Javascript login page accepts any password


I have a XAMPP-based web server on which I installed an attendance system. I have 10 registered users who each log in separately to enter their attendance. The problem is that the login page accepts any password and never reports that the password is wrong. For example, if you enter the user ID john@abcd.com and the password gfjh, it accepts it and goes to the index page; the real password is 123456, but it accepts whatever you type. Please tell me how to fix this. It should say that you entered a wrong password and cannot log in.

The code is as follows: the complete sign-in.php

<?php
// Check if install.php is present
if(is_dir('install')) {
    header("Location: install/install.php");
} else {
    if(!isset($_SESSION)) session_start();

    // Access DB Info
    include('config.php');

    // Get Settings Data
    include ('includes/settings.php');
    $set = mysqli_fetch_assoc($setRes);

    // Include Functions
    include('includes/functions.php');

    // Include Sessions & Localizations
    include('includes/sessions.php');

    // Check if the User is all ready signed in
    if ((isset($_SESSION['tz']['userId'])) && ($_SESSION['tz']['userId'] != '')) {
        header('Location: index.php'); // no exit after the redirect: the rest of the script still runs
    }

    $msgBox = '';
    $installUrl = $set['installUrl'];
    $siteName   = $set['siteName'];
    $siteEmail  = $set['siteEmail'];

    // Account Log In
    if (isset($_POST['submit']) && $_POST['submit'] == 'signIn') {
        if($_POST['emailAddy'] == '') {
            $msgBox = alertBox($accEmailReq, "<i class='fa fa-times-circle'></i>", "danger");
        } else if($_POST['password'] == '') {
            $msgBox = alertBox($accPassReq, "<i class='fa fa-times-circle'></i>", "danger");
        } else {
            $usrEmail = htmlspecialchars($_POST['emailAddy']);

            // NOTE: string-concatenated query. htmlspecialchars() does not escape single
            // quotes unless ENT_QUOTES is passed (the default only since PHP 8.1), so a
            // quote in the email reaches the SQL; the prepared statement below is the safe form.
            $check = "SELECT userId, userFirst, userLast, isActive FROM users WHERE userEmail = '".$usrEmail."'";
            $res = mysqli_query($mysqli, $check) or die('-1' . mysqli_error($mysqli)); // mysqli_error() requires the link
            $row = mysqli_fetch_assoc($res);
            $count = mysqli_num_rows($res);

            if ($count > 0) {
                // If the account is Active - Allow the login
                if ($row['isActive'] == '1') {
                    $userEmail = htmlspecialchars($_POST['emailAddy']);
                    $password = encodeIt($_POST['password']);

                    if($stmt = $mysqli -> prepare("
                                            SELECT
                                                userId,
                                                userEmail,
                                                userFirst,
                                                userLast,
                                                location,
                                                superUser,
                                                isAdmin
                                            FROM
                                                users
                                            WHERE
                                                userEmail = ?
                                                AND password = ?
                    ")) {
                        $stmt -> bind_param("ss",
                                            $userEmail,
                                            $password
                        );
                        $stmt -> execute();
                        $stmt -> bind_result(
                                    $userId,
                                    $userEmail,
                                    $userFirst,
                                    $userLast,
                                    $location,
                                    $superUser,
                                    $isAdmin
                        );
                        $stmt -> fetch();
                        $stmt -> close();

                        // The login decision rests on $userId alone. fetch() assigns the bound
                        // variables only when a row matched, so whatever value $userId already
                        // had before this point (for example from an include) survives a failed lookup.
                        if (!empty($userId)) {
                            if(!isset($_SESSION))session_start();
                            $_SESSION['tz']['userId']       = $userId;
                            $_SESSION['tz']['userEmail']    = $userEmail;
                            $_SESSION['tz']['userFirst']    = $userFirst;
                            $_SESSION['tz']['userLast']     = $userLast;
                            $_SESSION['tz']['location']     = $location;
                            $_SESSION['tz']['superUser']    = $superUser;
                            $_SESSION['tz']['isAdmin']      = $isAdmin;

                            // Add Recent Activity
                            $activityType = '1';
                            $tz_uid = $userId;
                            $activityTitle = $userFirst.' '.$userLast.' '.$accSignInAct;
                            updateActivity($tz_uid,$activityType,$activityTitle);

                            // Update the Last Login Date for User
                            $sqlStmt = $mysqli->prepare("UPDATE users SET lastVisited = NOW() WHERE userId = ?");
                            $sqlStmt->bind_param('s', $userId);
                            $sqlStmt->execute();
                            $sqlStmt->close();

                            header('Location: index.php'); // no exit: the activity/update code above ran, but so does everything after this block
                        } else {
                            // Add Recent Activity
                            $activityType = '0';
                            $tz_uid = '0';
                            $activityTitle = $accSignInErrAct;
                            updateActivity($tz_uid,$activityType,$activityTitle);

                            $msgBox = alertBox($accSignInErrMsg, "<i class='fa fa-warning'></i>", "warning");
                        }
                    }
                } else {
                    // Add Recent Activity
                    $activityType = '0';
                    $tz_uid = $row['userId'];
                    $activityTitle = $row['userFirst'].' '.$row['userLast'].' '.$signInUsrErrAct;
                    updateActivity($tz_uid,$activityType,$activityTitle);

                    // If the account is not active, show a message
                    $msgBox = alertBox($inactAccMsg, "<i class='fa fa-warning'></i>", "warning");
                }
            } else {
                // Add Recent Activity
                $activityType = '0';
                $tz_uid = '0';
                $activityTitle = $noAccSignInErrAct;
                updateActivity($tz_uid,$activityType,$activityTitle);

                // No account found
                $msgBox = alertBox($noAccSignInErrMsg, "<i class='fa fa-times-circle'></i>", "danger");
            }
        }
    }

    // Reset Account Password
    if (isset($_POST['submit']) && $_POST['submit'] == 'resetPass') {
        // Validation
        if ($_POST['accountEmail'] == "") {
            $msgBox = alertBox($accEmailReq, "<i class='fa fa-times-circle'></i>", "danger");
        } else {
            $usrEmail = htmlspecialchars($_POST['accountEmail']);

            $query = "SELECT userEmail FROM users WHERE userEmail = ?";
            $stmt = $mysqli->prepare($query);
            $stmt->bind_param("s",$usrEmail);
            $stmt->execute();
            $stmt->bind_result($emailUser);
            $stmt->store_result();
            $numrows = $stmt->num_rows();

            if ($numrows == 1) {
                // Generate a RANDOM Hash for a password
                // Generate a random password. uniqid(rand()) is time-based and rand() is not
                // a CSPRNG; bin2hex(random_bytes(4)) (PHP 7+) gives an unpredictable 8-char value
                $randomPassword = uniqid(rand());

                // Take the first 8 digits and use them as the password we intend to email the Employee
                $emailPassword = substr($randomPassword, 0, 8);

                // Encrypt $emailPassword for the database
                $newpassword = encodeIt($emailPassword);

                //update password in db
                $updatesql = "UPDATE users SET password = ? WHERE userEmail = ?";
                $update = $mysqli->prepare($updatesql);
                $update->bind_param("ss",
                                        $newpassword,
                                        $usrEmail
                                    );
                $update->execute();

                // NOTE: same concatenated-query pattern as the first lookup above; a prepared
                // statement (as used for the UPDATE just before) is the safe form
                $qry = "SELECT userId, userFirst, userLast, isAdmin FROM users WHERE userEmail = '".$usrEmail."'";
                $results = mysqli_query($mysqli, $qry) or die('-2' . mysqli_error($mysqli)); // mysqli_error() requires the link
                $row = mysqli_fetch_assoc($results);
                $theUser = $row['userId'];
                $isAdmin = $row['isAdmin'];
                $userName = $row['userFirst'].' '.$row['userLast'];

                if ($isAdmin == '1') {
                    // Add Recent Activity
                    $activityType = '3';
                    $activityTitle = $userName.' '.$admPassResetAct;
                    updateActivity($theUser,$activityType,$activityTitle);
                } else {
                    // Add Recent Activity
                    $activityType = '3';
                    $activityTitle = $userName.' '.$usrPassResetAct;
                    updateActivity($theUser,$activityType,$activityTitle);
                }

                $subject = $siteName.' '.$resetPassEmailSub;

                $message = '<html><body>';
                $message .= '<h3>'.$subject.'</h3>';
                $message .= '<p>'.$resetPassEmail1.'</p>';
                $message .= '<hr>';
                $message .= '<p>'.$emailPassword.'</p>';
                $message .= '<hr>';
                $message .= '<p>'.$resetPassEmail2.'</p>';
                $message .= '<p>'.$resetPassEmail3.' '.$installUrl.'sign-in.php</p>';
                $message .= '<p>'.$emailTankYouTxt.'<br>'.$siteName.'</p>';
                $message .= '</body></html>';

                $headers = "From: ".$siteName." <".$siteEmail.">\r\n";
                $headers .= "Reply-To: ".$siteEmail."\r\n";
                $headers .= "MIME-Version: 1.0\r\n";
                $headers .= "Content-Type: text/html; charset=UTF-8\r\n";

                mail($usrEmail, $subject, $message, $headers);

                $msgBox = alertBox($resetPassMsg1, "<i class='fa fa-check-square'></i>", "success");
                $stmt->close();
            } else {
                // Add Recent Activity
                $activityType = '1';
                $tz_uid = '0';
                $activityTitle = $resetPassMsgAct;
                updateActivity($tz_uid,$activityType,$activityTitle);

                // No account found
                $msgBox = alertBox($resetPassMsg2, "<i class='fa fa-times-circle'></i>", "danger");
            }
        }
    }
} // closes the else branch opened after the install check
Answer:

Place $stmt->store_result() after $stmt->execute() and before $stmt->bind_result(..). Make sure $stmt->close() is placed at the end of all the conditions.

Comment: In if (!empty($userId)) {…}: I added $stmt->store_result(); check what your $userId actually returns.

Comment: $stmt->store_result() is after $stmt->execute() and before $stmt->bind_result(..), and $stmt->close() is at the end of all the conditions. But all users can still log in with every password, like klklfjnbjfhg, while the original password is 123456.

Answer:

Why do you run a second SELECT on users? $row should already contain all the information; just select the password field as well. The second thing I see is that the password check is based on if(!empty($userId)), which in turn is based on bind_result. The docs say bind_result returns false if the binding fails (i.e. no rows returned). Isn't that the if that decides between login and failure? In general I would change the logic to select all the required fields only once. Then (1) check the row count, (2) check active, (3) encode and compare... If any of those fails, set a message and return. If you are going to redirect with header(), you should exit right after it; otherwise you execute the rest of the page for no reason.

Comment: All users can still log in with every password, like klklfjnbjfhg, while the original password is 123456. (Can you edit the entire code properly and tell me??) I'm not a developer :(
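The following is an added example, not the original sign-in.php and not the project's own code. It rewrites the "Account Log In" block the way the second answer suggests: one prepared SELECT that also returns the password column, then the row-count, active and password checks done in PHP, and an exit after the redirect. It assumes the same environment as the posted file: $mysqli from config.php, an already started session, the helper functions encodeIt(), alertBox() and updateActivity(), and the message strings ($accSignInErrMsg and so on) from the includes. It also assumes encodeIt() is deterministic (the original compares its output inside SQL, so it already relies on that) and that the mysqli driver is mysqlnd, so that get_result() is available.

```php
<?php
// Added example: replacement "Account Log In" block for sign-in.php (not the original code).
// Assumed from the posted file: $mysqli, encodeIt(), alertBox(), updateActivity(),
// the $acc*/$noAcc*/$inact*/$signInUsrErrAct message strings, and an active session.

/**
 * Look the account up once and decide in PHP whether the login succeeds.
 * Returns ['status' => 'ok'|'not_found'|'inactive'|'bad_password', 'user' => array|null].
 */
function authenticateUser(mysqli $mysqli, string $email, string $plainPassword): array
{
    $stmt = $mysqli->prepare(
        "SELECT userId, userEmail, userFirst, userLast, location, superUser,
                isAdmin, isActive, password
         FROM users WHERE userEmail = ? LIMIT 1"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $result = $stmt->get_result();                  // get_result() needs mysqlnd (assumed)
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();

    if (!$row) {                                    // (1) row count: no such account
        return ['status' => 'not_found', 'user' => null];
    }
    if ((string) $row['isActive'] !== '1') {        // (2) active flag
        return ['status' => 'inactive', 'user' => $row];
    }
    // (3) encode and compare here, in constant time. The decision no longer depends on
    //     a SQL "AND password = ?" clause or on a $userId variable set somewhere else.
    //     If encodeIt() were a salted password_hash(), use password_verify() instead.
    $stored = (string) $row['password'];
    $given  = (string) encodeIt($plainPassword);
    if ($stored === '' || !hash_equals($stored, $given)) {
        return ['status' => 'bad_password', 'user' => $row];
    }
    unset($row['password']);                        // keep the stored hash out of the session
    return ['status' => 'ok', 'user' => $row];
}

// Account Log In
if (isset($_POST['submit']) && $_POST['submit'] === 'signIn') {
    if (($_POST['emailAddy'] ?? '') === '') {
        $msgBox = alertBox($accEmailReq, "<i class='fa fa-times-circle'></i>", "danger");
    } elseif (($_POST['password'] ?? '') === '') {
        $msgBox = alertBox($accPassReq, "<i class='fa fa-times-circle'></i>", "danger");
    } else {
        // htmlspecialchars() is kept only because the original stores emails that way
        $auth = authenticateUser($mysqli, htmlspecialchars($_POST['emailAddy']), $_POST['password']);
        $u    = $auth['user'];

        switch ($auth['status']) {
            case 'ok':
                session_regenerate_id(true);        // fresh session id once the user is authenticated
                $_SESSION['tz'] = [
                    'userId'    => $u['userId'],
                    'userEmail' => $u['userEmail'],
                    'userFirst' => $u['userFirst'],
                    'userLast'  => $u['userLast'],
                    'location'  => $u['location'],
                    'superUser' => $u['superUser'],
                    'isAdmin'   => $u['isAdmin'],
                ];
                updateActivity($u['userId'], '1', $u['userFirst'] . ' ' . $u['userLast'] . ' ' . $accSignInAct);
                $upd = $mysqli->prepare("UPDATE users SET lastVisited = NOW() WHERE userId = ?");
                $upd->bind_param('s', $u['userId']);
                $upd->execute();
                $upd->close();
                header('Location: index.php');
                exit;                               // nothing after a redirect may run
            case 'inactive':
                updateActivity($u['userId'], '0', $u['userFirst'] . ' ' . $u['userLast'] . ' ' . $signInUsrErrAct);
                $msgBox = alertBox($inactAccMsg, "<i class='fa fa-warning'></i>", "warning");
                break;
            case 'not_found':
                updateActivity('0', '0', $noAccSignInErrAct);
                $msgBox = alertBox($noAccSignInErrMsg, "<i class='fa fa-times-circle'></i>", "danger");
                break;
            default: // bad_password
                updateActivity('0', '0', $accSignInErrAct);
                $msgBox = alertBox($accSignInErrMsg, "<i class='fa fa-warning'></i>", "warning");
                break;
        }
    }
}
```

Before swapping the block in, the one check worth doing on the original file is to add var_dump(isset($userId)) just before the second prepared statement: if it prints true, one of the includes already sets $userId, and the original if (!empty($userId)) would pass no matter what the query returned, which matches the symptom described. Two caveats on the example itself: the distinct "no account" and "wrong password" messages are kept from the original, but they let anyone probe which emails are registered, and collapsing them into one message is the usual hardening; and hash_equals() is only the right comparison while encodeIt() is an unsalted, deterministic transform, which is all the posted code supports.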