我不愿意成为新手,请问您可以解决此代码,或者至少告诉我如何做,但是我在这里进行了一个月的尝试,以弄清为什么它不起作用,如果不明显,我会我从2月才开始编写代码,因此我的知识非常有限,我一直在研究几门不同的课程,并且已经成功地使用md5和许多其他不太安全的方式编写了类似的脚本,但是我不想将网站放到网上这些脚本。
我的问题是我可以注册一个用户密码,用户名等,并将其正确存储在数据库中并进行哈希处理,但是当我尝试以该用户身份登录时,我不知道为什么我没有正确验证密码,我总是被引导到pwd错误行。
我在一周中大部分时间都在工作,除了周末,几乎没有时间去修改它,但这是现在的第四个周末,id真的很乐意解决此问题,而不必重写整个内容。我真的很想使用准备好的语句来做这样的事情,我已经将每条语句与php手册进行了比较,它对我来说看起来很有效,我又一次又一次地遍历了它,试图找出问题所在,但是我发现了所有问题检查似乎应该工作。我迷路了。
这里是某人查看正在发生什么情况所需的文件。 。 。
注册脚本
<?php
require "header.php";
?>
<main>
<div class="wrapper-main">
<section class="section-default">
<h1>Signup</h1>
<form class="form-signup" action="includes/signup.inc.php" method="POST">
<input type="text" name="mailuid" placeholder="Username">
<input type="email" name="mail" placeholder="E-mail">
<input type="password" name="pwd" placeholder="Password">
<input type="password" name="pwd-repeat" placeholder="Repeat Password">
<button type="submit" name="signup-submit">Signup</button>
</form>
</section>
</div>
</main>
<?php
require "footer.php";
?>
<?php
if (isset($_POST['signup-submit'])) {
require 'dbh.inc.php';
$username = $_POST['mailuid'];
$email = $_POST['mail'];
$password = $_POST['pwd'];
$passwordRepeat = $_POST['pwd-repeat'];
/// checks that user filled all feilds
if (empty($username) || empty($email) || empty($password) || empty($passwordRepeat)) {
header("Location: ../signup.php?error=emptyfeilds&uid=".$username."&mail=".$email); //error msgs to user
exit();
}
else if (!filter_var($email, FILTER_VALIDATE_EMAIL) && !preg_match("/^[a-zA-Z0-9]*$/", $username)) {
header("Location: ../signup.php?error=invalidmail&uid");
exit();
}
else if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
header("Location: ../signup.php?error=invalidmail&uid=".$username);
exit();
}
else if (!preg_match("/^[a-zA-Z0-9]*$/",$username)) {
header("Location: ..signup.php?error=imvalidui&mail=".$email);
exit();
}
else if ($password !== $passwordRepeat) {
header("Location: ../signup.php?error=passwordcheck&id=".$username."&mail=".$email);
exit();
}
else {
// checks for matching users in db
$sql = "SELECT * FROM users WHERE uidUsers=?";
$stmt = mysqli_stmt_init($conn);
if (!mysqli_stmt_prepare($stmt, $sql)) {
header("Location: ../signup.php?error=sqlerror");
exit();
}
else {
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
$resultcheck = mysqli_stmt_num_rows($stmt);
if ($resultcheck > 0) {
header("Location: ../signup.php?error=usertaken=".$username);
exit();
}
else {
$sql = "INSERT INTO users (uidUsers, emailUsers, pwdUsers) VALUES (?, ?, ?)";
$stmt = mysqli_stmt_init($conn);
if (!mysqli_stmt_prepare($stmt,$sql)) {
header("Location: ../signup.php?error=sqlerror");
exit();
}
else {
$hashedPwd = password_hash($password, PASSWORD_DEFAULT);
mysqli_stmt_bind_param($stmt, "sss", $username,$email,$hashedPwd);
mysqli_stmt_execute($stmt);
header("Location: ../index.php?signup=success");
exit();
}
}
}
}
mysqli_stmt_close($stmt);
mysqli_close($conn);
}
else {
header("Location: ../signup.php");
exit();
}
现在登录脚本
<?php
if (isset($_POST['login-submit'])) {
require 'dbh.inc.php';
$mailuid = $_POST['mailuid'];
$password = $_POST['pwd'];
if (empty($mailuid) || empty($password)) {
header("Location: ../index.php?error=emptyfields");
exit();
}
else {
$sql = "SELECT * FROM users WHERE uidUsers=?;";
$stmt = mysqli_stmt_init($conn);
if (!mysqli_stmt_prepare($stmt, $sql)) {
header("Location: ../index.php?error=sqlerror");
exit();
}
else {
mysqli_stmt_bind_param($stmt, "s", $mailuid);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
if ($row = mysqli_fetch_assoc($result)) {
$pwdcheck = password_verify($password, $row['pwdUsers']);
if ($pwdCheck == false) {
header("Location: ../index.php?error=wrongpwd");
exit();
}
else if ($pwdCheck == true) {
session_start();
$_SESSION['userId'] = $row['idUsers'];
$_SESSION['userUid'] = $row['uidUsers'];
header("Location: ../index.php?login=success");
exit();
}
else {
header("Location: ../index.php?error=wrongpwd");
exit();
}
}
else {
header("location: ../index.php?error=nouser");
exit();
}
}
}
}
else {
header("Location: ../index.php");
exit();
}
您将用户名放在uidUsers
中,将电子邮件放在emailUsers
字段中,然后用"SELECT * FROM users WHERE uidUsers=?;"
读取并绑定到$mailuid
。
我认为应该改为"SELECT * FROM users WHERE emailUsers=?;"
。
还请确保保存密码哈希的数据库字段的类型为varchar(255)
,较短的字段可以截断密码哈希。
谢谢PaulT。您说得对,关于错误日志的提示有很大帮助,我还没有意识到。正如我所说的,我不久前才刚刚开始学习所有这一切。可悲的是,我在一个教程中被教导要以这种方式编写password_verify语句。我将相关零件更改为。 。 。
<?php
if (isset($_POST['login-submit'])) {
require 'dbh.inc.php';
$mailuid = $_POST['mailuid'];
$password = $_POST['pwd'];
if (empty($mailuid) || empty($password)) {
header("Location: ../index.php?error=emptyfields");
exit();
}
else {
$sql = "SELECT * FROM users WHERE uidUsers=?";
$stmt = mysqli_stmt_init($conn);
if (!mysqli_stmt_prepare($stmt, $sql)) {
header("Location: ../index.php?error=sqlerror");
exit();
}
else {
mysqli_stmt_bind_param($stmt, "s", $mailuid);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
if ($row = mysqli_fetch_assoc($result)) {
if (password_verify($password, $row['pwdUsers'])) {
session_start();
$_SESSION['userId'] = $row['idUsers'];
$_SESSION['userUid'] = $row['uidUsers'];
header("Location: ../index.php?login=success");
exit();
}
else {
header("Location: ../index.php?error=wrongpwd");
exit();
}
}
else {
header("location: ../index.php?error=nouser");
exit();
}
}
}
}
else {
header("Location: ../index.php");
exit();
}
现在所有这些最终都按预期工作。是否存在任何未解决的安全问题?