. The tutorial here is very good -> https://phpdelusions.net/pdo

Thanks to the comments below for pointing out my nonsense.
Answer 2 (score: 1)

I thought a couple of times that I could pin down where the code breaks, but I'm not sure; when I tested your code it redirected (or tried to) to the supervisor page, which is what I expected. That said, the code is vulnerable to SQL injection - at this stage, perhaps the following might help.
```php
<?php
session_start();
try {
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        if (isset($_POST['submit'], $_POST['username'], $_POST['psword'])) {
            /* all form processing: start */
            require 'mysqli_connect.php';
            /*
                do some rudimentary sanitizing of input data though
                by using a `prepared statement` you are fairly well
                protected from malicious user input.
            */
            $args = array(
                'username' => FILTER_SANITIZE_STRING,
                'psword'   => FILTER_SANITIZE_STRING
            );
            $_POST = filter_input_array(INPUT_POST, $args);
            /* assign variables from POST data */
            $username = !empty($_POST['username']) ? $_POST['username'] : false;
            $password = !empty($_POST['psword']) ? $_POST['psword'] : false;
            if (!$username) throw new Exception('You forgot to enter your username');
            if (!$password) throw new Exception('You forgot to enter your password');
            $sql = 'select `password` as `pwd`, `user_level` from `users` where `username`=?';
            $stmt = $dbcon->prepare($sql);
            /* Abandon ship if the prepared statement failed */
            if (!$stmt) throw new Exception('Failed to prepare SQL Query');
            /* all good, bind placeholder to a variable */
            $stmt->bind_param('s', $username);
            /* run the query */
            $result = $stmt->execute();
            if (!$result) throw new Exception('Query failed');
            $stmt->store_result();
            $stmt->bind_result($pwd, $userlevel);
            $stmt->fetch();
            $stmt->close();
            /* now confirm that $password matches the stored hash $pwd using password_verify */
            $verified = password_verify($password, $pwd);
            /* continue logic for success / failure */
            if (!$verified) {
                throw new Exception('Unable to validate username &/or password');
            } else {
                switch ($userlevel) {
                    case 1:  $page = 'admin-page.php';          break;
                    case 2:  $page = 'coordinator-page.php';    break;
                    default: $page = 'supervisor-homepage.php'; break;
                }
                /* set SESSION variables */
                $_SESSION['user_level'] = $userlevel;
                $_SESSION['username']   = $username;
                header(sprintf('Location: %s', $page));
                exit();
            }
            /* all form processing: end */
        } else {
            throw new Exception('Missing POST parameters');
        }
    }
} catch (Exception $e) {
    exit(sprintf('<p class="error">There was a problem - %s @ line %d</p>', $e->getMessage(), $e->getLine()));
}
?>
<!DOCTYPE html>
<html lang='en'>
<head>
    <meta charset='utf-8' />
    <title>login</title>
    <style>
        label{font-weight:bold}
        [type='submit']{float:none;margin:auto}
        p{text-align:center}
    </style>
</head>
<body>
<?php
    /* values for input fields */
    $username = !empty($_POST['username']) ? $_POST['username'] : '';
    $password = !empty($_POST['psword']) ? $_POST['psword'] : '';
?>
<form method='post'>
    <div class='container'>
        <p>
            <label for='username'>Username:</label>
            <input id='username' type='text' placeholder='Username' name='username' size='30' maxlength='30' value='<?php echo $username; ?>' />
        </p>
        <p>
            <label for='psword'>Password:</label>
            <input id='psword' type='password' placeholder='Password' name='psword' size='30' maxlength='12' value='<?php echo $password; ?>' />
        </p>
        <p>
            <input type='submit' name='submit' value='Login'>
        </p>
    </div>
</form>
</body>
</html>
```
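A login handler for the same form, added here as an example that is not part of the question or of any answer above: it fetches the user's row exactly once (the question's code fetches it a second time after mysqli_fetch_assoc has already consumed the only row, which is how $_SESSION gets overwritten), checks the password with password_verify, regenerates the session id, and only ever redirects to a page from a fixed map. It assumes, like the question, that mysqli_connect.php defines a mysqli connection $dbcon, that the `users` table has username, password (a password_hash value) and user_level columns, and that mysqlnd is available for get_result().

```php
<?php
// Added example, not code from the question or the answers. Assumes that
// mysqli_connect.php defines a mysqli connection $dbcon, that `users` has
// username, password (password_hash output) and user_level columns, and
// that mysqlnd is available so that get_result() works.
session_start();
require 'mysqli_connect.php';

// Fixed map from user_level to landing page: the redirect target never comes
// from the request or from the database row, only from this table.
const LANDING_PAGES = [1 => 'admin-page.php', 2 => 'coordinator-page.php'];
const DEFAULT_PAGE  = 'supervisor-homepage.php';

function landing_page(int $level): string
{
    return LANDING_PAGES[$level] ?? DEFAULT_PAGE;
}

$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim($_POST['username'] ?? '');
    $password = $_POST['psword'] ?? '';
    if ($username === '' || $password === '') {
        $error = 'Please enter both your username and your password.';
    } else {
        // Prepared statement: the username is bound as data, never interpolated.
        $stmt = $dbcon->prepare('SELECT password, user_level FROM users WHERE username = ?');
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();   // fetch the row exactly once
        $stmt->close();

        // Same message for "no such user" and "wrong password", so the response
        // does not reveal which usernames exist.
        if (!$row || !password_verify($password, $row['password'])) {
            $error = 'The username or password is incorrect.';
        } else {
            session_regenerate_id(true);            // fresh session id after login
            $_SESSION['username']   = $username;
            $_SESSION['user_level'] = (int) $row['user_level'];
            header('Location: ' . landing_page($_SESSION['user_level']));
            exit();
        }
    }
}
if ($error !== null) {
    echo '<p class="error">' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

The form that goes with this handler should not echo the submitted password back into the value attribute, and a re-displayed username should pass through htmlspecialchars before it is written into the page.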