PHP $_Session ,JS在成功插入用户名和密码后不允许会员登录

Posted

技术标签:

【中文标题】PHP $_Session ,JS在成功插入用户名和密码后不允许会员登录【英文标题】:PHP $_Session , JS not allowing member login after successful username and password inserted 【发布时间】:2022-01-20 17:33:21 【问题描述】:

所以,这个实现与 md5 密码检查一起工作,但在实施密码哈希检查(为了在我的数据库中更安全的密码存储)之后,不允许成员登录。输入正确的电子邮件和密码后的用户仅带回 index.php 页面。任何帮助,将不胜感激。这是我的 session.php 代码:

<?php
     session_start(); 
    //Check whether the session variable SESS_MEMBER_ID is present or not
    // do check

    if(!isset($_SERVER['HTTP_REFERER']))
        // redirect them to your desired location
        header('Location: custom_404.html');
        exit;
    
    if (!isset($_SESSION['alogin']) || (trim($_SESSION['alogin']) == ''))  ?>
    <!-- send to home page -->
    <script>
    window.location = "../index.php";
    </script>
    <?php
    
    $session_id=$_SESSION['alogin'];
    $session_depart = $_SESSION['arole'];
    ?>

这是在index.php 中应该工作的内容:

    <?php
    session_start();
    include('includes/config.php');
    if(isset($_POST['signin']))
    
        $username=$_POST['username'];
        $username=strtolower($username);
        $password=$_POST['password'];

        $sql ="SELECT * FROM tblemployees where EmailId = '$username'";
        $query= mysqli_query($conn, $sql);
        $count = mysqli_num_rows($query);

        if($count>0)
        
            $passwordCheck = mysqli_fetch_assoc($query)['Password'];
            if(!password_verify($password,$passwordCheck))
                echo "<script>alert('Wrong password please try again.');</script>";
            
            while ($row = mysqli_fetch_assoc($query)) 
                if ($row['role'] == 'Admin') 
                    $_SESSION['alogin']=$row['emp_id'];
                    $_SESSION['arole']=$row['Department'];
                    echo "<script type='text/javascript'> document.location = 'admin/admin_dashboard.php'; </script>";
                
                elseif ($row['role'] == 'Staff') 
                    $_SESSION['alogin']=$row['emp_id'];
                    $_SESSION['arole']=$row['Department'];
                    echo "<script type='text/javascript'> document.location = 'staff/index.php'; </script>";
                
                else 
                    $_SESSION['alogin']=$row['emp_id'];
                    $_SESSION['arole']=$row['Department'];
                    echo "<script type='text/javascript'> document.location = 'heads/index.php'; </script>";
                
            
         
        else
          
          echo "<script>alert('Wrong email or password please try again.');</script>";

        

    
    // $_SESSION['alogin']=$_POST['username'];
    //  echo "<script type='text/javascript'> document.location = 'changepassword.php'; </script>";
    ?>

【问题讨论】:

欢迎来到 SO!请阅读how to ask 并编辑您的问题以包含您的问题instead of an image of the code 中的实际代码。 使用var_dump($_SESSION); 查看会话中实际保存的内容。 @WOUNDEDStevenJones 我改了。 @Barmar 我应该把代码的 sn-p 放在哪里?我如何才能真正查看会话的内容,看看它是否真的保存了它。 已更新 - 我发现输出是 => array(0) 。我在这里做错了吗? 【参考方案1】:

您的登录代码错误。循环

while ($row = mysqli_fetch_assoc($query))

永远不会获取任何东西,因为您已经阅读了该行

$passwordCheck = mysqli_fetch_assoc($query)['Password'];

您应该只获取该行一次,并将其用于密码和角色检查。

您还应该使用准备好的语句来防止 SQL 注入。

<?php
session_start();
include('includes/config.php');
if(isset($_POST['signin']))

    $username=$_POST['username'];
    $username=strtolower($username);
    $password=$_POST['password'];

    $sql ="SELECT * FROM tblemployees where EmailId = ?";
    $stmt= mysqli_prepare($conn, $sql);
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    $query = mysqli_stmt_get_result($stmt);
    $row = mysqli_fetch_assoc($query);
    if($row)
    
        $passwordCheck = $row['Password'];
        if(!password_verify($password,$passwordCheck))
            echo "<script>alert('Wrong email or  password please try again.');</script>";
         else 
            if ($row['role'] == 'Admin') 
                $_SESSION['alogin']=$row['emp_id'];
                $_SESSION['arole']=$row['Department'];
                echo "<script type='text/javascript'> document.location = 'admin/admin_dashboard.php'; </script>";
            
            elseif ($row['role'] == 'Staff') 
                $_SESSION['alogin']=$row['emp_id'];
                $_SESSION['arole']=$row['Department'];
                echo "<script type='text/javascript'> document.location = 'staff/index.php'; </script>";
            
            else 
                $_SESSION['alogin']=$row['emp_id'];
                $_SESSION['arole']=$row['Department'];
                echo "<script type='text/javascript'> document.location = 'heads/index.php'; </script>";
            
        
     
    else
        echo "<script>alert('Wrong email or password please try again.');</script>";
    


// $_SESSION['alogin']=$_POST['username'];
//  echo "<script type='text/javascript'> document.location = 'changepassword.php'; </script>";
?>

【讨论】:

谢谢!感谢您的帮助:)

以上是关于PHP $_Session ,JS在成功插入用户名和密码后不允许会员登录的主要内容,如果未能解决你的问题,请参考以下文章

如何将 $_SESSION 变量添加到 Ajax 请求中并将数据插入到 mysql 数据库 PHP 中?

php怎样在首页显示登录昵称

PHP 登录和 $_SESSION

PHP学习笔记:使用session来存储用户的登录信息

【php】SESSION保存短信验证码问题

求php实现登录成功后返回首页并在原登录处显示用户名的源代码(类似于铁血网的登录)