Php 此CodeIgniter登录脚本存在严重问题
人们甚至可以使用其他用户的密码登录。我不知道我做错了什么Php 此CodeIgniter登录脚本存在严重问题,php,codeigniter,Php,Codeigniter,人们甚至可以使用其他用户的密码登录。我不知道我做错了什么 function login() { $this->form_validation->set_rules('username','Username','trim|xss_clean|required|callback_login_user_check'); $this->form_validation->set_rules('password','Password','trim|xss_clean|
function login()
{
$this->form_validation->set_rules('username','Username','trim|xss_clean|required|callback_login_user_check');
$this->form_validation->set_rules('password','Password','trim|xss_clean|required|min_length[4]|max_length[20]|callback_password_check|sha1');
$this->_username = $this->input->post('username');
$this->_password = $this->_salt.sha1($this->input->post('password'));
if($this->form_validation->run() == FALSE)
{
$toView['title']= 'Please login';
$this->build_content($toView);
$this->render_page();
}
else
{
$this->account_model->login();
//$data['message'] = "You are logged in! Now go to ". anchor("members/dashboard","Dashboard");
redirect('members/dashboard');
}
}
//---------------------------------------------------------------------------------------------------------------------------
// password CHECKING
function password_check(){
$this->db->where('username', $this->_username);
$this->db->where('password', $this->_password);
$query = $this->db->get('users');
$result = $query->row_array();
if ($query->num_rows() == 0)
{
$this->form_validation->set_message('password_check','There was an error! ');
return FALSE;
}
if($result['password'] == $this->_password)
{
return TRUE;
}
}
function login_user_check($user)
{
$query = $this->db->get_where('users', array('username'=>$user));
if(!$query->num_rows()>0)
{
$this->form_validation->set_message('login_user_check', 'The %s does not exists in our database');
return FALSE;
}
if($query->num_rows() > 0)
{
foreach($query->result_array() as $row)
{
//$data[$row['id']] = $row['name'];
$this->session->set_userdata('user_id', $row['user_id']);
}
}
$query->free_result();
return true;
}
对于密码不相等的情况,您不会返回false。试着这样做:
function password_check(){
$this->db->where('username', $this->_username);
$this->db->where('password', $this->_password);
$query = $this->db->get('users');
$result = $query->row_array();
if ($query->num_rows() == 0)
{
$this->form_validation->set_message('password_check','There was an error! ');
return FALSE;
}
return TRUE;
}
编辑:返回TRUE就足够了。请参阅注释。我测试了代码,它对我有效。用户不能使用其他用户的密码登录。我不知道您的
帐户\u model->login()
在做什么,但到目前为止,您的脚本似乎运行得很好
您可以替换(在password_check()函数中)
与
(如上所述)当你连续两次调用
where
where时,你认为它到底完成了什么?我不是专家,但是$this->db->where这两个$this->db->where组合了从句或从句:$this->db->where('name',$name)$此->数据库->其中('title',$title)$此->数据库->其中('status',$status);//其中name='Joe'和title='boss'和status='active'
我想不出更难的方法来查询数据库以挽救我的生命:p调用WHERE
两次没有什么错-我会亲自传入一个数组,即$this->db->WHERE(数组('username'=>$this->\u用户名,'password'=>$this->\u密码))
-但两者的结果相同。echo$this->db->last_query()
-查看实际生成的SQL检查密码是否相等是多余的,因为您已经在根据密码匹配进行查询。此时,您只需返回TRUE
。问题是别的。
if($result['password'] == $this->_password)
{
return TRUE;
}
return TRUE;
function password_check(){
// Check if one of values is empty, return false
if (empty($this->_username)||empty($this->_password)) return false;
$this->db->where('username', $this->_username);
$this->db->where('password', $this->_password);
...
}