“动力学”会议

发布于 2024-11-09 09:51:13 字数 1213 浏览 4 评论 0原文

我们有一个由 php 和 ajax 处理的登录表单。 ajax 向 php 页面发送一个请求,其中包含要登录的用户名和密码。它会收到响应,如果正确并且工作信息正确,则会将其记录到:

接受请求的 php 页面具有以下代码:

        echo (checkLogin($_POST['user'], $_POST['pass']) ? 'true' : 'false');
        if(checkLogin($_POST['user'], $_POST['pass']) == true)
        logIn($_POST['user'], $_POST['pass']);

中使用的函数该声明:

function logIn($user, $pass)
    {
            $_SESSION['sid'] = md5(md5($user) . md5($pass));
            $_SESSION['username'] = $user;
            $_SESSION['password'] = $pass;
    }

    function checkLogin($user, $pass)
    {
        $user = strtolower($user);
        $pass = strtolower($pass);

        $res = mysql_query("SELECT * FROM users WHERE username='".$user."'");
        if(mysql_num_rows($res) == 1)
        {
            $data = mysql_fetch_assoc($res);
            if($data['pass'] == aCrypt($pass))
            {
                return true;
            }
            else
            {
                return false;
            }
        }
        else
        {
            return false;           
        }
    }

现在,会话似乎已启动,并且只能在用户重新加载页面后才能看到。我们需要它在页面上启动会话...我们需要使用 ajax 刷新整个页面吗?我真的不知道从这里该去哪里。

We have a login form that is processed by php and ajax. The ajax sends a request to the php page with the username and password to be logged in. It gets a response and if it's correct and working info, it logs them in:

The php page that takes requests has this code:

        echo (checkLogin($_POST['user'], $_POST['pass']) ? 'true' : 'false');
        if(checkLogin($_POST['user'], $_POST['pass']) == true)
        logIn($_POST['user'], $_POST['pass']);

The functions used in that statement:

function logIn($user, $pass)
    {
            $_SESSION['sid'] = md5(md5($user) . md5($pass));
            $_SESSION['username'] = $user;
            $_SESSION['password'] = $pass;
    }

    function checkLogin($user, $pass)
    {
        $user = strtolower($user);
        $pass = strtolower($pass);

        $res = mysql_query("SELECT * FROM users WHERE username='".$user."'");
        if(mysql_num_rows($res) == 1)
        {
            $data = mysql_fetch_assoc($res);
            if($data['pass'] == aCrypt($pass))
            {
                return true;
            }
            else
            {
                return false;
            }
        }
        else
        {
            return false;           
        }
    }

Now, it seems that the session is started and only able to be seen AFTER the user reloads the page. We need it to start the session right on the page...would we need to refresh the entire page with ajax? I don't really know where to go from here.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

新雨望断虹 2024-11-16 09:51:13

您可能想使用 Post-Redirect-Get 模式;用户成功通过身份验证后,使用重定向将其发送到新页面。

正如我上面提到的,请考虑修复代码中的 SQL 注入和会话固定漏洞。

You probably want to use the Post-Redirect-Get pattern; after the user is successfully authenticated, use a redirect to send him to a new page.

As I noted above, please look into fixing the SQL injection and session fixation vulnerabilities in your code as well.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文