为什么,如果我输入有效的用户名和密码,它是否有效,但是当我输入假密码时,它不起作用?下面是我的脚本.
登录In.html:
<!DOCTYPE html>
<html lang="">
<head>
<title>LOG-IN</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<link href="../layout/styles/layout.css" rel="stylesheet" type="text/css" media="all">
</head>
<body id="top">
<div class="wrapper row1">
<header id="header" class="hoc clear">
<h1><a href="../index.html">Melis & Morganti</a></h1>
<p>Hardware Information</p>
</header>
</div>
<div class="wrapper row4">
<nav id="mainav" class="hoc clear">
<ul class="clear">
<li class="active"><a href="index.html">Home</a></li>
<li><a class="drop" href="#">ACCOUNT</a>
<ul>
<li><a href="Sign-In.html">LOG-IN</a></li>
<li><a href="registrazione3.html">REGISTER</a></li>
</ul>
</ul>
</nav>
</div>
<div class="wrapper bgded overlay" style="background-image:url('../images/demo/backgrounds/login.jpg');">
<section id="breadcrumb" class="hoc clear">
<ul>
<li><a href="#">Home</a></li>
<li><a href="#">LOG-IN</a></li>
</ul>
<h6 class="heading">LOG-IN</h6>
</section>
</div>
<div class="wrapper row3">
<main class="hoc container clear">
<div class="content">
<div id="gallery">
<figure>
<body id="body-color">
<div id="Sign-In">
<fieldset style="width:30%"><legend>Inserisci i tuoi dati</legend>
<form method="POST" action="connectivity.php">
Utente <br><input type="text" name="user" size="40"><br>
Password <br><input type="password" name="pass" size="40"><br>
<input id="button" type="submit" name="submit" value="Log-In">
</form>
</fieldset>
</div>
</body>
</figure>
</div>
</div>
<div class="clear"></div>
</main>
</div>
<div class="wrapper row4">
<footer id="footer" class="hoc clear">
<div class="one_third first">
<h6 class="heading">Sede Legale</h6>
<ul class="nospace btmspace-30 linklist contact">
<li><i class="fa fa-map-marker"></i>
<address>
Via Teano
</address>
</li>
<li><i class="fa fa-phone"></i> +00 0612345678</li>
<li><i class="fa fa-envelope-o"></i> infohardware@MelisMorganti.com</li>
</ul>
</div>
<div class="one_third">
<h6 class="heading"> </h6>
<ul class="nospace linklist">
</ul>
</div>
<div class="one_third">
<h6 class="heading">Newsgroup</h6>
<p class="nospace btmspace-30">Ricevi aggiornamenti</p>
<form method="post" action="#">
<fieldset>
<legend>Newsletter:</legend>
<input class="btmspace-15" type="text" value="" placeholder="Name">
<input class="btmspace-15" type="text" value="" placeholder="Email">
<button type="submit" value="submit">INVIO</button>
</fieldset>
</form>
</div>
</footer>
</div>
<div class="wrapper row5">
<div id="copyright" class="hoc clear">
<p class="fl_left">Copyright © 2017 - All Rights Reserved - <a href="#">Melis - Morganti: Hardware Information</a></p>
</div>
</div>
<a id="backtotop" href="#top"><i class="fa fa-chevron-up"></i></a>
<!-- JAVASCRIPTS -->
<script src="layout/scripts/jquery.min.js"></script>
<script src="layout/scripts/jquery.backtotop.js"></script>
<script src="layout/scripts/jquery.mobilemenu.js"></script>
</body>
</html>这就是connectivity.php:
<?php
error_reporting(E_ALL ^ E_DEPRECATED);
define('DB_HOST', 'localhost');
define('DB_NAME', 'login');
define('DB_USER','root');
define('DB_PASSWORD','');
$con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Impossibile connettersi: " . mysql_error());
$db=mysql_select_db(DB_NAME,$con) or die("Impossibile connettersi: " . mysql_error());
/*
$ID = $_POST['user'];
$Password = $_POST['pass'];
*/
function SignIn() {
session_start();
//starting the session for user profile page
if(!empty($_POST['user']))
{
$query = mysql_query("SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysql_error());
$row = mysql_fetch_array($query) or die(mysql_error());
if(!empty($row['userName']) AND !empty($row['pass']))
{
$_SESSION['userName'] = $row['pass'];
echo "Sei loggato con successo";
echo "<script> window.location.assign('index_success.html'); </script>";
}
else
{
echo "ID o password sbagliata";
}
}
}
if(isset($_POST['submit']))
{
SignIn();
}
?>
为什么不起作用?我尝试使用header(),但它不起作用.当我使用真实的用户名和密码时,它可以工作:它显示"Sei loggato con successo"0.1毫秒并将其重定向到"index_success.html".但是,当我使用假的用户名或假密码时,它会将我发送到"connectivity.php",而不会显示消息或错误.这是空白的!
警告:Little Bobby说您的脚本存在SQL注入攻击的风险..即使逃避字符串也不安全!
危险:请停止使用mysql_*功能. 这些扩展已在PHP 7中删除.了解PDO和MySQLi的预处理语句并考虑使用PDO,这非常简单.
以下是如何使用mysql_*API正确散列密码来解决您的问题:
<?php
error_reporting(E_ALL ^ E_DEPRECATED);
define('DB_HOST', 'localhost');
define('DB_NAME', 'login');
define('DB_USER','root');
define('DB_PASSWORD','');
$con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Impossibile connettersi: " . mysql_error());
$db=mysql_select_db(DB_NAME,$con) or die("Impossibile connettersi: " . mysql_error());
session_start();
function SignIn($user, $pw) {
$user = mysql_real_escape_string($user);
$query = mysql_query("SELECT * FROM UserName where userName = '{$user}'") or die(mysql_error());
$row = mysql_fetch_array($query) or die(mysql_error());
if(!empty($row))
{
if(password_verify($pw, $row['pass']))
{
$_SESSION['userName'] = $row['user'];
echo "Sei loggato con successo";
echo "<script> window.location.assign('index_success.html'); </script>";
}
else
{
echo "ID o password sbagliata";
}
}
else
{
echo "There is a problem";
}
}
if(isset($_POST['submit']))
{
SignIn($_POST['user'], $_POST['pass']);
}
?>
在这段代码中,我使用PHP的内置函数来处理密码安全性.如果您使用的PHP版本低于5.5,则可以使用password_hash() 兼容包. 在散列之前,没有必要转义密码或使用任何其他清理机制.这样做会更改密码并导致不必要的额外编码.
| 归档时间: |
|
| 查看次数: |
107 次 |
| 最近记录: |