调试php登录页面的第三层(机密q/a)
我正在构建一个包含3个登录层的页面。要登录,用户需要输入以下详细信息:调试php登录页面的第三层(机密q/a),php,Php,我正在构建一个包含3个登录层的页面。要登录,用户需要输入以下详细信息: 帐号和密码 输入Pin码(4位代码) 为用户在注册时输入的机密问题提供机密答案。你的宠物叫什么名字 如何验证function.php中的秘密问题和答案,以允许用户登录到其帐户部分 现在,我可以看到提示用户输入用户名和密码,pin码被接受和验证,但当我进入机密问题和答案时,secret.php不接受我的答案 似乎没有正确验证function.php文件中的密码 function.php: <?php require_on
<?php
require_once('mail.php');
/*
Check if a session user id exist or not. If not set redirect
to login page. If the user session id exist and there's found
$_GET['logout'] in the query string logout the user
*/
function checkUser()
{
// if the session id is not set, redirect to login page
if (!isset($_SESSION['hlbank_user'])) {
header('Location: ' . WEB_ROOT . 'login.php');
exit;
}
// the user want to logout
if (isset($_GET['logout'])) {
doLogout();
}
}
function next_tx_no() {
$sql = "SELECT tx_no FROM tbl_transaction ORDER BY id DESC LIMIT 1";
$result = dbQuery($sql);
extract(dbFetchAssoc($result));
$tx_num = (int)substr($tx_no, 2);
$next_id = $tx_num+1; // increment by One
return 'TX'.$next_id;
}
function str_number($str) {
$number = '';
$number = str_replace('$', '', $str);
$number = str_replace(',', '', $number);
return doubleval($number);
}
function doPinValidation() {
$errorMessage = '';
$pin = $_SESSION['hlbank_tmp']['pin'];
$ipPin = $_POST['accpin'];
if($pin == $ipPin) {
$_SESSION['hlbank_user'] = $_SESSION['hlbank_tmp'];
unset($_SESSION['hlbank_tmp']);
header('Location: secret.php');
exit;
}
else {
$errorMessage = 'Invalid pin numbers, please try again.';
}
return $errorMessage;
}
function doSecret() {
$errorMessage = '';
$secans = $_SESSION['hlbank_tmp']['secans'];
$ipsecans = $_POST['accsecans'];
$secque = $_SESSION['hlbank_tmp']['secque'];
$ipsecque = $_POST['accsecque'];
if($secans == $ipsecret) {
$_SESSION['hlbank_user'] = $_SESSION['hlbank_tmp'];
unset($_SESSION['hlbank_tmp']);
header('Location: index.php');
exit;
}
else {
$errorMessage = 'Wrong Secret Answer, please try again.';
}
return $errorMessage;
}
function doLogin()
{
$errorMessage = '';
$accno = (int)$_POST['accno'];
$pwd = $_POST['pass'];
$pin = $_POST['accpin'];
$secque = $_POST['accsecque'];
$secans = $_POST['accsecans'];
$sql = "SELECT u.fname, u.lname, u.email, u.is_active, u.pics, u.phone,
a.acc_no, a.user_id, a.pin, a.type, a.status,
se.secque, se.secans, se.user_id
FROM tbl_users u, tbl_accounts a, tbl_secret se, tbl_address ad
WHERE a.acc_no = $accno AND u.pwd = PASSWORD('$pwd')
AND u.id = a.user_id AND se.user_id = u.id AND ad.user_id = u.id AND u.is_active != 'FALSE'";
$result = dbQuery($sql);
if (dbNumRows($result) == 1) {
$row = dbFetchAssoc($result);
$_SESSION['hlbank_tmp'] = $row;
$_SESSION['hlbank_user_name'] = strtoupper( $row['fname'].'
'.$row['lname']);
header('Location: pin.php');
exit;
}
else {
$errorMessage = 'Wrong account number/password. Please try again.';
}
return $errorMessage;
}
/*
Logout a user
*/
function doLogout()
{
if (isset($_SESSION['hlbank_user'])) {
unset($_SESSION['hlbank_user']);
//session_unregister('hlbank_user');
}
header('Location: login.php');
exit;
}
function doRegister()
{
$fname = $_POST['firstname'];
$lname = $_POST['lastname'];
$pwd = $_POST['password'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$dob = $_POST['dob'];
$gender = $_POST['gender'];
$add = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = (int)$_POST['zipcode'];
// $accno = (int)$_POST['accno'];
$type = $_POST['acctype'];
$pin = (int)$_POST['pin'];
$secque = $_POST['secque'];
$secans = $_POST['secans'];
$errorMessage = '';
$sql = "SELECT fname FROM tbl_users WHERE fname = '$fname'";
$result = dbQuery($sql);
if (dbNumRows($result) == 1) {
$errorMessage = 'Username already exist, please try another name.';
return $errorMessage;
}
//first check if account number is already register or not...
$accno = rand(9999999999, 99999999999);
$accno = strlen($accno) != 10 ? substr($accno, 0, 10) : $accno;
/*
$sql = "SELECT acc_no FROM tbl_accounts WHERE acc_no = $accno";
$result = dbQuery($sql);
if (dbNumRows($result) == 1) {
$errorMessage = 'Account number is already register.';
return $errorMessage;
}
*/
$images = uploadProductImage('pic', SRV_ROOT . 'images/thumbnails/');
$thumbnail = $images['thumbnail'];
$insert_id = 0;
$sql = "INSERT INTO tbl_users (fname, lname, pwd, email, phone, gender,
is_active, utype, pics, bdate)
VALUES ('$fname', '$lname', PASSWORD('$pwd'), '$email', '$phone',
'$gender', 'FALSE', 'USER', '$thumbnail', NOW())";
dbQuery($sql);
$insert_id = dbInsertId();
//now create a user address.
