我曾尝试创建一个登录页面,但我在文本字段中输入的内容并点击login按钮后,它会在通知用户wrong username/passowrd时自动重定向到索引页面;为什么?
<html>
<body>
<div>
<form method="post" action="customer_login.php">
<table width='500' align='center' bgcolor='skyblue'>
<tr align='center'>
<td colspan ='4'><h2>Login/Register to Proceed</h2></td>
</tr>
<tr>
<td align='right'><b>Email:</b></td>
<td><input type='text' placeholder='Enter Email' name='c_email'/></td>
</tr>
<tr>
<td align='right'><b>Password:</b></td>
<td><input type='password' name='pass' placeholder="Enter Password"/></td>
</tr>
<tr align='center'>
<td colspan='4'><input type='submit' value="Login" name="login"/></td>
</tr>
</table>
<h2 style=' float:center;padding:10px;'><a href='customer_register.php' style='text-decoration:none;'> Don't have an account?</a></h2>
</form>
</div>
</body>
</html>
<?php
if(isset($_POST['login'])){
include("includes/db.php");
$username = strip_tags($_POST['c_email']);
$password = strip_tags($_POST['pass']);
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysqli_real_escape_string($username);
$password = mysqli_real_escape_string($password);
$sql = "select * from customer where customer_email ='$username' LIMIT 1";
$query_login = mysqli_query($con, $sql);
$row = mysqli_fetch_array($query_login);
$email = $row['customer_email'];
$db_pass = $row['customer_pass'];
if($password==$db_pass){
$_SESSION['customer_email'] = $email;
header("Location:index.php");
}else{
echo "<h2 style='color:red;'>Wrong Email/Password!</h2>";
}
}
?>
我已经在index.php中启动了会话。这是一个电子商务网站,用户可以在不登录的情况下将商品添加到购物车中,但应该在结账时登录。
尝试一下:
<?php
// Anti-Caching (hopefully):
header('Expires: Sun, 01 Jan 2014 00:00:00 GMT');
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
$_ERROR_MESSAGE = NULL;
if(isset($_POST['Login'])){
include("includes/db.php");
$username = strip_tags($_POST['c_email']);
$password = strip_tags($_POST['pass']);
$username = $con->real_escape_string($username);
$sql = "SELECT * FROM `customer` WHERE `customer_email` ='$username' LIMIT 1";
$query_login = $con->query($sql);
if($query_login->num_rows > 0){
$row = $query_login->fetch_assoc();
$email = $row['customer_email'];
$db_pass = $row['customer_pass'];
if($password == $db_pass){ // Insecure password check occurs here (use hashing & salts)
$_SESSION['customer_email'] = $email;
header($_SERVER['SERVER_PROTOCOL'] . ' 303 See Other', true, 303);
header("Location: index.php");
exit(); // Stop processing and let user be redirected. Do not output login page.
}else{
// Incorrect Password
$_ERROR_MESSAGE = "<h2 style='color:red;'>Wrong Email/Password!</h2>";
}
}else{
// Invalid Email/Username
$_ERROR_MESSAGE = "<h2 style='color:red;'>Wrong Email/Password!</h2>";
}
// Free up memory and close connections
$query_login->free();
$con->close();
} // Else, output the page
?>
<!DOCUMENT HTML>
<html>
<head>
<title>Some Login Page</title>
</head>
<body>
<div>
<?php
// Check if we need to output an error message here:
if($_ERROR_MESSAGE !== NULL){
echo $_ERROR_MESSAGE;
}
?>
<form method="post" action="customer_login.php">
<table width='500' align='center' bgcolor='skyblue'>
<tr align='center'>
<td colspan ='4'><h2>Login/Register to Proceed</h2></td>
</tr>
<tr>
<td align='right'><b>Email:</b></td>
<td><input type='text' placeholder='Enter Email' name='c_email'/></td>
</tr>
<tr>
<td align='right'><b>Password:</b></td>
<td><input type='password' name='pass' placeholder="Enter Password"/></td>
</tr>
<tr align='center'>
<td colspan='4'><input type='submit' value="Login" name="login"/></td>
</tr>
</table>
<h2 style=' float:center;padding:10px;'><a href='customer_register.php' style='text-decoration:none;'> Don't have an account?</a></h2>
</form>
</div>
</body>
</html>
我不知道为什么它以前重定向。我唯一的猜测是,来自customer_login.php的响应可能正被您的浏览器缓存。为了防止这种情况,我在顶部添加了一些防缓存标头(只要浏览器符合要求,就可以防止缓存问题)。此外,我将PHP部分重新安排在顶部,因为从技术上讲,在已经开始输出正文之后,不应该设置标题。我还将MySQLi重写为面向对象(个人偏好)。
顺便说一句,根据我在这里看到的情况,你的数据库是不安全的。看起来你是在用明文存储密码。因此,如果数据库被泄露,所有用户的密码都将被暴露。为了用户/客户的安全,请考虑使用加密安全的哈希算法,每个用户都有一个唯一的salt来防止这种情况。