Php 无法验证是否正确?为什么?PDO新手
当我有一个空字段或用户名错误或不匹配时,我似乎无法正确验证。请任何帮助或指点我都会很有帮助。我试过了(空的,但当我填写一个字段而另一个字段为空时,它似乎不起作用。它表示所有字段都为空。对于错误的凭证,它根本不起作用 INDEX.PHPPhp 无法验证是否正确?为什么?PDO新手,php,validation,oop,pdo,Php,Validation,Oop,Pdo,当我有一个空字段或用户名错误或不匹配时,我似乎无法正确验证。请任何帮助或指点我都会很有帮助。我试过了(空的,但当我填写一个字段而另一个字段为空时,它似乎不起作用。它表示所有字段都为空。对于错误的凭证,它根本不起作用 INDEX.PHP <?php session_start(); include_once 'php/classes/class.user.php'; $user = new User(); $log = $_SESSION['uid']; if ($user->ge
<?php
session_start();
include_once 'php/classes/class.user.php';
$user = new User();
$log = $_SESSION['uid'];
if ($user->get_session($log)){
header("Location: profile.php?uid=".$log."");
}
if (isset($_REQUEST['submit'])) {
extract($_REQUEST);
$login = $user->check_login($emailusername, $password);
if(!empty($login)){
if($emailusername != $login){
if($password != $login){
if ($login) {
// Registration Success
$log_id = $_SESSION['uid'];
header("location: profile.php?uid=".$log_id."");
}
}else
echo "Incorrect Password";
}else
echo "Incorrect Email";
}else
echo "Fill in fields";
}
?>
<?php
include "db_config.php";
class User{
public $db;
public function __construct(){
$this->db = new mysqli(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_DATABASE);
if(mysqli_connect_errno()) {
echo "Error: Could not connect to database.";
exit;
}
}
/*** for login process ***/
public function check_login($emailusername, $password){
$password = md5($password);
$sql2="SELECT uid from users WHERE uemail='$emailusername' or uname='$emailusername' and upass='$password'";
//checking if the username is available in the table
$result = mysqli_query($this->db,$sql2);
$user_data = mysqli_fetch_array($result);
$count_row = $result->num_rows;
if ($count_row == 1) {
// this login var will use for the session thing
session_start();
$emaildb == $_SESSION['uemail'];
$_SESSION['login'] = true;
$_SESSION['uid'] = $user_data['uid'];
return true;
}
else{
return false;
}
}
/*** for showing the username or fullname ***/
public function get_fullname($uid){
$sql = "SELECT * FROM users WHERE uid = $uid";
$result = mysqli_query($this->db, $sql);
$user_data = mysqli_fetch_array($result);
echo $user_data['fullname'], "<br/>";
echo $user_data['uemail'], "<br/>";
echo $user_data['uid'], "<br/>";
}
public function check_user($uid){
$sql5 = "SELECT * from users WHERE uid='$uid'";
$result1 = mysqli_query($this->db, $sql5);
$count_row1 = $result1->num_rows;
return ($count_row1 == 1);
}
/*** starting the session ***/
public function get_session(){
return $_SESSION['login'];
}
public function user_logout() {
$_SESSION['login'] = FALSE;
session_destroy();
}
}
USERS.PHP
<?php
session_start();
include_once 'php/classes/class.user.php';
$user = new User();
$log = $_SESSION['uid'];
if ($user->get_session($log)){
header("Location: profile.php?uid=".$log."");
}
if (isset($_REQUEST['submit'])) {
extract($_REQUEST);
$login = $user->check_login($emailusername, $password);
if(!empty($login)){
if($emailusername != $login){
if($password != $login){
if ($login) {
// Registration Success
$log_id = $_SESSION['uid'];
header("location: profile.php?uid=".$log_id."");
}
}else
echo "Incorrect Password";
}else
echo "Incorrect Email";
}else
echo "Fill in fields";
}
?>
<?php
include "db_config.php";
class User{
public $db;
public function __construct(){
$this->db = new mysqli(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_DATABASE);
