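I am trying to make a user login in PHP
【Title】: i am trying to make a user login in php
【Posted】: 2014-12-28 23:11:36
【Question】:
I am trying to make the users show up when I click Browse in phpMyAdmin on localhost. I created a table called test. I am trying to make it so that when you register, it shows the user in the database and registers him or her, but it does not using this code:
hoping.php: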
<?php
$reg = @$_users['reg'];
$fn = "";
$ln = "";
$un = "";
$em = "";
$em2 = "";
$pswd = "";
$pswd2 = "";
$d = "";
$u_check = "";
$fn = strip_tags(@$_test['fname']);
$ln = strip_tags(@$_test['lname']);
$un = strip_tags(@$_test['username']);
$em = strip_tags(@$_users['email']);
$em2 = strip_tags(@$_users['email2']);
$pswd = strip_tags(@$_users['password']);
$pswd2 = strip_tags(@$_users['password2']);
$d = date("Y-m-d");
if ($reg) {
    if ($em == $em2) {
        $u_check = mysql_query("SELECT username FROM users WEHRE username='$un'");
        $check = mysql_num_rows($u_check);
        if ($check == 0) {
            if ($fn && $ln && $un && $em && $em2 && $pswd && $pswd2) {
                if ($pswd == $pswd2) {
                    if (strlen($un) > 25 || strlen($fn) > 25 || strlen($ln) > 25) {
                        echo "The maximum limit for username/first name/last name is 25 characters!";
                    }
                    else {
                        if (strlen($pswd) > 30 || strlen($pswd) < 5) {
                            echo "Your password must be between 5 and 30 characters long!";
                        }
                        else {
                            $pswd = md5($pswd);
                            $pswd2 = md5($pswd2);
                            $query = mysql_query("INSERT INTO users VALUES ('', '$un', '$fn', '$ln','$em', '$pswd', '$d','0')");
                            die("<h2>Welcome to communicate</h2>Login to your account to get started ...");
                        }
                    }
                }
                else {
                    echo "Your passwords don't match!";
                }
            }
            else {
                echo "Please fill in all of the fields";
            }
        }
        else {
            echo "Username already taken ...";
        }
    }
    else {
        echo "Your E-mails don't match!";
    }
}
if (isset($_users["user_login"]) && isset($_users["password_login"])) {
    $user_login = preg_replace('#[^A-Za-z0-9]#i', '', $_users["user_login"]);
    $password_login = preg_replace('#[^A-Za-z0-9]#i', '', $_users["password _login"]);
}
?>
<div style="width: 800px; margin: 0px auto 0px auto;">
<table>
<tr>
<td valign="top">
<h2>Already a member? Sign in below!</h2>
<form action="hoping.php" method="users">
<input type="text" name="username" size="25" placeholder="Username"/><br /><br />
<input type="text" name="Password2" size="25" placeholder="Password (again)"/><br /><br />
<input type="submit" name="reg" value="Sign Up!">
</form>
<td>
<td >
<h2>Sign Up Below!</h2>
<form action="hoping.php" method="users">
<input type="text" name="fname" size="25" placeholder="First Name" />
<p />
<input type="text" name="lname" size="25" placeholder="Last Name"/><br /><br />
<input type="text" name="username" size="25" placeholder="username"/><br /><br />
<input type="text" name="email" size="25" placeholder="Email Address"/><br /><br />
<input type="text" name="email2" size="25" placeholder="Email Address (again)"/><br /><br />
<input type="text" name="password" size="25" placeholder="Password"/><br /><br />
<input type="text" name="Password2" size="25" placeholder="Password (again)"/><br /><br />
<input type="submit" name="reg" value="Sign Up!">
</td>
</tr>
</table>
<?php include ("./connect.inc.php");
connect.inc.php
<?php
mysql_connect("localhost", "root", "") or die("Couldnt conocet to server");
mysql_select_db("test") or die("Could'nt select DB");
?>
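【Comments】:
Don't use mysql_*! It is deprecated and very insecure. Written like this, you are open to SQL injection.
What is the question? What does "it does not using this code" mean?
It means that when using this code, it does not register the user.
What should be used instead of mysql?
I have rewritten the entire code for you. It is full of bugs and errors; I can't even begin to point them out. For your safety, I will use PDO() instead of mysql(), with prepared statements. It will take some time, though.
【Answer 1】:
Okay, here is the improved script. Please make sure you read all the comments and make corrections where needed, because this is not ready-made code!
Change your connect.inc.php to (please make sure to fill in all the necessary information):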
<?php
$dbhost = ""; //MySQL host (usually: localhost)
$dbuser = ""; //MySQL user
$dbpass = ""; //MySQL password
$dbname = ""; //MySQL database name
$pdo = new PDO("mysql:host=".$dbhost.";dbname=". $dbname, $dbuser, $dbpass);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
?>
Change hoping.php to:
<?php
require "connect.inc.php";
/*
Using md5 to encrypt a password is not secure.
I've written a much more secure function for password encryption.
However this requires your database to have enough room for it.
For example: `password` VARCHAR(128) NOT NULL
If you need to alter your database to make the room, please
execute this command in phpMyAdmin (change password to whatever
the column name is in your users table):
ALTER TABLE `users` MODIFY COLUMN `password` VARCHAR(128);
If your database has the room for this, please set the following
variable to true. Otherwise leave it false to keep using md5.
*/
$secureCrypt = false;
if(isset($_POST['login'])) {
    $sql = "SELECT * FROM users WHERE username = :user";
    $pre = $pdo->prepare($sql);
    //The login form posts this field as "username" (lower case)
    $pre->bindValue(":user", $_POST['username']);
    if($pre->execute()) {
        $data = $pre->fetch();
        if($data === false) {
            //No such user: answer exactly as for a wrong password
            echo "Invalid password!<br />";
        } elseif($secureCrypt) {
            //Please correct 'column_name_here'.
            //I was unable to do this for you because I lacked the column name
            //where the passwords are stored.
            //hash_equals() (PHP >= 5.6) compares in constant time and avoids loose == on hashes
            if(hash_equals((string) $data['column_name_here'], crypt($_POST['Password'], $data['column_name_here']))) {
                echo "You have successfully logged in!<br />";
            } else {
                echo "Invalid password!<br />";
            }
        } else {
            if(hash_equals((string) $data['column_name_here'], md5($_POST['Password']))) {
                echo "You have successfully logged in!<br />";
            } else {
                echo "Invalid password!<br />";
            }
        }
    } else {
        echo "\nMySQL returned error:\n";
        print_r($pdo->errorInfo());
    }
}
if(isset($_POST['register'])) {
    $error = false;
    $error_text = "";
    //Check names for illegal characters
    // Allows A-Z, a-z, underscore( _ ), dots( . ), spaces and dashes( - )
    function nameRegex($var) {
        return !preg_match("/^[a-zA-Z_\. \-]+$/i", $var);
    }
    //Check usernames for illegal characters
    // Allows 0-9, A-Z, a-z, underscore( _ ) and dashes( - )
    function userRegex($var) {
        return !preg_match("/^[0-9a-zA-Z_\-]+$/i", $var);
    }
    //Check for valid mail address
    function mailFilter($var) {
        return filter_var($var, FILTER_VALIDATE_EMAIL) === false;
    }
    //Check if 2 values match
    function matchValues($var1, $var2) {
        return $var1 != $var2;
    }
    //Check if username already exists
    function checkUser($user) {
        //$pdo is created in connect.inc.php; without this line it is undefined inside the function
        global $pdo;
        $sql = "SELECT username FROM users WHERE username = :user";
        $pre = $pdo->prepare($sql);
        $pre->bindValue(":user",$user);
        if($pre->execute()) {
            return $pre->rowCount() > 0;
        } else {
            echo "\nMySQL returned error:\n";
            print_r($pdo->errorInfo());
        }
    }
    //Check for correct size
    function checkSize($var, $size) {
        return strlen($var) > $size;
    }
    //Securely encrypt user passwords
    function cryptPass($pass, $rounds = 9) {
        $salt = "";
        $saltChars = array_merge(range('A','Z'), range('a','z'), range(0,9));
        for($i=0;$i<22;$i++) {
            $salt .= $saltChars[array_rand($saltChars)];
        }
        return crypt($pass, sprintf('$2y$%02d$', $rounds) . $salt);
    }
    if(nameRegex($_POST['fname'])) {
        $error = true;
        $error_text .= "Your First Name contains illegal characters!<br />";
    }
    if(nameRegex($_POST['lname'])) {
        $error = true;
        $error_text .= "Your Last Name contains illegal characters!<br />";
    }
    if(userRegex($_POST['username'])) {
        $error = true;
        $error_text .= "Your Username contains illegal characters!<br />";
    }
    if(mailFilter($_POST['email'])) {
        $error = true;
        $error_text .= "Your Email Address does not appear to be valid!<br />";
    }
    if(mailFilter($_POST['email2'])) {
        $error = true;
        $error_text .= "Your 2nd Email Address does not appear to be valid!<br />";
    }
    if(matchValues($_POST['email'], $_POST['email2'])) {
        $error = true;
        $error_text .= "It appears both Email Addresses did not match!<br />";
    }
    if(matchValues($_POST['password'], $_POST['password2'])) {
        $error = true;
        $error_text .= "It appears both Passwords did not match!<br />";
    }
    if(checkUser($_POST['username'])) {
        $error = true;
        $error_text .= "The Username is already taken by another user!<br />";
    }
    if(checkSize($_POST['fname'], 25)) {
        $error = true;
        $error_text .= "The First Name contains too many characters!<br />";
    }
    if(checkSize($_POST['lname'], 50)) {
        $error = true;
        $error_text .= "The Last Name contains too many characters!<br />";
    }
    if(checkSize($_POST['username'], 16)) {
        $error = true;
        $error_text .= "The Username contains too many characters!<br />";
    }
    //The length check for the email address must test the email field
    if(checkSize($_POST['email'], 125)) {
        $error = true;
        $error_text .= "The Email address contains too many characters!<br />";
    }
    if(!$error) {
        if($secureCrypt) {
            $hashPass = cryptPass($_POST['password']);
        } else {
            $hashPass = md5($_POST['password']);
        }
        //Placeholders must not be quoted, otherwise they are inserted as literal strings
        $sql = "INSERT INTO users VALUES ('', :username, :fname, :lname, :email, :password, :date, '0')";
        $pre = $pdo->prepare($sql);
        $pre->bindValue(":username",$_POST['username']);
        $pre->bindValue(":fname",$_POST['fname']);
        $pre->bindValue(":lname",$_POST['lname']);
        $pre->bindValue(":email",$_POST['email']);
        //Store the hash, never the plain-text password
        $pre->bindValue(":password",$hashPass);
        $pre->bindValue(":date",date("Y-m-d"));
        if($pre->execute()) {
            echo "You are successfully registered. Welcome!";
        } else {
            echo "\nMySQL returned error:\n";
            print_r($pdo->errorInfo());
        }
    } else {
        echo "There are some problems with your registration.<br />";
        echo "Please correct the following errors:<br /><br />";
        echo $error_text;
        echo "<br />";
    }
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Login Page</title>
<style>
#div1 {
    width: 800px;
    margin: 0px auto 0px auto;
}
#td1 {
    width: 60%;
    vertical-align: top;
}
#td2 {
    width: 40%;
}
</style>
</head>
<body>
<div id="div1">
<table>
<tr>
<td id="td1">
<h2>Already a member? Sign in below!</h2>
<form action="hoping.php" method="post" id="user_login" accept-charset="utf-8">
<input type="text" name="username" size="25" placeholder="Username"/><br /><br />
<input type="password" name="Password" size="25" placeholder="Password"/><br /><br />
<input type="submit" name="login" value="Login!">
</form>
</td>
<td id="td2">
<h2>Sign Up Below!</h2>
<form action="hoping.php" method="post" id="user_register" accept-charset="utf-8">
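<!-- Re-displayed input is escaped with htmlspecialchars() so it cannot break out of the value attribute -->
<input type="text" name="fname" size="25" placeholder="First Name" value="<?php echo htmlspecialchars(isset($_POST['fname']) ? $_POST['fname'] : '', ENT_QUOTES, 'UTF-8'); ?>" /><br /><br />
<input type="text" name="lname" size="25" placeholder="Last Name" value="<?php echo htmlspecialchars(isset($_POST['lname']) ? $_POST['lname'] : '', ENT_QUOTES, 'UTF-8'); ?>" /><br /><br />
<input type="text" name="username" size="25" placeholder="username" value="<?php echo htmlspecialchars(isset($_POST['username']) ? $_POST['username'] : '', ENT_QUOTES, 'UTF-8'); ?>" /><br /><br />
<input type="text" name="email" size="25" placeholder="Email Address" value="<?php echo htmlspecialchars(isset($_POST['email']) ? $_POST['email'] : '', ENT_QUOTES, 'UTF-8'); ?>" /><br /><br />
<input type="text" name="email2" size="25" placeholder="Email Address (again)" value="<?php echo htmlspecialchars(isset($_POST['email2']) ? $_POST['email2'] : '', ENT_QUOTES, 'UTF-8'); ?>" /><br /><br />
<input type="password" name="password" size="25" placeholder="Password"/><br /><br />
<input type="password" name="password2" size="25" placeholder="Password (again)"/><br /><br />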
<input type="submit" name="register" value="Sign Up!">
</form>
</td>
</tr>
</table>
</div>
</body>
</html>
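【Comments】:
It gives errors in hoping.php on line 98: Notice: Undefined variable: pre in D:\Download\htdocs\hoping.php on line 100 Fatal error: Call to a member function bindValue() on a non-object in D:\Download\htdocs\hoping.php on line 100 and line 98: Notice: Undefined variable: pdo in D:\Download\htdocs\hoping.php on line 98 Fatal error: Call to a member function prepare() on a non-object in D:\Download\htdocs\hoping.php on line 98
@Rarster Did you edit your "connect.inc.php" like I told you? These errors simply mean that the PDO object was not created. That only happens if you did not change that file, or if the file is not in the same folder as "hoping.php".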
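Added example (not part of the original answer or its comments): the answer keeps md5 available behind `$secureCrypt`, so existing rows stay md5-hashed. One way to retire them without resetting passwords is to verify the legacy hash at login and immediately rewrite it with `password_hash()`. The in-memory SQLite table, the `login()` helper and the sample account are constructed for this demo; it assumes PHP 5.6+ with the pdo_sqlite extension.

```php
<?php
// Added example: upgrade legacy md5 password hashes at login.
// Table layout, helper name and sample account are constructed for this demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)");

// One account as the old md5 code path would have stored it.
$ins = $pdo->prepare("INSERT INTO users (username, password) VALUES (:u, :p)");
$ins->execute([':u' => 'alice', ':p' => md5('correct horse')]);

function login(PDO $pdo, $username, $password)
{
    $sel = $pdo->prepare("SELECT password FROM users WHERE username = :u");
    $sel->execute([':u' => $username]);
    $stored = $sel->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }

    // A legacy row is a bare 32-character lowercase hex md5 digest.
    $isLegacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $isLegacy
        ? hash_equals($stored, md5($password))   // constant time, no loose ==
        : password_verify($password, $stored);
    if (!$ok) {
        return false;
    }

    // Password was correct: replace md5 (or an outdated cost) with a fresh hash.
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare("UPDATE users SET password = :p WHERE username = :u");
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

var_dump(login($pdo, 'alice', 'wrong guess'));   // wrong password
var_dump(login($pdo, 'alice', 'correct horse')); // first correct login, checked against md5
var_dump(login($pdo, 'alice', 'correct horse')); // second login, checked by password_verify()
echo $pdo->query("SELECT password FROM users")->fetchColumn(), "\n";
```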