PHP: Why does this expression evaluate to true?

I'm making a PHP login function and I've run into a problem. In one part of the script I'm testing whether all the information has been entered into the HTML form, which is supplied to the script through the $_POST variable. In one part, the script correctly evaluates whether only the username or only the password was entered, and it correctly evaluates whether the password is wrong, but when I enter the correct user/password it triggers the error "Username and password not entered". I can't figure it out. Is it possible for FALSE && FALSE to equal TRUE?

---EDIT----
OK, I see now that I should have included all the relevant files in this question. So here they are:

index.php
<?php
session_start();
if (isset($_SESSION['login_message'])) {
    $message = $_SESSION['login_message'];
    unset($_SESSION['login_message']);
}
?>
<html>
<head>
<?php
require_once("include/head.php");
?>
</head>
<body>
<form action="auth/login.php" method="post">
    <table>
        <tr>
            <td>
                <img src="graphics/znak_hrz.png" alt="Znak HRZ" style="height: 200px; padding: 10px;">
            </td>
            <td>
                <table style="padding: 10px;">
                    <tr>
                        <td><?php if (isset($message)) { echo $message; } ?></td>
                    </tr>
                    <tr>
                        <td>
                            <label for="username">Username:</label>
                            <input id="username" type="text" name="username" />
                        </td>
                    </tr>
                    <tr>
                        <td>
                            <label for="password">Password:</label>
                            <input id="password" type="password" name="password" />
                        </td>
                    </tr>
                    <tr>
                        <td style="text-align: center;">
                            <input type="submit" name="login" value="Login" />
                        </td>
                    </tr>
                </table>
            </td>
            <td>
                <img src="graphics/znak_eskadrile.png" alt="Znak eskadrile" style="height: 200px; padding: 10px;">
            </td>
        </tr>
    </table>
</form>
</body>
</html>
login.php
<?php
session_start();

// This script will deny access if following conditions are met in that order:
// - Username not entered
// - Password not entered
// - Username and password not entered
// - User doesn't exist in the database
// - User is deactivated in the database
// - The password is wrong
// Upon successful login, it will redirect user to secure/index.php and
// upon unsuccessful login it will return him to index.php for another try.

// If username is not set, set an error message
if (empty($_POST['username']) && !empty($_POST['password'])) {
    $_SESSION['login_message'] = "Username missing";
}

// If password is not set, set an error message
if (empty($_POST['password']) && !empty($_POST['username'])) {
    $_SESSION['login_message'] = "Password missing.";
}

//If username AND password are not set, set an error message
if (empty($_POST['username']) && empty($_POST['password'])) {
    $_SESSION['login_message'] = "Username and password empty.";
}

// Check if the username exists in the database and if the password is correct
if (!isset($_SESSION['login_message']) && !empty($_POST['username']) && !empty($_POST['password'])) {
    require_once("database.php");

    // Sanitize incoming username and password
    $username = filter_var($_POST['username'], FILTER_SANITIZE_STRING);
    $password = filter_var($_POST['password'], FILTER_SANITIZE_STRING);

    // Determine whether an account exists matching this username and password
    $stmt = $auth_db->prepare("SELECT uid, pid, password, access_category, last_log, active FROM " . TBL_USERS . " WHERE username = ?");

    // Bind the input parameters to the prepared statement
    $stmt->bind_param('s', $username);

    // Execute the query
    $stmt->execute();

    // Assign results of query to temporary variables
    $stmt->bind_result($uid, $pid, $db_password, $access_category, $last_log, $active);
    $stmt->fetch();

    // If user doesn't exist in the database, deny login
    if (!isset($uid)) {
        $_SESSION['login_message'] = "User doesn't exist.";
    }

    // If user is deactivated, deny login
    if (isset($uid) && !$active) {
        $_SESSION['login_message'] = "User is deactivated.";
    }

    // If the password is wrong, deny login
    if (isset($uid) && $active && $db_password != md5($password)) {
        $_SESSION['login_message'] = "Wrong password.";
    }

    if (!isset($_SESSION['login_message'])) {
        // Close previous statement
        $stmt->close();

        // Update the account's last_login column
        $stmt = $auth_db->prepare("UPDATE " . TBL_USERS . " SET last_log = NOW() WHERE username = ?");
        var_dump($stmt);
        $stmt->bind_param('s', $username);
        $stmt->execute();

        // Set session variable
        $_SESSION['username'] = $username;
        $_SESSION['uid'] = $uid;
        $_SESSION['pid'] = $pid;
        $_SESSION['last_log'] = $last_log;
        $_SESSION['active'] = $active;
        $_SESSION['access_category'] = $access_category;
    }
}

if (!isset($_SESSION['login_message'])) {
    header('Location: ../secure/index.php');
} else if (isset($_SESSION['login_message'])) {
    header('Location: ../index.php');
}
?>
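The problem was that the login.php script was executed twice, because the third line in secure/index.php is a leftover from another login system I was experimenting with. The second time the script is called, it has no $_POST data, so there is no username and password, and so the corresponding condition is triggered.

Reminds me that when I run into a problem, it's best to widen my view to the other files.

Because the query probably matched the values, it returned true; that's how programming works...

You don't seem to be clearing $_SESSION['login_message']

Side note: if this is for a live working site, I'd suggest you stop using MD5 as a password storage method; it's old (circa 1992) and considered broken. Use or PHP 5.5's function. For PHP < 5.5,

Also, from a security standpoint, you should consider returning exactly the same error message for the case where the user ID doesn't exist and the case where the user exists but the password is wrong. If a malicious user is trying to break into your system, letting the person at the keyboard know only gives them more information. They could try usernames all day and discover which ones are valid, for example,

Darhazer, I clear $_SESSION['login_message'] in another file, index.php. This is login.php, which is called by the form on index.php.

Good, but already checked.
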
secure/index.php
<?php
session_start();
require_once("../auth/login.php");
?>
<html>
<head>
<?php
#if($_SESSION['access_category'] == '0') {
# header('Location: eth93sl/');
#}
?>
</head>
<body>
<?php
echo "uid:" . $_SESSION['uid'] . "<BR>";
echo "username: " . $_SESSION['username'] . "<BR>";
echo "active: " . $_SESSION['active'] . "<BR>";
echo "last_log: " . $_SESSION['last_log'] . "<BR>";
echo "access_category: " . $_SESSION['access_category'] . "<BR>";
?>
</body>
</html>
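
The two points raised in the thread above (login.php running a second time without form data, and the side note about MD5 and identical error messages) can be shown in one check. This is an added example, not the asker's code: `attempt_login()`, `sample_users()` and `GENERIC_ERROR` are hypothetical names, the user list stands in for the database table, and PHP 7.4 or later is assumed.

```php
<?php
// Added example, not the asker's code. The user list stands in for the
// users table; usernames and passwords are constructed sample data.
const GENERIC_ERROR = 'Invalid username or password.';

function sample_users(): array
{
    return [
        'alice' => ['uid' => 1, 'active' => true,  'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        'bob'   => ['uid' => 2, 'active' => false, 'hash' => password_hash('hunter2', PASSWORD_DEFAULT)],
    ];
}

// Returns ['ok' => bool, 'message' => string, 'uid' => int|null].
function attempt_login(array $users, string $method, array $post): array
{
    // Only a form submission is a login attempt. If the file is pulled in
    // again on a GET request, nothing is checked and no error is set.
    if ($method !== 'POST') {
        return ['ok' => false, 'message' => '', 'uid' => null];
    }
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
        return ['ok' => false, 'message' => 'Username and password are required.', 'uid' => null];
    }
    // Unknown users are checked against a dummy hash so that both paths do
    // the same work before answering.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $user = $users[$username] ?? null;
    $hashOk = password_verify($password, $user['hash'] ?? $dummy);
    // Assumption of this example: a deactivated account also gets the generic message.
    if ($user === null || !$hashOk || !$user['active']) {
        return ['ok' => false, 'message' => GENERIC_ERROR, 'uid' => null];
    }
    return ['ok' => true, 'message' => '', 'uid' => $user['uid']];
}

$users = sample_users();
$cases = [
    ['POST', ['username' => 'alice',   'password' => 'correct horse']],
    ['POST', ['username' => 'alice',   'password' => 'wrong']],
    ['POST', ['username' => 'mallory', 'password' => 'wrong']],
    ['GET',  []],
];
foreach ($cases as [$method, $post]) {
    echo $method, ' ', json_encode($post), ' => ', json_encode(attempt_login($users, $method, $post)), PHP_EOL;
}
```

In the real script the caller would pass `$_SERVER['REQUEST_METHOD']` and `$_POST`, and a protected page would check the session for `uid` rather than including the login script again.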