logo标签列表

PHP + SQL Server 登录和会话

phpsqlsql-server-2008
4
你好,我正在尝试使用PHP创建登录和会话脚本,并将其用于SQL Server,但无论我在登录表单中输入什么,只要它验证通过,它就可以正常工作。然而,我无法找出代码的问题所在。我最近才开始使用PHP和SQL Server,并没有足够的知识来自己解决问题。如果有人能帮忙,那就太好了。同时,如果您知道一些使用SQL Server和PHP的好的教程网站,是否可以分享一下呢?很遗憾,似乎并没有太多好的教程网站。在这个阶段,任何帮助都非常受欢迎。我的主要问题是它没有检查在HTML表单中发布的信息是否存在于数据库中。(我已经删除了JS验证,因为它似乎不是必要的,但它确实有效)。

Login.html

<form name="log" action="log_action.php" method="post">
Username: <input class="form" type="text" name="uNm"><br />
Password: <input class="form" type="password" name="uPw"><br />
<input name="submit" type="submit" value="Submit">
</form>

log_action.php

session_start();
$serverName = "(local)";
$connectionInfo = array("Database"=>"mydatabase","UID"=>"myusername", "PWD"=>"mypassword");
$conn = sqlsrv_connect( $serverName, $connectionInfo);
if( $conn === false){
    echo "Error in connection.\n";
    die( print_r( sqlsrv_errors(), true));
}
$username = $_REQUEST['uNm'];
$password  = $_REQUEST['uPw'];
$tsql = "SELECT * FROM li WHERE uNm='$username' AND uPw='$password'";
$stmt = sqlsrv_query( $conn, $tsql, array(), array( "Scrollable" => SQLSRV_CURSOR_KEYSET ));
if($stmt == true){
    $_SESSION['valid_user'] = true;
    $_SESSION['uNm'] = $username;
    header('Location: index.php');
    die();
}else{
    header('Location: error.html');
    die();
}

index.php

<?php
session_start();
if($_SESSION['valid_user']!=true){
    header('Location: error.html');
    die();
}
?>

感谢你们可能提供的任何帮助。
顺便提一下,你的代码容易受到SQL注入攻击(http://en.wikipedia.org/wiki/SQL_injection),直接将用户输入连接到查询语句中非常危险。学习使用参数化查询来防范此类攻击。 - Nathan
此外,您的问题并不完全清楚。首先,您说“我无法使其工作”,然后您又说,“只要我在登录表单中输入验证通过的内容,它就可以工作”。您遇到了什么问题? - Nathan
它没有检查用户名和密码是否存在于数据库中,无论我输入什么,它都会带我到登录页面,如果不存在,应该带我到错误页面。是的,一旦我完成几个脚本并且足够熟练地使用SQL Server,我计划进行SQL注入预防。 - jphillip724
2个回答
3
问题在于你从未实际检查查询结果。
if($stmt == true){

该语句仅检查查询是否执行无误,但无法确定查询返回的结果。

因此,您需要使用sqlsrv_fetch函数(或相关函数之一)来实际检查查询结果。

在您的特定情况下,仅通过sqlsrv_has_rows检查结果集中是否有行应该就足够了。

好的,我看了一下has rows链接,并使用它调整了我的脚本,它显示有行,这很好。只有在使用正确的用户名和密码时才起作用,所以现在只需要使会话起作用,非常感谢! - jphillip724
2

很抱歉如果这不是您想要的答案,我只是一个新手,但我认为我有一些可以贡献的东西。看看这段代码是否适用于您:

<?php

#starts a new session
session_start();

#includes a database connection
include 'connection.php';

#catches user/password submitted by html form
$user = $_POST['user'];
$password = $_POST['password'];

#checks if the html form is filled
if(empty($_POST['user']) || empty($_POST['password'])){
    echo "Fill all the fields!";
}else{

#searches for user and password in the database
$query = "SELECT * FROM [DATABASE_NAME].[dbo].[users] WHERE user='{$user}' AND"
         ."password='{$password}' AND active='1'";
$result = sqlsrv_query($conn, $query);  //$conn is your connection in 'connection.php'

#checks if the search was made
if($result === false){
     die( print_r( sqlsrv_errors(), true));
}

#checks if the search brought some row and if it is one only row
if(sqlsrv_has_rows($result) != 1){
       echo "User/password not found";
}else{

#creates sessions
    while($row = sqlsrv_fetch_array($result)){
       $_SESSION['id'] = $row['id'];
       $_SESSION['name'] = $row['name'];
       $_SESSION['user'] = $row['user'];
       $_SESSION['level'] = $row['level'];
    }
#redirects user
    header("Location: restrict.php");
}
}

?>

If you want, you can do the same with sqlsrv_fetch combined with sqlsrv_get_field(). Sth like:

<?php
session_start();

[... CONNECTION ...]

[...  your POST request ...]

[... check your forms ...]

 Here is the past that is kinda particular
 [... YOUR QUERY ...]

$result = sqlsrv_query( $conn, $query);

if(!sqlsrv_fetch($result)){
  die(print_r(sqlsrv_erros()),true);
}else{
  $_SESSION['id'] = sqlsrv_get_field($result, 0);
  [... and so on ...]
}
?>
The sqlsrv_fetch() only holds a row and sqlsrv_get_field reads the content of that row. One grabs the other punches. Once you only is retrieving data from the database if the row that contains user AND password exists, sqlsrv_fetch() will only stay with the row that does have the parameters passed by form, if they exist in the database.

I don't recommend, but you can use sqlsrv_num_rows() to check the number of rows, but you need to set some parameters to the sqlsrv_query: $sqlsrv_query($conn, $stmt, array($params), array( "Scrollable" => SQLSRV_CURSOR_KEYSET )) or sth like that.

感谢您给予的机会!!! :D 祝您好运!
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接