$sql = "INSERT INTO tbl_address (user_id, address, city, state, zipcode,
country)
VALUES ($insert_id, '$add', '$city', '$state', $zip, 'USA')";
dbQuery($sql);
//and now create a account table entry...
$sql = "INSERT INTO tbl_accounts (user_id, acc_no, type, balance, pin,
status, bdate)
VALUES ($insert_id, '$accno', '$type', 0, $pin, 'INACTIVE', NOW())";
dbQuery($sql);
//and now create a secret table entry...
$sql = "INSERT INTO tbl_secret (user_id, secque, secans)
VALUES ($insert_id, '$secque', '$secans')";
dbQuery($sql);
//now send email
//email it now.
$subject = "Account Registration";
$to = $email;
$msg_body = "Dear Customer,<br/><br/>
This is to inform you that your Account # $accno is register successfully with Elite Society Club and currently not active. We will contact you once it is activate.<br/><br/>In case you need any further clarification for the same, please do get in touch with us.<br/><br/>
Regards,<br/>Elite Society Club";
$mail_data = array('to' => $to, 'sub' => $subject, 'msg' => 'register',
'body' => $msg_body);
send_email($mail_data);
header('Location: aregister.php');
exit;
<?php
require_once './library/config.php';
require_once './library/functions.php';
$errorMessage = ' ';
if (isset($_POST['accsecret'])) {
$result = doSecretValidation();
if ($result != '') {
$errorMessage = $result;
}
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title><?php echo $site_title; ?></title>
<link href="<?php echo WEB_ROOT;?>css/admin.css" rel="stylesheet"
type="text/css">
<link href="<?php echo WEB_ROOT;?>css/styles.css" rel="stylesheet"
type="text/css">
<link href="<?php echo WEB_ROOT; ?
>library/spry/textfieldvalidation/SpryValidationTextField.css" rel="stylesheet"
type="text/css" />
<script src="<?php echo WEB_ROOT; ?
>library/spry/textfieldvalidation/SpryValidationTextField.js"
type="text/javascript"></script>
</head>
<body style="background-color:#ECECEC;margin-top:50px;">
<table width="750" border="0" align="center" cellpadding="0" cellspacing="1"
class="graybox">
<tr style="background-color:#FFFFFF">
<td><img src="<?php echo WEB_ROOT; ?>images/OnlineBanking-logo.png" /></td>
</tr>
<tr>
<td valign="top">
<table width="100%" border="0" cellspacing="0" cellpadding="20">
<tr>
<td class="contentArea">
<form action="#" method="post" enctype="multipart/form-data"
id="acclogin">
<h2 align="center"><strong>Login Step 3:</strong> Log in to Access your
Account</h2>
<p align="center">Enter Your Secret Answer to proceed </p>
<div class="errorMessage" align="center"><?php echo $errorMessage; ?>
</div>
<table width="350" border="0" align="center" cellpadding="5"
cellspacing="1" bgcolor="#336699" class="entryTable">
<tr id="entryTableHeader">
<td><div align="center">:: Customer Login ::</div></td>
</tr>
<tr>
<td class="contentArea">
<table width="100%" border="0" cellpadding="2" cellspacing="1"
class="text">
<tr>
<td colspan="3"><div align="center"><?php echo $secque != "" ?
$secque : "" ?>
<p> </p>
</div></td>
</tr>
<tr>
<td width="100" align="right">Secret Code</td>
<td width="10" align="center">:</td>
<td>
<span id="spry_secans">
<input name="accsecret" type="text" id="accsecret" size="20" maxlength="30" />
<br />
<span class="textfieldRequiredMsg">Secret Answer is required.</span>
<span class="textfieldMinCharsMsg">Secret Answer must specify at least 4 characters.</span>
<span class="textfieldMaxCharsMsg">Secret Answer must specify at max 30 characters.</span>
</span>
</td>
</tr>
<tr>
<td colspan="2"> </td>
<td><input name="submitButton" type="submit" id="submitButton" value="Validate Secret Answer" /></td>
</tr>
</table></td>
</tr>
</table>
<p> </p>
</form></td>
</tr>
<tr>
<td class="contentArea" style="border-top:#999999 thin dashed;">
</td>
</tr>
</table>
</td>
</tr>
</table>
<p> </p>
</body>
<script type="text/javascript">
<!--
//
var spry_secans = new Spry.Widget.ValidationTextField("spry_secans", 'integer',
{minChars:4, maxChars: 30, validateOn:["blur", "change"]});
//-->
</script>
</html>
你的安全措施做得不对。。。不应该有那么多的步骤…请帮助我改正。非常感谢。谢谢兄弟,你能帮我更正一下我的function.php文件和secret.php文件吗?删除了大部分空白,因为代码太长了三倍。通常也会在可能的情况下改进格式和语法。你没有做好安全措施。。。不应该有那么多的步骤…请帮助我改正。非常感谢。谢谢兄弟,你能帮我更正一下我的function.php文件和secret.php文件吗?删除了大部分空白,因为代码太长了三倍。在可能的情况下,通常还改进了格式和语法。