if(mysqli_connect_errno()) {
echo "Error: Could not connect to database.";
exit;
}
}
/*** for login process ***/
public function check_login($emailusername, $password){
$password = md5($password);
$sql2="SELECT uid from users WHERE uemail='$emailusername' or uname='$emailusername' and upass='$password'";
//checking if the username is available in the table
$result = mysqli_query($this->db,$sql2);
$user_data = mysqli_fetch_array($result);
$count_row = $result->num_rows;
if ($count_row == 1) {
// this login var will use for the session thing
session_start();
$emaildb == $_SESSION['uemail'];
$_SESSION['login'] = true;
$_SESSION['uid'] = $user_data['uid'];
return true;
}
else{
return false;
}
}
/*** for showing the username or fullname ***/
public function get_fullname($uid){
$sql = "SELECT * FROM users WHERE uid = $uid";
$result = mysqli_query($this->db, $sql);
$user_data = mysqli_fetch_array($result);
echo $user_data['fullname'], "<br/>";
echo $user_data['uemail'], "<br/>";
echo $user_data['uid'], "<br/>";
}
public function check_user($uid){
$sql5 = "SELECT * from users WHERE uid='$uid'";
$result1 = mysqli_query($this->db, $sql5);
$count_row1 = $result1->num_rows;
return ($count_row1 == 1);
}
/*** starting the session ***/
public function get_session(){
return $_SESSION['login'];
}
public function user_logout() {
$_SESSION['login'] = FALSE;
session_destroy();
}
}
$login
是一个布尔变量,而$emailusername
和$password
是字符串,为什么要比较它们呢。根据您拥有的,这是您需要的
session_start();
include_once 'php/classes/class.user.php';
$user = new User();
// You need a conditional incase this session isn't set
$log = (isset($_SESSION['uid']))? $_SESSION['uid']:false;
if($log !== false && $user->get_session($log)){
header("Location: profile.php?uid=".$log."");
exit;
}
if(isset($_POST['submit'])) {
// This function should be validating your login so you don't need
// any comparisons after the fact.
$login = $user->check_login($_POST['email'], $_POST['password']);
if($login !== false)
header("location: profile.php?uid=".$log_id."");
exit;
else {
foreach($user->error as $kind => $err) {
echo '<h2>'.$kind.'</h2>'.'<p>'.$err.'</p>';
}
}
}
session_start();
包括“php/classes/class.user.php”;
$user=新用户();
//如果未设置此会话,则需要一个条件
$log=(isset($\u SESSION['uid'])?$\u SESSION['uid']:false;
如果($log!==false&&$user->get_会话($log)){
标题(“位置:profile.php?uid=“.log.”);
出口
}
如果(isset($_POST['submit'])){
//此函数应验证您的登录,因此您不需要
//事后的任何比较。
$login=$user->check_-login($_-POST['email'],$_-POST['password']);
如果($login!==false)
标题(“位置:profile.php?uid=“.log_id.”);
出口
否则{
foreach($user->error as$kind=>$err){
回显“.$kind.”.“.$err.””;
}
}
}
您的用户类:如果愿意,您可以将错误报告放入此类中
class User{
public $db;
public $error;
public function __construct(){
$this->db = new mysqli(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_DATABASE);
if(mysqli_connect_errno()) {
$this->error['db'] = "Error: Could not connect to database.";
echo $this->error['db'];
exit;
}
}
/*** for login process ***/
public function check_login($emailusername='', $password=''){
// Validate that your email is a real one
if(filter_var($emailusername,FILTER_VALIDATE_EMAIL) !== false) {
$password = md5($password);
// --> You can prepare, bind, and execute your values here replacing what you have now....<--
$sql2 = "SELECT uid from users WHERE uemail='$emailusername' or uname='$emailusername' and upass='$password'";
