我是PHP和StackOverflow的初学者!我试着为我的应用程序创建一个登录功能,但这似乎不起作用。。。
function login($user, $password)
{
$db = new mysqli('127.0.0.1', 'root', 'raspberry', 'extranet');
$db->set_charset('utf8');
$token = '';
if (isset($user) && isset($password) && !isset($_SESSION))
{
$query = $db->prepare('SELECT * FROM users WHERE USERNAME = ? AND PASSWORD = ?');
$query->bind_param($user, $password);
$res = $query->execute();
if (mysqli_num_rows($res) != 0)
{
$_SESSION['user'] = $user;
$token = rand(85765, 650000);
$query = $db->prepare('INSERT INTO tokens VALUES(null, ?, ?);');
$query->bind_param($user, $token);
$query->execute();
$_SESSION['token'] = $token;
} else {
$_SESSION['token'] = 0;
}
return $_SESSION['token'];
} else if (isset($_SESSION['token']) && $_SESSION['token'] != 0 && isset($_SESSION['user']))
{
$query = $db->prepare('SELECT * FROM tokens WHERE USERNAME = ? AND TOKEN = ?');
$query->bind_param($_SESSION['user'], $_SESSION['token']);
$res = $query->execute();
if (mysqli_num_rows != 0)
{
return true;
} else
{
return false;
}
} else
{
return false;
}
}
你能告诉我出了什么问题吗?啊!P-S:对不起,我的英语水平,我只是一名法国
$query = $db->prepare('SELECT * FROM users WHERE USERNAME = ? AND PASSWORD = ?'); $query->bind_param($user, $password);
您正在此处存储明文密码。看看PHP的密码散列功能。
$token = rand(85765, 650000);
我确信您的整个令牌系统是不必要的,但即使不是,也不要使用rand()。