每次我使用用户帐户登录时,它将带我进入管理页面而不是用户页面。另外,我使用哈希算法来保护密码,但是每次尝试使用正确的密码登录时,密码将无法正常工作。
我可以使用Admin和User Accounts登录。但是,密码是经过哈希处理的,因此当我尝试使用该密码登录时它无法使用。当我注销时也会出现错误。我可以登录的唯一方法是,如果我手动更改了在mysql数据库上显示为散列的密码,则将其更改为原始密码(但是,此密码意味着该密码可以由该用户的每个用户看到,就像我拥有的一样)手动更改)。
<?php
session_start();
$heading = 'Login/Register';
require 'layout.php';
?>
<?php
$server = 'v.je';
$username = 'student';
$password = 'student';
$schema = 'csy2028';
$pdo = new PDO('mysql:dbname=' . $schema . ';host=' . $server, $username, $password,
[ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
if (isset($_POST['signup'])){
$name = $_POST['name'];
$email = $_POST['email'];
$username = $_POST['username'];
$password = $_POST['password'];
$password_encrypted = password_hash($password, PASSWORD_BCRYPT);
$insert = $pdo->prepare("INSERT INTO users (name, email, username, password)
VALUES(:name, :email, :username, :password)");
$insert->bindParam(':name', $name);
$insert->bindParam(':email', $email);
$insert->bindParam(':username', $username);
$insert->bindParam(':password', $password_encrypted);
$insert->execute();
}
else if (isset($_POST['login'])){
$username = $_POST['username'];
$password = $_POST['password'];
$us=$_POST['userType'];
$select = $pdo->prepare("SELECT * FROM users WHERE username='$username' and password='$password' and userType='$us' ");
$select->setFetchMode(PDO::FETCH_ASSOC);
$select->execute();
$data=$select->fetch();
$admin = "admin/ham123";
$admin = "admin";
if($data['username']!=$username && $data['password']!=$password){
echo "invalid username or password";
}
else if($data['username']==$username && $data['password']==$password){
$_SESSION['adminloggedin']=$data['email'];
$_SESSION['name']=$data['name'];
header("location:adminprofile.php");
}
else if($data['username']==$username && $data['password']==$password && $us==$data['userType']){
$_SESSION['email']=$data['email'];
$_SESSION['name']=$data['name'];
header("location:userprofile.php");
}
}
?>
<form id='login' action='login.php' method='post'>
<fieldset >
<legend>Login</legend>
<label for='username' >Username:</label>
<input type='text' name='username' id='username' maxlength="50" />
<label for='password' >Password*:</label>
<input type='password' name='password' id='password' maxlength="50" />
<select name="userType" >
<option value="" disabled selected>Select User Type</option>
<option value="User">User</option>
<option value="Admin">Admin</option>
</select>
<label>User Type</label>
<button class="button" name="login" style="vertical-align:middle"><span>Login</span></button>
</fieldset>
</form>
<form id='register' action='login.php' method='post' enctype="multipart/form-data">
<fieldset >
<legend>Register User</legend>
<input type='hidden' name='submitted' id='submitted' value='1'/>
<label for='name' >Name: </label>
<input type='text' name='name' id='name' maxlength="50" />
<label for='email' >Email:</label>
<input type='text' name='email' id='email' maxlength="50" />
<label for='username' >Username:</label>
<input type='text' name='username' id='username' maxlength="50" />
<label for='password' >Password*:</label>
<input type='password' name='password' id='password' maxlength="50" />
<button class="button" name="signup" style="vertical-align:middle"><span>Register</span></button>
</fieldset>
</form>
<?php
require 'footer.php'
?>
答案 0 :(得分:0)
您应更改密码验证码$data['password']==$password
,该密码应为:
password_verify ($password , $data['password'])
编辑
您还有其他问题。选择:
$select = $pdo->prepare("SELECT * FROM users WHERE username='$username' and password='$password' and userType='$us' ");
$select->setFetchMode(PDO::FETCH_ASSOC);
$select->execute();
将永远不会返回任何东西,因为您对密码进行了哈希处理以将其存储在数据库中,并且知道您正在将其与纯文本密码进行比较。您应该将其更改为:
$select = $pdo->prepare("SELECT * FROM users WHERE username='$username' and userType='$us' ");
$select->setFetchMode(PDO::FETCH_ASSOC);
$select->execute();
现在,您可以从数据库中获取密码哈希并进行比较。因此,其余代码应为:
if(!password_verify ($password , $data['password'])){
echo "invalid username or password";
} else if($data['userType']=='admin'){
$_SESSION['adminloggedin']=$data['email'];
$_SESSION['name']=$data['name'];
header("location:adminprofile.php");
} else {
$_SESSION['email']=$data['email'];
$_SESSION['name']=$data['name'];
header("location:userprofile.php");
}
您不需要验证用户,因为您已经在数据库中对其进行了验证。因此,如果密码错误,则会收到错误消息,如果可以,请测试用户类型是否为“ admin”(或所需的其他类型)。如果可以,请以管理员身份登录,否则以用户身份登录。