我想去我的主页与用户名和密码已经在我的数据库中注册。我测试了我的注册页面…完美的工作……但在我输入记录数据的那一刻,我的页面没有重定向。
我的代码是:
<form class="formlog" method="POST" action=""/>
<pre>
<span>User</span>
<input type="text" id="user" name="user" autocomplete="off" placeholder="Your email here..." size="15" required/>
<span>Password</span>
<input type="password" id="pass" name="pass" autocomplete="off" placeholder="Your pass..." size="15" required/>
<button type="submit">Send!</button>
</pre>
</form>
<a href="reg.php">¿Dont have your account?... come here!!</a>
</div>
<?php
$host="----";
$username="----";
$password="----";
$db_name="----";
$tb_name="----";
$connect = mysqli_connect($host,$username,$password,$db_name)or die("Cannot connect to the database.");
$myusername=$_REQUEST['user'];
$mypassword=$_REQUEST['pass'];
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysqli_real_escape_string($myusername);
$mypassword = mysqli_real_escape_string($mypassword);
$sql = "select*from $tbl_name where User='$myusername' and Password='$mypassword'";
$result=mysqli_query($connect,$sql);
$count= mysqli_num_rows($result);
if($count==1){
session_register($myusername);
session_register($mypassword);
header("location:HomePAGE.html");
}else{
echo "<h3 align='center'><font color='Red'>Incorrect pass or user... try again.</font></h3><br>";
}
?>
哈哈,我的代码工作与一个疯狂的解决方案…我将PHP代码放在另一个单独的文件中,并删除以下行:
session_register($myusername);
session_register($mypassword);
谁能告诉我这里发生了什么事? 首先,不先加密保存密码是很危险的。使用MD5功能。如果将密码保存为MD5元素,则查询为
select * from $tbl_name where User LIKE BINARY '$myusername' and Password LIKE BINARY '$mypassword'
使用LIKE BINARY进行严格比较。
另一方面,尝试更改home .html的文件根,如header("location: root_folder/homepage.html ");
如果您要将该文件提交给它自己,那么您需要在页面顶部有处理表单提交的逻辑。这是对@Buddy提出的答案的阐述。要解决这个问题,只需将逻辑移到顶部,并检查表单是否正在提交。此外,让我们添加一个XSFR生成器,这样我们就可以有一个表单,在某种程度上免受这些攻击,这是非常容易的。
同样,因为您正在接受用户输入,我们需要确保它的安全性。最简单的方法之一是使用预处理语句。我知道你正在使用stripsplashes和mysqli_real_escape_string,这些都是可以的,但最好让引擎为你处理它。我们将把db连接器改为面向对象的,而不是以前的。
<?php
/**
* Check multiple factors:
* 1. the form has been submit
* 2. the xsrf_token form field exists
* 3. the xsrf_token value matches what was created in the initial page load.
*/
if(isset($_POST['xsrf_token']) && $_POST['xsrf_token'] = $_SESSION['xsrf_token']){
$host="----";
$username="----";
$password="----";
$db_name="----";
$tb_name="----";
/**
* Use the OOP Method.
*/
$mysqli = new mysqli($host,$username,$password,$db_name);
/**
* this is the correct OOP way to handle errors.
*/
if ($mysqli->connect_error) {
die('Connect Error (' . $mysqli->connect_errno . ') '
. $mysqli->connect_error);
}
/**
* You're posting, this is a login, let's make sure we only accept post.
$myusername=$_POST['user'];
$mypassword=$_POST['pass'];
/**
* Set up the prepared statement.
* the ?'s indicate placeholders which we will bind to after.
*/
$stmt = $mysqli->prepare("SELECT * FROM $tb_name where User = ? and password = ?");
/**
* Bind to the placeholders above.
* the first argument is the type of data we intend to receive.
* 's' stands for string.
* you must have as many identifiers as you do placeholders;
* so for this example: 2.
*/
$stmt->bind_param('ss', $myusername, $mypassword);
/**
* Now we check if the statement can be executed.
*/
if($stmt->execute()){
if($stmt->num_rows > 0){
$_SESSION['username'] = $myusername;
//do not store the password in the session
} else {
/**
* Now you can perform the redirect here.
*/
header('Location:HomePAGE.html');
}
}
}
/**
* Generate the XSRF token in the session so we can compare on the post
* uniqid() should not be used for security reasons, but is good enough for this exmaple.
*/
$_SESSION['xsfr_token'] = uniqid();
?>
现在,我们可以继续向页面显示我们的HTML。
<form class="formlog" method="POST" action=""/>
<pre>
<span>User</span>
<input type="text" id="user" name="user" autocomplete="off" placeholder="Your email here..." size="15" required/>
<span>Password</span>
<input type="password" id="pass" name="pass" autocomplete="off" placeholder="Your pass..." size="15" required/>
<button type="submit">Send!</button>
</pre>
</form>
<a href="reg.php">¿Dont have your account?... come here!!</a>
</div>
这应该涵盖了大部分基础。最后,也是最重要的一点是:不要在数据库中存储纯文本密码。有很多关于散列和盐密码的好文章。
好运。
我认为问题在于您对header
的调用是在其他HTML已经发送之后…来自文档:
请记住,必须在发送任何实际输出之前调用header(),可以通过普通的HTML标记、文件中的空白行或PHP调用。使用include或require函数或其他文件访问函数读取代码,并且在调用header()之前输出空格或空行是一个非常常见的错误。当使用单个PHP/HTML文件时,也存在同样的问题。
你的标题在这种情况下不起作用
因为你的HTML在同一个页面
我可以告诉你在这种情况下header
的替代方案
header("location:HomePAGE.html");
echo'<script>window.location="HomePAGE.html";</script>';
和搜索谷歌header vs window.location
你可以使用这个,它为我工作
制作javascript
函数
goto_home= function() {
window.location.href='./HomePAGE.html';
}
现在替换你的
header("location:HomePAGE.html");
echo '<script type="text/javascript">goto_home();</script>';