嘿家伙,我是新来的mysqli,我有一个问题。我刚刚更新了我的登录检查以使用mysqli和准备好的语句,并且一切似乎都正常。但你永远不会太安全。那么你能否告诉我这段代码是否有问题?帮助检查登录
<?php
ini_set('display_errors', 'On');
error_reporting(E_ALL | E_STRICT);
$mysqli=new mysqli("localhost", "***", "***","***") ;
if(!$mysqli){
die("Database error");
}
function checklogin($username, $password){
global $mysqli;
$result = $mysqli->prepare("SELECT * FROM users WHERE username = ? and password=?");
$result->bind_param("ss", $username, $password);
$result->execute();
if($result != false){
$dbArray=$result->fetch();
if(!$dbArray){
echo '<p class="statusmsg">The username or password you entered is incorrect, or you haven\'t yet activated your account. Please try again.</p><br/><input class="submitButton" type="button" value="Retry" onClick="location.href='."'login.php'\">";
return;
}
$_SESSION['username']=$username;
if(isset($_POST['remember'])){
setcookie("jmuser",$username,time()+60*60*24*356);
setcookie("jmpass",$password ,time()+60*60*24*356);
}
echo'<p class="statusmsg"> You have successfully logged in. You will now be redirected to the homepage.</p>';
redirect();
}
else{
echo'<p class="statusmsg"> The username or password you entered is incorrect. Please try again.</p><br/>input class="submitButton" type="button" value="Retry" onClick="location.href='."'login.php'\">";
return;
}
}
if(isset($_COOKIE['jmuser']) && isset($_COOKIE['jmpass'])){
$status=checkCookie($_COOKIE['jmuser'], $_COOKIE['jmpass']);
if($status==true){
echo '<p class="statusmsg"> Welcome back '.$_COOKIE['jmuser'].'. You will now be redirected to the homepage.</p>';
sleep(5);
redirect();
}
}
else{
if(isset($_POST['sublogin'])){
if((strlen($_POST['user']) >0) && (strlen($_POST['pass']) >0)) {
checklogin($_POST['user'], $_POST['pass']);
}
elseif((isset($_POST['user']) && empty($_POST['user'])) || (isset($_POST['pass']) && empty($_POST['pass']))){
echo '<p class="statusmsg">You didn\'t fill in the required fields.</p><br/><input class="submitButton" type="button" value="Retry" onClick="location.href='."'login.php'\">";
}
}
else{
echo '<p class="statusmsg">You came here by mistake, didn\'t you?</p>';
}
}
而且还当登录作品似乎不给我重定向到的index.php。这是写在标签上方的代码。
<?php
if(isset($_GET['url'])){
function redirect() {
header('location:'.$_GET['url']);
}
}
else {
function redirect() {
header('location: index.php');
}
}
?>
我试着删除文本无济于事。我想我知道这个问题。当点击登录按钮时,我在地址栏中获取:localhost/JMToday/loginchk.php?url =因此,url是空白的,因此它不会重定向。除非我的理论是错误的:P请你帮忙吗?
没有,在他的情况下它不是脆弱的 – 2011-01-12 15:30:38
你应该阅读备忘录 – 2011-01-12 15:38:49
中的文本,这样它不会当他使用它时。那么,你的答案是什么? – 2011-01-12 15:48:31