$row = mysql_fetch_array
应该$row = mysqli_fetch_array
正如其他人已经提到的,使用
if(isset($_POST['user']) && isset($_POST['password'])) {
// your code here
}
顺便说一句:使用只说“loggedin = true”或“login = yes”等的会话绝对不安全
编辑(安全讨论):
密码应始终加密保存(注册):
function login($email, $password) {
$email = mysql_real_escape_string($email);
$q = "SELECT id, email, password, salt FROM members WHERE email='" . $email . "'";
$result = mysql_query($q, $this->connection);
$output = mysql_fetch_assoc($result);
$user_id = $output['id'];
$database_username = $output['username'];
$database_email = $output['email'];
$database_password = $output['password'];
$password = hash('sha512', $password);
if($database_password == $password) {
$user_browser = $_SERVER['HTTP_USER_AGENT'];
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
$_SESSION['username'] = $email;
$login_hash = hash('sha512', $password.$user_browser);
$_SESSION['login_hash'] = $login_hash;
} else {
return false;
}
} // function
function login_check() {
$user_id = $_SESSION["user_id"];
$login_hash = $_SESSION["login_hash"];
$email = $_SESSION["username"];
$user_browser = $_SERVER['HTTP_USER_AGENT'];
$q = "SELECT password FROM members WHERE id ='" . $user_id . "'";
$result = mysql_query($q, $this->connection);
$output = mysql_fetch_assoc($result);
$database_password = $output['password'];
if(mysql_num_rows($result) == 1) {
$login_check = hash('sha512', $database_password.$user_browser);
if($login_check == $login_hash) {
return true;
} else {
return false;
}
} else {
return false;
}
}
此外,您可以为每个用户创建一个随机盐(注册),以将您的安全级别设置得更高一点(注意:hash(hash(hash(...)))会降低您的安全级别,因为您在哈希过程中丢失了信息过程)
注意:这只是一个具有高安全级别的(工作)示例登录/检查脚本。这个脚本仍然可以改进(暴力破解、mysqli/准备好的语句、直接在表单中散列密码、安全会话……)