Php 注册未验证密码的用户脚本
好的,我的用户注册脚本有点问题,出于某种原因,它没有检查表单字段pass1和pass2是否相同,尽管它在代码中,有什么想法吗?我将把注册代码完整地放在下面,供您审阅。我对PHP非常陌生,因此非常感谢您的任何建议,谢谢您的帮助。:-) 注册脚本Php 注册未验证密码的用户脚本,php,mysql,Php,Mysql,好的,我的用户注册脚本有点问题,出于某种原因,它没有检查表单字段pass1和pass2是否相同,尽管它在代码中,有什么想法吗?我将把注册代码完整地放在下面,供您审阅。我对PHP非常陌生,因此非常感谢您的任何建议,谢谢您的帮助。:-) 注册脚本 <?php ob_start(); // Start output buffering function isLoggedIn() { if(isset($_SESSION['valid']) && $_SESSION['v
<?php
ob_start(); // Start output buffering
function isLoggedIn()
{
if(isset($_SESSION['valid']) && $_SESSION['valid'])
return true;
return false;
}
session_start();
//if the user has not logged in
if(!isLoggedIn())
{
header('Location: ../index.php');
die();
}
?>
<?php require_once('../Connections/PropSuite.php'); ?>
<?php
error_reporting(E_ALL & ~E_NOTICE);
ini_set('display_errors', TRUE);
ini_set('display_startup_errors', TRUE);
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
if (PHP_VERSION < 6) {
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
}
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
}
return $theValue;
}
}
$colname_user = "-1";
if (isset($_SESSION['username'])) {
$colname_user = $_SESSION['username'];
}
mysql_select_db($database_Takeaway, $Takeaway);
$query_user = sprintf("SELECT type FROM admin_users WHERE username = %s", GetSQLValueString($colname_user, "text"));
$user = mysql_query($query_user, $Takeaway) or die(mysql_error());
$row_user = mysql_fetch_assoc($user);
$totalRows_user = mysql_num_rows($user);
// Username available.
//form begins
$user_type = $row_user['type'];
if ($user_type === 'admin-full')
{
//retrieve our data from POST
$name = $_POST['name'];
$username = $_POST['username'];
$email = $_POST['email'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
if($pass1 != $pass2)
header('Location: register-admin.php?pw=notmatched');
if(strlen($username) > 30)
header('Location: register-admin.php?username=toolong');
if(strlen($name) > 40)
header('Location: register-admin.php?name=toolong');
$hash = hash('sha256', $pass1);
//creates a 3 character sequence
function createSalt()
{
$string = md5(uniqid(rand(), true));
return substr($string, 0, 3);
}
$salt = createSalt();
$hash = hash('sha256', $salt . $hash);
mysql_select_db($database_Takeaway, $Takeaway);
//sanitize username
$username = mysql_real_escape_string($username);
$q = "SELECT id, username FROM admin_users WHERE username = '$username'";
$results = @mysql_query($q);
if(mysql_num_rows($results) > 0)
{
// Username exists.
header('Location: register-admin.php?username-taken');
}
else
{
$query = "INSERT INTO admin_users ( type, email, name, username, password, salt )
VALUES ( 'admin-full', '$email', '$name', '$username' , '$hash' , '$salt' );";
mysql_query($query);
mysql_close();
header('Location: ../main?NewUserAdded');
}
mysql_free_result($user);
}
else {
?>
You are not authorised to do that!
<?php } ?>
放一个die()代码>在标题之后('位置:register admin.php?pw=notmatched')因为脚本将继续以其他方式执行,并设置您拥有的任何其他头
像这样:
if($pass1 != $pass2) {
header('Location: register-admin.php?pw=notmatched');
die();
}
if(strlen($username) > 30) {
header('Location: register-admin.php?username=toolong');
die();
}
if(strlen($name) > 40) {
header('Location: register-admin.php?name=toolong');
die();
}
似乎您希望用户名值在查询数据库以获取用户信息时处于会话中。我不明白如果你只是发布一个表单,用户名在会话中会是什么样子。你的条件
if ($user_type === 'admin-full')
似乎它永远不会计算为真,因为您还没有从post数组中提取用户名并对其进行计算
注意,您还应该使用mysqli
或PDO
而不是mysql.*
函数,因为这些函数在PHP中已被弃用。Hi,是的,这是一个管理员用户添加另一个管理员用户,因此我需要只向拥有完整管理员帐户的人授予访问该页面的权限,该GetSQLValueString
功能绝对可怕。除了混淆你的不计后果的漠视之外,这还有什么作用?
if ($user_type === 'admin-full')