php登录脚本-记住我 [英] php login script - remember me
问题描述
谁能看出这个登录脚本有什么问题:
Can anyone see anything wrong with this login script:
public function login($username, $pass, $remember) {
// check username and password with db
// else throw exception
$connect = new connect();
$conn = $connect->login_connect();
// check username and password
$result = $conn->query("select * from login where
username='".$username."' and
password=sha1('".$pass."')");
if (!$result) {
throw new depException('Incorrect username and password combination. Please try again.');
} else {
echo $username, $pass;
}
解释:
目前脚本允许任何事情通过.换句话说,对于传递给它的任何用户名和密码,查询都返回 true.我已经把 echo 语句作为检查 - 显然脚本会在正常情况下继续!
At the moment the script is allowing anything through. In other words the query is returning true for any username and password that are passed to it. I've put the echo statement just as a check - obviously the script would continue in normal circumstances!
我知道连接类和 login_connect 方法正在运行,因为我在运行良好的注册脚本中使用它们.depException 只是 Exception 类的扩展.
函数 login() 是包含 register() 的同一个类的一部分,该类工作正常.
我知道这两个变量($username 和 $pass)正在进入函数,因为 echo 语句正在准确地输出它们.(脚本的这一部分不需要 $remember 变量.它稍后用于记住我的过程).
我难住了.请帮忙!
I know that the connect class and login_connect method are working because I use them in a register script that is working fine. depException is just an extension of the Exception class.
The function login() is part of the same class that contains register() that is working fine.
I know that the two variables ($username and $pass) are getting to the function because the echo statement is outputting them accurately. (The $remember variable is not needed for this part of the script. It is used later for a remember me process).
I'm stumped. Please help!
感谢您的回复.我对查询返回的内容感到困惑.完整的脚本会检查返回的行数,这是应该进行检查的地方.现在一切正常,除了我的记住我功能.也许有人可以帮助解决这个问题?!?!这是完整的脚本:
Thanks for those responses. I was getting confused with what the query was returning. The complete script does check for how many rows are returned and this is where the checking should have been done. Everything is now working EXCEPT for my remember me function. Perhaps someone could help with that?!?! Here is the full script:
public function login($username, $pass, $remember) {
// check username and password with db
// else throw exception
$connect = new connect();
$conn = $connect->login_connect();
// check username and password
$result = $conn->query("select * from login where
username='".$username."' and
password=sha1('".$pass."')");
if (!$result) {
throw new depException('Incorrect username and password combination. Please try again.');
}
if ($result->num_rows>0) {
$row = $result->fetch_assoc();
//assign id to session
$_SESSION['user_id'] = $row[user_id];
// assign username as a session variable
$_SESSION['username'] = $username;
// start rememberMe
$cookie_name = 'db_auth';
$cookie_time = (3600 * 24 * 30);*/ // 30 days
// check to see if user checked box
if ($remember) {
setcookie ($cookie_name, 'username='.$username, time()+$cookie_time);
}
// If all goes well redirect user to their homepage.
header('Location: http://localhost/v6/home/index.php');
} else {
throw new depException('Could not log you in.);
}
}
非常感谢您的帮助.
更新 2!
感谢您的帮助,我已经完成了这个脚本的主要部分.但是,最后的记住我仍然不想工作.有人可以帮我解决一下吗?$username, $pass 和 $remember 都是我在将它们传递给函数之前分配的短变量名,以节省每次写入 $_POST['username'] 等.$remember 指的是一个复选框.
Thanks to your help I've got the main part of this script working. However, the remember me bit at the end still doesn't want to work. Could someone give me a hand to sort it out? $username, $pass and $remember are all short variable names that I assigned before passing them to the function to save writing $_POST['username'] etc. everytime. $remember refers to a checkbox.
推荐答案
$conn->query() 返回什么,一个 MySQL 资源对象,如 mysql_query() 呢?如果是这样,那么它总是会比较真".mysql_query() 仅在查询完全失败时返回 FALSE,比如它有语法错误或表不存在.
What does $conn->query() return, a MySQL resource object like mysql_query() does? If so then it'll always compare "true". mysql_query() only returns FALSE if the query completely fails, like it has a syntax error or a table doesn't exist.
要检查是否有任何结果,您需要尝试从结果集中获取一行,然后通过与 mysql_fetch_row() 是.
To check if you got any results you need to try to fetch a row from the result set and see if you get anything, via whatever your equivalent of mysql_fetch_row() is.
重要提示:您的脚本容易受到SQL 注入攻击,甚至只是像 o'neil 这样带有撇号的奇怪用户名.您应该使用 转义查询中的所有变量mysql_real_escape_string()(或等效的)以确保您的查询不会被特殊字符弄乱.或者,更好的是,使用看起来像
Important: Your script is vulnerable to SQL injection attacks, or even just odd usernames like o'neil with an apostrophe. You should escape all variables in a query with mysql_real_escape_string() (or equivalent) to make sure your query doesn't get messed up by special characters. Or, even better, use prepared statements which look like
select * from login where username=? and password=sha1(?)
<小时>
回复:更新
表单中的变量可通过 $_GET 或 $_POST 获得,具体取决于提交表单的方法.尝试 if (isset($_POST['remember'])) 以查看是否选中了该复选框.
Variables from a form are available via either $_GET or $_POST, depending on which method was used to submit the form. Try if (isset($_POST['remember'])) to see if that check box was checked.
重要提示:我看到您尝试使用一个空的 $remember 来查看复选框是否被选中.这向我表明您正在尝试利用 register_globals 功能,它使您的 GET 和 POST 变量可以通过常规变量名称访问.如果是这种情况,您应该注意 PHP 手册中的警告!
Important: I see that you tried to use a bare $remember to see if the check box was checked. That suggests to me that you are trying to take advantage of the register_globals feature in PHP which makes your GET and POST variables accessible via regular variable names. If that is the case you should heed the warning in the PHP manual!
[register_globals] 自 PHP 5.3.0 起已弃用,自 PHP 6.0.0 起已移除.强烈建议不要依赖此功能.
WARNING
[
register_globals] has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.
使用 $_GET 和 $_POST 代替.我可以告诉你如何让 if ($remember) 工作,实际上,但鉴于 register_globals 固有的邪恶,我不会!;-)
Use $_GET and $_POST instead. I could tell you how to make if ($remember) work, actually, but given the inherent evil-ness of register_globals I'm not gonna! ;-)
这篇关于php登录脚本-记住我的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
