时间戳

首页 > 解决方案 > PDO 读取数据库,但不登录系统

php - PDO 读取数据库,但不登录系统

问题描述

我目前有一个登录系统,我想将其从 Mysqli 转换为 PDO。

我目前有一个带有 phpMyAdmin/MySQL 附加数据库的网站。

我尝试转换所有内容,现在我将向您展示系统的 LOGIN.php 部分,因为我还没有触及注册部分。

这就是我所拥有的。

LOGIN.INC.PHP

    <?php

require_once 'dbh.inc.php';

try {
    $handler = new PDO("mysql:host=$servername;dbname=$dbname",
    $username,
    $password,
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
  } catch(PDOException $e){
    echo $e->getName();
    die();
  }

//first we start a session
session_start();

//We then check if the user has clicked the login button
if (isset($_POST['submit'])) {

    //Then we require the database connection
    //require_once 'dbh.inc.php';
    //And we get the data from the login form
    $name = $_POST['name'];
    $password = $_POST['password'];

    //Error handlers
    //Error handlers are important to avoid any mistakes the user might have made when filling out the form!
    //Check if inputs are empty
    if (empty($name) || empty($password)) {
        header("Location: ../index.php?login=empty");
        exit();
    }   
    } else {
        $stmt = $db->prepare("SELECT * FROM users WHERE user_name=:name");
        $stmt->bindParam(':name', $name, PDO::PARAM_STR);

        if ($stmt->execute()) {
            header("location: ../index.php?login=error");
            exit();
        } else { 
            if ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
            //de-hashing the password
            $hashedpasswordCheck = password_verify($password, $row['user_password']);
            if ($hashedpasswordCheck == false) {
              header("location: ../index.php?login=error");
              exit();

            } elseif ($hashedpasswordCheck == true) {
                //Log in the user here
                $_SESSION['u_id'] = $row['user_id'];
                $_SESSION['u_name'] = $row['user_name'];
                header("location: ../index.php?login=success");
                exit();
              }
            } else {
                header("location: ../index.php?login=error");
                exit();
              }     
        }  
      }

DBH.INC.PHP

    <?php

$servername = "localhost";
$username = "root";
$password = "";
$dbname = "loginsystem";


try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname",
    $username,
    $password,
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));

    $stmt = $conn->prepare("SHOW DATABASES;");

    $stmt->execute();
    $stmt->setFetchMode(PDO::FETCH_ASSOC);
    $result = $stmt->fetchAll();
    print_r($result);


}
catch(PDOException $e) {
    echo $e->getMessage();
}

$conn = null;

当我尝试登录时,我被重定向到此 url:

http://localhost/php44/includes/login.inc.php

并接收此打印的消息/错误。

Array ( [0] => Array ( [Database] => imgupload ) [1] => Array ( [Database] => information_schema ) [2] => Array ( [Database] => loginsystem ) [3] => Array ( [Database] => mysql ) [4] => Array ( [Database] => performance_schema ) [5] => Array ( [Database] => phpmyadmin ) [6] => Array ( [Database] => test ) )

我应该怎么做才能解决这个问题,以便我的登录有效?

标签: phphtmlcssmysqlpdo

解决方案

您的代码容易受到Html Elements Injection 和 session fixation 攻击。我已经实施strip_tags()以防止 html 元素注入攻击,并且还实施session_regenerate_id();以防止会话固定攻击。

同样,由于您已登录,您只需在验证用户名和密码后立即初始化会话。

至于我,我更喜欢使用 PDO 数组方法。无论如何,我提供了两个解决方案。我首先处理您的代码,然后对其进行适当的修改。确保数据库凭据正常

你的代码

<?php

//db connect starts
$db = new PDO (
    'mysql:host=localhost;dbname=loginsystem;charset=utf8', 
    'root', // username

    '' // password
);



//We then check if the user has clicked the login button
if (isset($_POST['submit'])) {
    $name = $_POST['name'];
    $password = $_POST['password'];

    if ($name =='' && $password =='') {
        header("Location: ../index.php?login=empty");
        exit();
    } 


        $stmt = $db->prepare("SELECT * FROM users WHERE user_name=:name");
        $stmt->bindParam(':name', $name, PDO::PARAM_STR);
        $stmt->execute();

$count = $stmt->rowCount();
if( $count == 1 ) {
$row = $stmt->fetch();
if(password_verify($password,$row['password'])){
            echo "Password verified and ok";

// initialize session if things where ok.
session_start();

//Prevent session fixation attack
session_regenerate_id();

$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_name'] = $row['user_name'];
header("location: ../index.php?login=success");
exit();


        }
        else{
            echo "Wrong Password details";
        }
}
else {

echo "User does not exist";
}
}
?>

我的代码

<?php

//if (isset($_POST['submit'])) {
if ($_POST['name'] !='' && $_POST['password']) {

//connect 
$db = new PDO (
    'mysql:host=localhost;dbname=loginsystem;charset=utf8', 
    'root', // username

    '' // password
);

$name = strip_tags($_POST['name']);
$password = strip_tags($_POST['password']);

if ($name == ''){
echo "Username is empty";
exit();
}
if ($password == ''){
echo "password is empty";
exit();
}

$result = $db->prepare('SELECT * FROM users where user_name = :name');
        $result->execute(array(
            ':user_name' => $name));
$count = $result->rowCount();
if( $count == 1 ) {
$row = $result->fetch();

  if(password_verify($password,$row['password'])){
            echo "Password verified and ok";

// initialize session if things where ok.
session_start();

//Prevent session fixation attack
session_regenerate_id();

$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_name'] = $row['user_name'];
header("location: ../index.php?login=success");
exit();


        }
        else{
            echo "Wrong Password details";
        }
}
else {

echo "User does not exist";
}

}

?>

推荐阅读