PHP 令牌没有给出正确的错误
PHP token not giving a correct error
我的令牌表单有点问题。出于某种原因,它不会检查 post 令牌是否等于会话令牌,所以我不确定它是否有效。
我打印了 POST 和 SESSION 标记来检查它们是否匹配,它们匹配。所以目前我没有想法。
<?php
session_start();
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
$_SESSION['token_time'] = time();
include_once('includes/connection.php');
if (isset($_SESSION['logged_in'])) {
?>
//loggedin
<?php
} else {
if (isset($_POST['username'], $_POST['password'])) {
$username = $_POST['username'];
$password = md5($_POST['password']);
$token2 = $_POST['token'];
if ($token2 != $token) {
$error ='Error';
echo $token2;
}
if (empty($username) or empty($password)) {
$error = 'Insert data!';
} else {
$query = $pdo->prepare("SELECT * FROM users WHERE user_name = ? AND user_pass = ?");
$query->bindValue(1, $username);
$query->bindValue(2, $password);
$query->execute();
$num = $query->rowCount();
if ($num == 1) {
$_SESSION['logged_in'] = true;
header('Location: index.php');
exit();
} else {
$error = 'Wrong data';
}
}
}
<?php if (isset($error)) { ?>
<small style="color:#aa0000;"><?php echo $error; ?>
<br /><br />
<?php } ?>
<form action="index.php" method="post" autocomplete="off">
<input type="text" name="username" placeholder="Username" />
<input type="password" name="password" placeholder="Password" />
<input type="text" name="token" value="<?php echo $token; ?>" />
<input type="submit" value="Sisene" />
</form>
您正在为每个请求重新定义令牌:
session_start();
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
您可以做的是:
session_start();
if(empty($_SESSION['token'])) {
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
}
else {
$token = $_SESSION['token'];
}
提交表单后生成一个新的$_SESSION['token'] = $token;,所以if ($token2 != $token)总是错误的。
您可以在生成新的之前检查是否设置了 $_SESSION['token'] = $token;。
我的令牌表单有点问题。出于某种原因,它不会检查 post 令牌是否等于会话令牌,所以我不确定它是否有效。 我打印了 POST 和 SESSION 标记来检查它们是否匹配,它们匹配。所以目前我没有想法。
<?php
session_start();
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
$_SESSION['token_time'] = time();
include_once('includes/connection.php');
if (isset($_SESSION['logged_in'])) {
?>
//loggedin
<?php
} else {
if (isset($_POST['username'], $_POST['password'])) {
$username = $_POST['username'];
$password = md5($_POST['password']);
$token2 = $_POST['token'];
if ($token2 != $token) {
$error ='Error';
echo $token2;
}
if (empty($username) or empty($password)) {
$error = 'Insert data!';
} else {
$query = $pdo->prepare("SELECT * FROM users WHERE user_name = ? AND user_pass = ?");
$query->bindValue(1, $username);
$query->bindValue(2, $password);
$query->execute();
$num = $query->rowCount();
if ($num == 1) {
$_SESSION['logged_in'] = true;
header('Location: index.php');
exit();
} else {
$error = 'Wrong data';
}
}
}
<?php if (isset($error)) { ?>
<small style="color:#aa0000;"><?php echo $error; ?>
<br /><br />
<?php } ?>
<form action="index.php" method="post" autocomplete="off">
<input type="text" name="username" placeholder="Username" />
<input type="password" name="password" placeholder="Password" />
<input type="text" name="token" value="<?php echo $token; ?>" />
<input type="submit" value="Sisene" />
</form>
您正在为每个请求重新定义令牌:
session_start();
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
您可以做的是:
session_start();
if(empty($_SESSION['token'])) {
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
}
else {
$token = $_SESSION['token'];
}
提交表单后生成一个新的$_SESSION['token'] = $token;,所以if ($token2 != $token)总是错误的。
您可以在生成新的之前检查是否设置了 $_SESSION['token'] = $token;。