//checking if the username is available in the table
$result = mysqli_query($this->db,$sql2);
$user_data = mysqli_fetch_array($result);
$count_row = $result->num_rows;
if ($count_row == 1) {
$emaildb == $_SESSION['uemail'];
// this login var will use for the session thing
$_SESSION['username'] = $user_data['uemail'];
// $_SESSION['uemail'] = $user_data['uemail'];
$_SESSION['uid'] = $user_data['uid'];
$_SESSION['login'] = true;
}
else
$this->error['account'] = 'ERROR: Invalid Username/Password';
}
else
$this->error['email'] = 'ERROR: Invalid Email Address';
return (!isset($_SESSION['uemail']))? false:true;
}
/*** for showing the username or fullname ***/
public function get_fullname($uid){
// --> You can prepare, bind, and execute your values here replacing what you have now....<--
$sql = "SELECT * FROM users WHERE uid = $uid";
$result = mysqli_query($this->db, $sql);
$user_data = mysqli_fetch_array($result);
echo $user_data['fullname'], "<br/>";
echo $user_data['uemail'], "<br/>";
echo $user_data['uid'], "<br/>";
}
public function check_user($uid){
// --> You can prepare, bind, and execute your values here replacing what you have now....<--
$sql5 = "SELECT * from users WHERE uid='$uid'";
$result1 = mysqli_query($this->db, $sql5);
$count_row1 = $result1->num_rows;
return ($count_row1 == 1);
}
/*** starting the session ***/
public function get_session(){
return $_SESSION['login'];
}
public function user_logout() {
$_SESSION['login'] = FALSE;
session_destroy();
}
}
类用户{
公帑$db;
公共错误;
公共函数构造(){
$this->db=newmysqli(db\u服务器、db\u用户名、db\u密码、db\u数据库);
if(mysqli\u connect\u errno()){
$this->error['db']=“错误:无法连接到数据库。”;
echo$this->错误['db'];
出口
}
}
/***用于登录过程***/
公共函数检查\u登录($emailusername='',$password=''){
//验证您的电子邮件是否真实
if(filter\u var($emailusername,filter\u VALIDATE\u EMAIL)!==false){
$password=md5($password);
//-->您可以在此处准备、绑定和执行您的值,以替换现有值….db,$sql2);
$user\u data=mysqli\u fetch\u数组($result);
$count\u row=$result->num\u rows;
如果($count_row==1){
$emaildb==$\会话['uemail'];
//这个登录变量将用于会话
$_会话['username']=$user_数据['uemail'];
//$_会话['uemail']=$user_数据['uemail'];
$\u会话['uid']=$user\u数据['uid'];
$\u会话['login']=true;
}
其他的
$this->error['account']=“error:无效的用户名/密码”;
}
其他的
$this->error['email']=“error:无效的电子邮件地址”;
返回(!isset($_会话['uemail'])?false:true;
}
/***用于显示用户名或全名***/
公共函数get_fullname($uid){
//-->您可以在此处准备、绑定和执行您的值,以替换现有值….db,$sql);
$user\u data=mysqli\u fetch\u数组($result);
echo$user_data['fullname'],“
”;
echo$user_data['uemail'],“
”;
echo$user_data['uid'],“
”;
}
公共功能检查用户($uid){
//-->您可以在此处准备、绑定和执行您的值,以替换现有值….db,$sql5);
$count_row1=$result1->num_rows;
返回($count_row1==1);
}
/***开始会话***/
公共函数get_session(){
返回$_会话['login'];
}
公用函数用户_注销(){
$\u会话['login']=FALSE;
会话_destroy();
}
}
3、2、1中的SQL注入。。请使用PDO准备的声明。另外:在$\u REQUEST,$\u GET等上使用extract()打开巨大的安全漏洞非常容易。您必须真正确定自己在做什么,并在extract()上使用适当的标志以避免重击重要变量。我相信有人会提到这一点,但是您不是通过PDO
连接,而是使用mysqli
连接。您的连接将是new PDO(连接,凭证,用户,通行证)
而不是new mysqli(连接,凭证,用户,通行证)
,尽管如此,正如@Bjorn所提到的,无论连接如何,您都应该确保您的语句已准备就绪。extract($\u请求)代码>不要这样做。只是不o@rjdown为什么不呢?请解释一下。我不熟悉这一点,也不知道如何修改extract()
的手册。它警告:警告不要对不受信任的数据使用extract()。这将被视为不受信任的数据…这是一个解决方案。我是新来的;不行。更糟的是,给了我很多错误什么错误哪行?错误是可以的,您需要有一个可靠的登录机制,这样错误才能帮助您修复错误。另外,需要注意的是,我从您的登录中删除了几行没有意义的代码,因此如果您在$\u会话['login']
中遇到错误,只需将其添加回客户端登录即可验证是否存在正确的电子邮件才能继续。您是否100%使用电子邮件地址作为用户名?我在分配会话时在您的check\u login
中添加了几行。复制那部分。看看这对你的错误是否有帮助