Mysql
 sql >> Base de données >  >> RDS >> Mysql

Je n'arrive pas à faire en sorte que mon formulaire de connexion interagisse correctement avec la base de données mySQL

Cette réponse est pour le hachage, password_hash() , et password_verify() . Pour mysqli et pdo. Le lien en bas contient d'autres liens et un langage sur les sels et autres.

Il est crucial de ne pas utiliser les données fournies par l'utilisateur directement avec les sélections et les insertions. Au lieu de cela, liez les paramètres et appelez les instructions préparées à Éviter les attaques par injection sql . Les mots de passe ne doivent jamais être enregistrés en clair (texte clair) dans les bases de données. Au contraire, ils doivent être envoyés via des hachages à sens unique.

A noter également. Cela montre le hachage d'enregistrement et la vérification de connexion. Ce n'est pas complet fonctionnalité que j'essaie de mettre sur codecanyon pour dix dollars ... de sorte qu'il montre qu'un réenregistrement d'une adresse e-mail (le login) existe déjà, fait des mises à jour, attention. Dans ce cas, l'insertion échouera simplement en raison de la clé unique définie en place dans la base de données. Je vous laisse, le lecteur, faire la recherche et dire "e-mail déjà enregistré".

Schéma

CREATE TABLE `user_accounts2` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `email` varchar(100) NOT NULL,
  `password` varchar(255) NOT NULL,
  PRIMARY KEY (`id`),
  unique key(email) -- that better be the case
) ENGINE=InnoDB;

Après avoir parcouru register.php et enregistré un utilisateur, les données peuvent ressembler à ceci :

select * from user_accounts2;
+----+-----------+--------------------------------------------------------------+
| id | email     | password                                                     |
+----+-----------+--------------------------------------------------------------+
|  1 | [email protected]   | $2y$10$U6.WR.tiOIYNGDWddfT7kevJU8uiz8KAkdxXpda9e1xuplhC/eTJS |
+----+-----------+--------------------------------------------------------------+

section mysqli en premier

register.php

<?php
    mysqli_report(MYSQLI_REPORT_ALL);
    error_reporting(E_ALL); // report all PHP errors
    ini_set("display_errors", 1); // display them
    session_start();

    if(isset($_SESSION['userid'])!="") {
        // you are already logged in as session has been set
        header("Location: safe.php");   // note that this re-direct will at the top of that page
        // ... and there to verify the session state so no tricks can be performed
        // no tricks and gimmicks
    }

    if(isset($_POST['register'])) {
        $email = $_POST['email'];
        $ctPassword = $_POST['password'];   // cleartext password from user
        $hp=password_hash($ctPassword,PASSWORD_DEFAULT); // hashed password using cleartext one

        // pretend the following is locked in a vault and loaded but hard coded here
        $host="yourhostname";
        $dbname="dbname";
        $user="dbuser";
        $pwd="password";
        $port=3306; // comes along for the ride so I don't need to look up param order below
        // end pretend

        try {
            $mysqli= new mysqli($host, $user, $pwd, $dbname,$port);
            if ($mysqli->connect_error) {
                die('Connect Error (' . $mysqli->connect_errno . ') ' . $mysqli->connect_error);
            }
            //echo "I am connected and feel happy.<br/>";
            $query = "INSERT INTO user_accounts2(email,password) VALUES (?,?)";
            $stmt = $mysqli->prepare($query);

            // note the 2 s's below, s is for string
            $stmt->bind_param("ss", $email,$hp);    // never ever use non-sanitized user supplied data. Bind it
            $stmt->execute();
            // password is saved as hashed, will be verified on login page with password_verify()
            $iLastInsertId=$mysqli->insert_id;  // do something special with this (or not)
            // redirect to some login page (for now you just sit here)
            $stmt->close(); 
            $mysqli->close();
        } catch (mysqli_sql_exception $e) { 
            throw $e; 
        } 
    }
?>
<html>
<head>
<title>Register new user</title>
</head>
<body>
<div id="reg-form">
<form method="post">
    <table>
        <tr>
        <td><input type="email" name="email" placeholder="Email" required /></td>
        </tr>
        <tr>
        <td><input type="password" name="password" placeholder="Password" required /></td>
        </tr>
        <tr>
        <td><button type="submit" name="register">Register</button></td>
        </tr>
        <tr>
        <td><a href="index.php">Normal Login In Here</a></td>
        </tr>
    </table>
</form>
</div>
</body>
</html>

login.php

<?php
    mysqli_report(MYSQLI_REPORT_ALL);
    error_reporting(E_ALL); // report all PHP errors
    ini_set("display_errors", 1); // display them
    session_start();

    if(isset($_SESSION['userid'])!="") {
        // you are already logged in as session has been set
        header("Location: safe.php");   // note that this re-direct will at the top of that page
        // ... and there to verify the session state so no tricks can be performed
        // no tricks and gimmicks
    }

    if(isset($_POST['login'])) {
        $email = $_POST['email'];
        $ctPassword = $_POST['password'];   // cleartext password from user

        // pretend the following is locked in a vault and loaded but hard coded here
        $host="yourhostname";
        $dbname="dbname";
        $user="dbuser";
        $pwd="password";
        $port=3306; // comes along for the ride so I don't need to look up param order below
        // end pretend

        try {
            $mysqli= new mysqli($host, $user, $pwd, $dbname,$port);
            if ($mysqli->connect_error) {
                die('Connect Error (' . $mysqli->connect_errno . ') ' . $mysqli->connect_error);
            }
            //echo "I am connected and feel happy.<br/>";
            $query = "select id,email,password from user_accounts2 where email=?";
            $stmt = $mysqli->prepare($query);

            // note the "s" below, s is for string
            $stmt->bind_param("s", $email); // never ever use non-sanitized user supplied data. Bind it
            $stmt->execute();
            $result = $stmt->get_result();
            if ($row = $result->fetch_array(MYSQLI_ASSOC)) {
                $dbHashedPassword=$row['password'];
                if (password_verify($ctPassword,$dbHashedPassword)) {
                    echo "right, userid=";
                    $_SESSION['userid']=$row['id'];
                    echo $_SESSION['userid'];
                    // redirect to safe.php (note safeguards verbiage at top of this file about it)
                }
                else {
                    echo "wrong";
                    // could be overkill here, but in logout.php
                    // clear the $_SESSION['userid']
                }
            }
            else {
                echo 'no such record';
            }
            // remember, there is no iterating through rows, since there is 1 or 0 (email has a unique key)
            // also, hashes are one-way functions in the db. Once you hash and do the insert
            // there is pretty much no coming back to cleartext from the db with it. you just VERIFY it

            $stmt->close(); 
            $mysqli->close();
        } catch (mysqli_sql_exception $e) { 
            throw $e; 
        } 
    }
?>
<html>
<head>
<title>Login</title>
</head>
<body>
<div id="reg-form">
<form method="post">
    <table>
        <tr>
        <td><input type="email" name="email" placeholder="Email" required /></td>
        </tr>
        <tr>
        <td><input type="password" name="password" placeholder="Password" required /></td>
        </tr>
        <tr>
        <td><button type="submit" name="login">Login</button></td>
        </tr>
    </table>
</form>
</div>
</body>
</html>

section aop ci-dessous

Quand j'aurai le temps, probablement demain, mais pour l'instant je vous indique cette Ma réponse .