I'm having a problem with my login system: I can log in with any username and any password, and I have no fix for it.
If anyone can help me, I would be very grateful.
Here is my login system:
function userLog() {
    global $connect;
    if (isset($_POST['userLog'])) {
        $username = trim(protect($_POST['username']));
        $password = trim(protect($_POST['password']));
        if (empty($username)) {
            $_SESSION['message'] = '';
            header('Location: index.php');
            exit();
        } elseif (empty($password)) {
            $_SESSION['message'] = '';
            header('Location: index.php');
            exit();
        }
        // Looks the username up, but the result is never inspected,
        // and $password is not used anywhere below this point.
        $userSQL = "SELECT * FROM users WHERE username = :username";
        $userLog = $connect->prepare($userSQL);
        $userLog->bindValue(':username', $username);
        $userLog->execute();
        $userLog->fetchAll();
        #PLACE FOR SELECT DATA FROM SQL TO IMPORT TO SESSION
        // Fetches the first row of the whole table, whoever is logging in.
        $sql = "SELECT * FROM users";
        $stm = $connect->prepare($sql);
        $stm->execute();
        $row = $stm->fetch();
        ####################################################
        // $userLog is a PDOStatement object, so this condition is always true.
        if ($userLog) {
            $_SESSION['user_id'] = $row['user_id'];     # id (mysql)
            $_SESSION['username'] = $row['username'];   # user (mysql)
            $_SESSION['email'] = $row['email'];         # email (mysql)
            $_SESSION['f_name'] = $row['first_name'];   # fname (mysql)
            $_SESSION['l_name'] = $row['last_name'];    # lname (mysql)
            header('Location: index.php');
            exit();
        } else {
        }
    }
}
Sorry for my bad English.
You don't check the password anywhere here, so of course anyone can log in. You should fix it like this:
$userSQL = "SELECT * FROM users WHERE username = :usr AND password = :pwd";
$userLog = $connect->prepare($userSQL);
$userLog->bindValue(':usr', $username);
// Matches only rows where the stored password column equals the submitted value.
$userLog->bindValue(':pwd', $password);
$userLog->execute();
$users = $userLog->fetchAll();
if (count($users) == 0) {
    // fail here, no one to log in
    exit();
} elseif (count($users) > 1) {
    // Found more than one user; this should not happen, maybe fail.
}
If this check passes, the user is logged in, and $users[0] holds the user's information.
I can't go into depth on creating a class! You need to read up on classes.
I corrected your code as best I could; I used bindParam instead of bindValue.
I hope you are using PDO, and it looks like you are :). Put session_start(); at the top of the page, before everything else.
function userLog() {
    global $connect;
    if (isset($_POST['userLog'])) {
        $username = trim($_POST['username']);
        $password = trim($_POST['password']);
        if (empty($username)) {
            $_SESSION['message'] = 'Enter username';
            header('Location: index.php');
            exit();
        } elseif (empty($password)) {
            $_SESSION['message'] = 'Enter password';
            header('Location: index.php');
            exit();
        } else {
            $sql = "SELECT * FROM users WHERE username = :username";
            if ($stmt = $connect->prepare($sql)) {
                // bindParam binds by reference, so the variable may be assigned after the call
                $stmt->bindParam(':username', $param_username, PDO::PARAM_STR);
                $param_username = $username;
                if ($stmt->execute()) {
                    $row = $stmt->fetch();
                    if ($row !== false) {   // fetch() returns false when no such username exists
                        $hashed_password = $row['password'];   // must hold password_hash() output
                        $email = $row['email'];
                        $name = $row['f_name'];
                        $lastname = $row['l_name'];
                        $id = intval($row['user_id']);
                        if (password_verify($password, $hashed_password)) {
                            session_regenerate_id();
                            $_SESSION["loggedin"] = true;
                            $_SESSION['user_id'] = $id;
                            $_SESSION['username'] = $username;
                            $_SESSION['email'] = $email;
                            $_SESSION['f_name'] = $name;
                            $_SESSION['l_name'] = $lastname;
                            header('Location: index.php');
                            exit();
                        } else {
                            $_SESSION['message'] = 'wrong password';
                        }
                    } else {
                        $_SESSION['message'] = 'wrong username';
                    }
                } else {
                    $_SESSION['message'] = 'Something went wrong';   // execute() failed
                }
            } else {
                $_SESSION['message'] = 'Something went wrong';   // prepare() failed
            }
        }
    }
}
I'll leave the redirect to the error page to you.
UPDATE: here is a simple class example; look up the proper way to create a class.
class userLog {
    /** @var PDO Copy of the PDO connection */
    private $connect;
    /** @var array|null Row of the logged-in user */
    private $user;
    /** @var string Error message */
    private $msg = '';

    public function __construct(PDO $connect) {
        $this->connect = $connect;
    }

    public function login($username, $password) {
        $stmt = $this->connect->prepare('SELECT * FROM users WHERE username = ?');
        $stmt->execute([$username]);
        $user = $stmt->fetch();
        // fetch() returns false for an unknown username; check that before reading $user['password']
        if ($user !== false && password_verify($password, $user['password'])) {
            $this->user = $user;
            session_regenerate_id();
            $_SESSION['user']['user_id'] = $user['user_id'];
            $_SESSION['user']['fname'] = $user['fname'];
            $_SESSION['user']['lname'] = $user['lname'];
            $_SESSION['user']['email'] = $user['email'];
            return true;
        } else {
            $this->msg = 'Invalid login information';
            // you can change the ajax response to a session error
            return false;
        }
    }

    /** Error message from the last failed login(), for the AJAX response */
    public function getMessage() {
        return $this->msg;
    }
}
Note that this function is meant to be called from an AJAX handler that returns the response.
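As an added example (not code from the question or from either answer above), here is the full round trip that both answers assume but neither shows: the first answer's point that the password must actually be checked, and the second answer's use of password_verify() and session_regenerate_id(), only work if registration stored a password_hash() value in the password column in the first place. The example runs offline against an in-memory SQLite database (assumed; the question's MySQL connection works the same through PDO), uses the question's column names as an assumption, and adds two things the answers leave out: an unknown username still costs one hash verification so response time does not reveal which usernames exist, and hashes made with older cost settings are upgraded on login via password_needs_rehash().

```php
<?php
// Added example, not from the question or the answers. Assumes the users table
// layout from the question (user_id, username, password, email, first_name,
// last_name) and uses an in-memory SQLite database so it runs stand-alone.
declare(strict_types=1);

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    $db->exec('CREATE TABLE users (
        user_id    INTEGER PRIMARY KEY AUTOINCREMENT,
        username   TEXT NOT NULL UNIQUE,
        password   TEXT NOT NULL,
        email      TEXT NOT NULL,
        first_name TEXT NOT NULL,
        last_name  TEXT NOT NULL)');
    return $db;
}

// Registration: the plaintext is never stored, only the password_hash() output.
function registerUser(PDO $db, string $username, string $password, string $email,
                      string $first, string $last): int {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password, email, first_name, last_name)
                          VALUES (:u, :p, :e, :f, :l)');
    $stmt->execute([':u' => $username, ':p' => $hash, ':e' => $email, ':f' => $first, ':l' => $last]);
    return (int) $db->lastInsertId();
}

// Login: look the user up by username only, then check the password with
// password_verify(). Returns the user row (without the hash) or null on failure.
function authenticate(PDO $db, string $username, string $password): ?array {
    // Computed once; verified against when the username is unknown so that the
    // failure path takes about as long as a real comparison.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT * FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();

    if ($row === false) {
        password_verify($password, $dummyHash);   // spend the same time, then fail
        return null;
    }
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    // Upgrade hashes created with an older algorithm or cost setting.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = :p WHERE user_id = :id');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['user_id']]);
    }
    unset($row['password']);   // the hash has no business in the session
    return $row;
}

// Session setup after a successful login. Regenerating the id first means a
// session id planted by an attacker before login is never promoted to a
// logged-in one (session fixation).
function startUserSession(array $user): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['loggedin'] = true;
    $_SESSION['user_id']  = (int) $user['user_id'];
    $_SESSION['username'] = $user['username'];
    $_SESSION['email']    = $user['email'];
    $_SESSION['f_name']   = $user['first_name'];
    $_SESSION['l_name']   = $user['last_name'];
}

// Demo with constructed data.
$db = makeDb();
registerUser($db, 'alice', 'correct horse battery staple', 'alice@example.com', 'Alice', 'Liddell');
var_dump(authenticate($db, 'alice', 'correct horse battery staple') !== null);
var_dump(authenticate($db, 'alice', 'wrong password') !== null);
var_dump(authenticate($db, 'nobody', 'anything') !== null);
```

In a request handler, the login branch becomes `$user = authenticate($connect, $username, $password); if ($user === null) { $_SESSION['message'] = 'Invalid login information'; } else { startUserSession($user); header('Location: index.php'); exit(); }`. Using one message for both the unknown-username and wrong-password cases, together with the dummy verification, keeps the login form from being usable to enumerate accounts.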