2016-09-14 7 views
0

私はこれまでに別のウェブサイトでこのログイン/登録コードを使用していましたが、それを新しいものに追加すると、URLに情報が表示されます(/signin?username=&password=) CSSとHTML以外の古いウェブサイト、form="post" action =""とコードは私の古いウェブサイトから直接コピーされます。サインイン情報をURLに

誰かが問題の原因を突き止めることができ、die()がないとログインエラーを表示する方法を解決できますか?

*<!DOCTYPE html> 
<html> 
<head> 

    <?php include $_SERVER["DOCUMENT_ROOT"] . "/assets/head.php"; ?> 
    <title><?php echo $address; ?> - Sign In</title> 
</head> 
<body> 
    <?php include $_SERVER["DOCUMENT_ROOT"] . "/navigationbar.php"; ?> 

<div class="wrapper"> 

<div class="small-banner"> 
    <div id="animate-area"></div> 
</div> 

    <div class="tabs" id="tabs"> 
     <h1>Sign In</h1> 
     <div class="p">  

<?php 
    // This variable will be used to re-display the user's username to them in the 
    // login form if they fail to enter the correct password. It is initialized here 
    // to an empty value, which will be shown if the user has not submitted the form. 
    $submitted_username = ''; 

    // This if statement checks to determine whether the login form has been submitted 
    // If it has, then the login code is run, otherwise the form is displayed 
    if(!empty($_POST)) 
    { 
     // This query retreives the user's information from the database using 
     // their username. 
     $query = " 
      SELECT 
       * 
      FROM users 
       WHERE 
       username = :username 
     "; 

     // The parameter values 
     $query_params = array( 
      ':username' => $_POST['username'] 
     ); 

     try 
     { 
      // Execute the query against the database 
      $stmt = $db->prepare($query); 
      $result = $stmt->execute($query_params); 
     } 
     catch(PDOException $ex) 
     { 
      // Note: On a production website, you should not output $ex->getMessage(). 
      // It may provide an attacker with helpful information about your code. 
      die("<div class='red'>Failed to run query: </div>" . $ex->getMessage()); 
     } 

     // This variable tells us whether the user has successfully logged in or not. 
     // We initialize it to false, assuming they have not. 
     // If we determine that they have entered the right details, then we switch it to true. 
     $login_ok = false; 

     // Retrieve the user data from the database. If $row is false, then the username 
     // they entered is not registered. 
     $row = $stmt->fetch(); 
     if($row) 
     { 
      // Using the password submitted by the user and the salt stored in the database, 
      // we now check to see whether the passwords match by hashing the submitted password 
      // and comparing it to the hashed version already stored in the database. 
      $check_password = hash('sha256', $_POST['password'] . $row['salt']); 
      for($round = 0; $round < 65536; $round++) 
      { 
       $check_password = hash('sha256', $check_password . $row['salt']); 
      } 

      if($check_password === $row['password']) 
      { 
       // If they do, then we flip this to true 
       $login_ok = true; 
      } 
     } 

     // If the user logged in successfully, then we send them to the private members-only page 
     // Otherwise, we display a login failed message and show the login form again 
     if($login_ok) 
     {  
      // Here I am preparing to store the $row array into the $_SESSION by 
      // removing the salt and password values from it. Although $_SESSION is 
      // stored on the server-side, there is no reason to store sensitive values 
      // in it unless you have to. Thus, it is best practice to remove these 
      // sensitive values first. 
      unset($row['salt']); 
      unset($row['password']); 

      // This stores the user's data into the session at the index 'user'. 
      // We will check this index on the private members-only page to determine whether 
      // or not the user is logged in. We can also use it to retrieve 
      // the user's details. 
      $_SESSION['user'] = $row; 

      $username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); 
      $last_life_update = "UPDATE users SET last_life = now() WHERE username = '$username'"; 
      $db->query($last_life_update); 
      // Redirect the user to the private members-only page. 
      header("Location: /"); 
      die("Redirecting to: /");  
     } 
     else 
     { 
      // Tell the user they failed 
      print("<div class='red'>Login Failed.</div>"); 

      // Show them their username again so all they have to do is enter a new 
      // password. The use of htmlentities prevents XSS attacks. You should 
      // always use htmlentities on user submitted values before displaying them 
      // to any users (including the user that submitted them). For more information: 
      // http://en.wikipedia.org/wiki/XSS_attack 
      $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); 
     } 
    } 
?> 
      <form mathod="post" action="" style="margin:20px;"> 
       <label for="username">Username :</label><br /> 
        <input type="text" name="username" maxlength="64" id="username" placeholder="Username" class="input-long" readonly onfocus="this.removeAttribute('readonly');"/> 
       <div class="clear-top"></div> 

       <label for="password">Password :</label><br /> 
        <input type="password" name="password" id="password" placeholder="Password" class="input-long" readonly onfocus="this.removeAttribute('readonly') ;"/> 
       <div class="clear-top"></div> 

       <label><input type="checkbox" name="sport[]" value="remember" /> Remember Password</label> 
        <div class="clear-top"></div> 

       <input type="submit" value="Sign In" class="btn"/><br /> 

       <a href="/forgot-password" class="link"><i style="color:#777f8c;">(Forgot password)</i></a> 
      </form> 
     </div> 
    </div>  
</div> 

<div style="position:relative; clear:both;"></div>  
     <!--</body>--> 
    <?php include $_SERVER["DOCUMENT_ROOT"] . "/footer.php"; ?> 
</body> 
</html>* 

答えて

1

あなたは、デフォルトのタイプは、フォームパラメータがURLであることにつながることになるGETです

<form mathod="post" action="" style="margin:20px;"> 

に 'メソッド' をtypo'ed。

+0

今は愚かな感じです。助けてくれてありがとう。 –

関連する問題