PHP won't direct me to the 'action' page
I have two pages (signin.php, validateIn.php). The form is submitted by the user on the 'signin' page and is then validated on the 'validateIn' page. The problem is that the server does not redirect me to the 'validateIn' page; it just reloads the current page, 'signin'. I have included the action attribute in the form tag. I have tried using the header('Location: **.php') function. None of these work for me. I have included some 'echo' statements to understand the path the compiler takes.

Tags: php, html
To add a hashed version of the user's password to the database, semi-pseudocode might be:
<form method='post'>
<label>username:<input type='text' name='username' /></label>
<label>studentNumber:<input type='text' name='studentNumber' /></label>
<label>password:<input type='password' name='pass' /></label>
<input type='submit' />
</form>
<?php
/* registration: assumes an existing mysqli connection in $db */
if( $_SERVER['REQUEST_METHOD']=='POST' ){
$args=array(
'studentNumber' => FILTER_SANITIZE_STRING, /* deprecated since PHP 8.1 */
'username' => FILTER_SANITIZE_STRING,
'pass' => FILTER_SANITIZE_STRING
);
$_POST=filter_input_array( INPUT_POST, $args );
extract( $_POST );
$pwdhash=password_hash( $pass, PASSWORD_DEFAULT );
/* the column assignments must be comma separated */
$sql='insert into `student` set `username`=?, `student_number`=?, `password`=?';
$stmt=$db->prepare( $sql );
$stmt->bind_param('sss', $username, $studentNumber, $pwdhash );
$stmt->execute();
}
?>
Regarding the logic used in the form and the validateIn.php script - that seems fine to me (with all the db calls removed) - hope all this proves to be of some help, but I'd say you are wrong in thinking that security isn't important in the project because it is only a school exercise.... it's never too early to adopt best practices. ;-)
Your html is invalid due to the nature of the label/strong tags! `!empty('name') && !empty('pass')` ~ are these constants defined elsewhere, or should they be $_POST variables?

I removed the tags from the 'signin' page but it still doesn't work...

Don't use md5 for password hashing because it is insecure - use password_hash and password_verify instead. Your sql is wide open to sql injection attacks - use prepared statements rather than embedding variables in the sql.

I tried that approach but it didn't work either. The problem is that the server won't direct me to the 'validateIn' page unless the two fields 'studentNumber, password' are empty, meaning that if they are not empty the server just reloads the current page 'signin'.

That is not the case. To be redirected back to the signin page, the sql query must fail, so that header('Location:signin.php') gets called.
<?php
// validateIn.php as posted in the question (md5 and the interpolated sql are kept as posted; see the comments above)
if (isset($_POST['signin'])) { //if 1
echo "if number 1 <br>";
if(!empty($_POST['studentNumber']) && !empty($_POST['pass']) ){ //if 2
echo "if number 2";
// mysqli_real_escape_string() needs the connection as its first argument
$number = mysqli_real_escape_string($conn, $_POST['studentNumber']);
$pass = mysqli_real_escape_string($conn, md5($_POST['pass']));
$sql = "SELECT * FROM students WHERE student_number=$number AND password=$pass";
$result = mysqli_query($conn, $sql); // was $$conn, a variable variable, which never resolves to the connection
if (mysqli_num_rows($result) == 1) { //if 3
echo "if number 3";
header('Location:home.php');
} else { //else 1
echo "else number 1";
header('Location:signin.php');
}
}
}
else{
echo "else number 2";
}
<form action="validateIn.php" method="POST">
<label>
<strong>Student Number: </strong>
<input type="text" name="studentNumber" value="<?php echo isset( $_POST['studentNumber'] ) ? htmlspecialchars( $_POST['studentNumber'], ENT_QUOTES ) : '' ?>" />
</label>
<br />
<label>
<strong>Password:</strong>
<input type="password" name="pass" />
</label>
<br />
<input type="submit" value="Sign In" />
</form>
<?php
/* validateIn.php logic: assumes an existing mysqli connection in $db */
if( $_SERVER['REQUEST_METHOD']=='POST' ){
$args=array(
'studentNumber' => FILTER_SANITIZE_STRING, /* deprecated since PHP 8.1 */
'pass' => FILTER_SANITIZE_STRING
);
$_POST=filter_input_array( INPUT_POST, $args );
extract( $_POST );
if( isset( $studentNumber, $pass ) ){
$sql='select `password` from `student` where `student_number`=?';
$stmt=$db->prepare( $sql );
$stmt->bind_param( 's', $studentNumber );
$res=$stmt->execute();
if( $res ){
$stmt->store_result();
$stmt->bind_result( $pwdhash );
/* only verify when exactly one row came back, otherwise $pwdhash is unset */
$found=( $stmt->num_rows==1 && $stmt->fetch() );
$stmt->free_result();
$stmt->close();
/* password_verify() returns a bool; do not compare it against the hash */
if( $found && password_verify( $pass, $pwdhash ) ){
/* ok - redirect accordingly */
}else{
/* bogus - */
}
}
}
}
?>
<?php
if( $_SERVER['REQUEST_METHOD']=='POST' ){
/* POST to same page to emulate posting to validateIn.php */
if( isset( $_POST['signin'] ) ) {
echo "if number 1 <br>";
if( isset( $_POST['studentNumber'], $_POST['pass'] ) && !empty( $_POST['studentNumber'] ) && !empty( $_POST['pass'] ) ){
echo "if number 2";
} else {
echo 'Bogus - empty or missing fields';
}
} else{
echo "else number 2";
}
}
?>
<!DOCTYPE html>
<html lang='en'>
<head>
<meta charset='utf-8' />
<title></title>
</head>
<body>
<form method="POST">
<label>
<strong>Student Number: </strong>
<input type="text" name="studentNumber" value="<?php echo isset( $_POST['studentNumber'] ) ? htmlspecialchars( $_POST['studentNumber'], ENT_QUOTES ) : '' ?>" />
</label>
<br />
<label>
<strong>Password:</strong>
<input type="password" name="pass" />
</label>
<br />
<input type="submit" name='signin' value="Sign In" />
</form>
</body>
</html>
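A complete validateIn.php putting the answer's pieces together (prepared statement, password_verify, then the header('Location: ...') redirect the question is about). This is an added example, not code from the question or the answer; it assumes a mysqli connection in `$db` created by a hypothetical db.php, and the `student` table from the answer. Note that no output is echoed before header() is called, and that the script exits right after it.

```php
<?php
// Added example, not the original post's code. Assumes db.php (hypothetical)
// creates a mysqli connection in $db, and a `student` table whose `password`
// column holds password_hash() values, as in the answer above.
declare(strict_types=1);
require __DIR__ . '/db.php';
session_start();

function redirect(string $to): void
{
    // Nothing may be output before header(), or the Location header is not
    // sent; exit so that nothing after a failed login keeps rendering.
    header('Location: ' . $to, true, 303);
    exit;
}

function checkStudent(mysqli $db, string $studentNumber, string $pass): bool
{
    $pwdhash = null;
    $stmt = $db->prepare('SELECT `password` FROM `student` WHERE `student_number` = ?');
    $stmt->bind_param('s', $studentNumber);
    $stmt->execute();
    $stmt->bind_result($pwdhash);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    // Verify against a throwaway hash for unknown users so response time does
    // not reveal whether the student number exists.
    $hash = $found ? $pwdhash : password_hash('not-a-real-password', PASSWORD_DEFAULT);
    return password_verify($pass, $hash) && $found;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    redirect('signin.php');
}

// Reject non-string (array) input instead of casting it.
$studentNumber = is_string($_POST['studentNumber'] ?? null) ? trim($_POST['studentNumber']) : '';
$pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';

if ($studentNumber === '' || $pass === '') {
    redirect('signin.php?error=missing');
}

if (checkStudent($db, $studentNumber, $pass)) {
    session_regenerate_id(true);            // new session id on login
    $_SESSION['student_number'] = $studentNumber;
    redirect('home.php');
}

redirect('signin.php?error=invalid');
```

The signin.php form must keep `action="validateIn.php"` and must not contain its own POST handler, otherwise the browser posts to signin.php and simply re-renders it.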