PHP – 使用login系统保护仅限会员的页面

你好 ,我已经被我写的PHP代码难住了。 我盯着这几个小时没有成功,请帮助find我显然已经过去的任何错误。

我想要这个脚本是从一个HTML表单页面,查询数据库表('用户'),以确保他们的密码和用户名是正确的,然后在一个单独的表('令牌')插入随机令牌(方法,我以前使用,它的工作)到“tk”列,和用户一般authentication。 代码从“用户”表中拖到“标记”表中的“gauth”列。

额外的一般authentication的原因是,我可以拉他们的用户名,并显示在我所计划的“保护”

对不起,如果我很困惑,这是我可以改进的最好的。 另外,我不擅长格式:)。 以后我会添加一些html,这就是为什么标签在那里。

MySQL表格:

用户示例:

cols: username | password | email | classcode | tcode | genralauth | hello | world | hello.world@gmail.com | 374568536 | somthin | 8945784953 | 

令牌示例:

 cols: gauth | tk | 3946893485 |wr8ugj5ne24utb| 

PHP:

 <html> <?php session_start(); error_reporting(0); $servername = "localhost"; $username = "-------"; $password = "-------"; $db = "vws"; ?> <?php // Create connection $conn = new mysqli($servername, $username, $password, $db); // Check connection if ($conn->connect_error) { die("Connection failed: " . $conn->connect_error); } ?> <?php $sql1 = "SELECT username FROM users"; $data1 = $conn->query($sql1); if ($conn->query($sql1) === TRUE) { echo ""; } ?> <?php $sql2 = "SELECT password FROM 'users'"; $data2 = $conn->query($sql2); if ($conn->query($sql2) === TRUE) { echo ""; } ?> <?php $bytes = openssl_random_pseudo_bytes(3); $hex = bin2hex($bytes); ?> <?php if($_POST['pss'] == $data2 and $_POST['uname'] == $data1) { $correct = TRUE; } else { $correct = FALSE; } ?> <?php if ($correct === TRUE) { $sql3 = "SELECT generalauth FROM users WHERE password='".$_POST['pss']."'"; $result3 = $conn->query($sql3); } ?> <?php if ($correct === TRUE) { $sql4 = "INSERT INTO tokens (tk,gauth) VALUES (".$hex."' , '".$result3."')"; if ($conn->query($sql4) === TRUE) { echo "New token genrated."; } else { echo "Error: " . $conn->error; } } ?> <?php if ($correct === TRUE) { ?> <p>Succesfuly loged in!</p><br/> <a href="../index.php<?php echo " ?view=teacher";?>"><button>Continue</button></a><br/> <?php } elseif ($correct === FALSE) { ?> <p>Incorrect, please try again.</p><br/> <a href="../login.php"><button>Back</button></a><br/> <?php } ?> <?php if ($correct === TRUE) { $_SESSION['auth'] = $hex; $_SESSION['logstat'] = TRUE; } ?> <?php if ($correct === FALSE) { $_SESSION['logstat'] = FALSE; } $conn->close(); ?> 

这是我将在大多数页面上使用的用于令牌authentication的PHP,不过实际上它不检查数据库的“令牌”,还需要使用通用authentication来显示login的用户名。

PHP:

 <html> <h1 class="title">Virtual Work Sheets!</h1> <a href="login.php"><p class="h_option">[Log In / Register]</p></a><hr/> <div class="body"> <?php session_start(); error_reporting(0); $servername = "localhost"; $username = "root20"; $password = "jjewett38"; $db = "vws"; ?> <?php // Create connection $conn = new mysqli($servername, $username, $password, $db); // Check connection if ($conn->connect_error) { die("Connection failed: " . $conn->connect_error); } ?> <?php $sql = "SELECT tk FROM tokens"; $data = $conn->query($sql); ?> <?php if (!$_GET['tk'] == $data) { echo " <p>Invalid token, please consider re-logging.</p> "; } else { ?> <?php switch ($_GET['view']) { case teacher: ?> 

教师页面的HTML这里…

 <?php break; case student: ?> 

学生页面html在这里…

 <?php break; default: echo "Please login to view this page."; } }?> </html> 

我build议你改变你的方法。

虽然乍一看这些示例文件看起来很多,但是一旦你研究了它们,你会发现它比现在的方向更加简单和合乎逻辑。

首先,将db连接/login的东西移动到一个单独的文件,并requireinclude在每个PHP页面顶部的文件:

的init.php

  // Create connection $conn = new mysqli($servername, $username, $password, $db); // Check connection if ($conn->connect_error) { die("Connection failed: " . $conn->connect_error); } //Might as well also load your functions page here, so they are always available require_once('fn/functions.php'); ?> 

现在,看看我们如何在索引(和受限制)页面上使用它?

的index.php

 <?php require_once('inc/head.inc.php'); require_once('fn/init.php'); ?> <body> <!-- Examples need jQuery, so load that... --> <script src="jquery-1.11.3.js"></script> <!-- and our own file we will create next... --> <script type="text/javascript" src="js/index.js"></script> <div id="pageWrap"> <div id="loginDIV"> LoginID: <input type="text" id="liID" /><br> LoginPW: <input type="password" id="liPW" /><br> <input type="button" id="myButt" value="Login" /> </div> </div> 

JS / INDEX.JS

 $(function(){ $('#myButt').click(function(){ var id = $('#liID').val(); var pw = $('#liPW').val(); $.ajax({ type: 'post', url: 'ajax/login.php', data: 'id=' +id+ '&pw=' +pw, success: function(d){ if (d.length) alert(d); if (d==1) { window.location.href = 'restricted_page.php'; }else{ $('#liID').val(''); $('#liPW').val(''); alert('Please try logging in again'); } } }); });//END myButt.click }); //END document.ready 

AJAX / login.php中

 <?php $id = $_POST['id']; $pw = $_POST['pw']; //Verify from database that ID and PW are okay //Note that you also should sanitize the data received from user if ( id and password authenticate ){ //Use database lookups ot get this data: $un = `username` //Use PHP sessions to set global variable values $_SESSION['username'] = $un; echo 1; }else{ echo 'FAIL'; } 

RESTRICTED_PAGE.PHP

 <?php if (!isset($_SESSION['username']) ){ header('Location: ' .'index.php'); } require_once('inc/head.inc.php'); require_once('fn/init.php'); ?> <body> <h1>Welcome to the Admin Page, <?php echo $_SESSION['username']; ?> <!-- AND here go all teh restricted things you need a login to do. --> 

关于AJAX的更多信息 – 学习简单的例子