php - PDO 读取数据库,但不登录系统
问题描述
我目前有一个登录系统,我想将其从 Mysqli 转换为 PDO。
我目前有一个带有 phpMyAdmin/MySQL 附加数据库的网站。
我尝试转换所有内容,现在我将向您展示系统的 LOGIN.php 部分,因为我还没有触及注册部分。
这就是我所拥有的。
LOGIN.INC.PHP
<?php
require_once 'dbh.inc.php';
try {
$handler = new PDO("mysql:host=$servername;dbname=$dbname",
$username,
$password,
array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
} catch(PDOException $e){
echo $e->getName();
die();
}
//first we start a session
session_start();
//We then check if the user has clicked the login button
if (isset($_POST['submit'])) {
//Then we require the database connection
//require_once 'dbh.inc.php';
//And we get the data from the login form
$name = $_POST['name'];
$password = $_POST['password'];
//Error handlers
//Error handlers are important to avoid any mistakes the user might have made when filling out the form!
//Check if inputs are empty
if (empty($name) || empty($password)) {
header("Location: ../index.php?login=empty");
exit();
}
} else {
$stmt = $db->prepare("SELECT * FROM users WHERE user_name=:name");
$stmt->bindParam(':name', $name, PDO::PARAM_STR);
if ($stmt->execute()) {
header("location: ../index.php?login=error");
exit();
} else {
if ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
//de-hashing the password
$hashedpasswordCheck = password_verify($password, $row['user_password']);
if ($hashedpasswordCheck == false) {
header("location: ../index.php?login=error");
exit();
} elseif ($hashedpasswordCheck == true) {
//Log in the user here
$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_name'] = $row['user_name'];
header("location: ../index.php?login=success");
exit();
}
} else {
header("location: ../index.php?login=error");
exit();
}
}
}
DBH.INC.PHP
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "loginsystem";
try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname",
$username,
$password,
array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$stmt = $conn->prepare("SHOW DATABASES;");
$stmt->execute();
$stmt->setFetchMode(PDO::FETCH_ASSOC);
$result = $stmt->fetchAll();
print_r($result);
}
catch(PDOException $e) {
echo $e->getMessage();
}
$conn = null;
当我尝试登录时,我被重定向到此 url:
http://localhost/php44/includes/login.inc.php
并接收此打印的消息/错误。
Array ( [0] => Array ( [Database] => imgupload ) [1] => Array ( [Database] => information_schema ) [2] => Array ( [Database] => loginsystem ) [3] => Array ( [Database] => mysql ) [4] => Array ( [Database] => performance_schema ) [5] => Array ( [Database] => phpmyadmin ) [6] => Array ( [Database] => test ) )
我应该怎么做才能解决这个问题,以便我的登录有效?
解决方案
您的代码容易受到Html Elements Injection 和 session fixation 攻击。我已经实施strip_tags()
以防止 html 元素注入攻击,并且还实施session_regenerate_id();
以防止会话固定攻击。
同样,由于您已登录,您只需在验证用户名和密码后立即初始化会话。
至于我,我更喜欢使用 PDO 数组方法。无论如何,我提供了两个解决方案。我首先处理您的代码,然后对其进行适当的修改。确保数据库凭据正常
你的代码
<?php
//db connect starts
$db = new PDO (
'mysql:host=localhost;dbname=loginsystem;charset=utf8',
'root', // username
'' // password
);
//We then check if the user has clicked the login button
if (isset($_POST['submit'])) {
$name = $_POST['name'];
$password = $_POST['password'];
if ($name =='' && $password =='') {
header("Location: ../index.php?login=empty");
exit();
}
$stmt = $db->prepare("SELECT * FROM users WHERE user_name=:name");
$stmt->bindParam(':name', $name, PDO::PARAM_STR);
$stmt->execute();
$count = $stmt->rowCount();
if( $count == 1 ) {
$row = $stmt->fetch();
if(password_verify($password,$row['password'])){
echo "Password verified and ok";
// initialize session if things where ok.
session_start();
//Prevent session fixation attack
session_regenerate_id();
$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_name'] = $row['user_name'];
header("location: ../index.php?login=success");
exit();
}
else{
echo "Wrong Password details";
}
}
else {
echo "User does not exist";
}
}
?>
我的代码
<?php
//if (isset($_POST['submit'])) {
if ($_POST['name'] !='' && $_POST['password']) {
//connect
$db = new PDO (
'mysql:host=localhost;dbname=loginsystem;charset=utf8',
'root', // username
'' // password
);
$name = strip_tags($_POST['name']);
$password = strip_tags($_POST['password']);
if ($name == ''){
echo "Username is empty";
exit();
}
if ($password == ''){
echo "password is empty";
exit();
}
$result = $db->prepare('SELECT * FROM users where user_name = :name');
$result->execute(array(
':user_name' => $name));
$count = $result->rowCount();
if( $count == 1 ) {
$row = $result->fetch();
if(password_verify($password,$row['password'])){
echo "Password verified and ok";
// initialize session if things where ok.
session_start();
//Prevent session fixation attack
session_regenerate_id();
$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_name'] = $row['user_name'];
header("location: ../index.php?login=success");
exit();
}
else{
echo "Wrong Password details";
}
}
else {
echo "User does not exist";
}
}
?>
推荐阅读
- javascript - 从 HTML 结构中的 DIV 树中获取上层元素
- binary-search-tree - 使用数组的 bst 表示的优势
- python - 更改最接近 Numpy 数组中某个值的 n 个元素的符号
- magento-2.3 - 如何解决“我们发现有冲突的组件依赖项”。贝宝更新?
- java - elasticsearch后端离线时如何处理Hibernate Search启动
- r - 使用ggplot2的堆叠区域图的颜色问题
- angular - 表单显示有效,即使不满足所需的验证,“下一步”按钮也不会被禁用
- python - 从 git 存储库中的 requiremets.txt 文件安装包
- c# - C# 将 Double 从 DataGridView 转换为字符串
- angular - 如何在 *ngFor Angular 结构中将数据从父组件传递给子组件