Where is the error in the authorization script?
Wrote a lightweight authorization system in OOP, which in turn works on sessions.
Here is the function itself.
```php
function login() {
    if (!empty($_POST)) {
        $login = mysql_real_escape_string(htmlspecialchars($_POST['login'])); // filter the login a little
        $password = md5($_POST['password']); // hash the password, since the DB stores the hash
        $user = $this->db->query("SELECT * FROM rust_users WHERE login = ? AND password = ?", $login, $password)->assoc();
        if (mysql_num_rows($user) == 1) {
            $row = mysql_fetch_assoc($user);
            $_SESSION['id'] == $row['id'];
            $_SESSION['login'] == $row['login'];
            setcookie("CookieMy", $row['id'], time()+60*60*24*10);
            //header("Location: /");
        } else
            $this->error = 'Неправильный емейл или пароль';
    }
    $this->out('login.php');
}
```
Why are you trying to mix PDO and mysql_ functions?
And on what principle do you indent the lines? Why does the indentation jump around so strangely and unpredictably?
What OOP are you talking about? There are mysql_* functions everywhere.
Drop md5. Use password_hash.
htmlspecialchars for what? mysql_real_escape_string belongs in the trash too. PDO itself escapes when it substitutes a variable in place of the ?
Edit:
mysql/mysqli have nothing to do with PDO.
1. When using prepared statements (i.e. '?' in place of the parameter value in the query), mysql_real_escape_string and other escaping functions are NOT NEEDED!
There should be only: $login = htmlspecialchars(trim($_POST['login']));
2. There is a special crypt function for hashing a password. And new versions of PHP have a whole set of functions: ru2.php.net/manual/ru/ref.password.php. When hashing, a salt must be added to the password.
3. If utf-8 (or another Unicode variant) is used, then the login also needs to be normalized, so that there are no different logins that look exactly the same on the outside:
$login = htmlspecialchars(trim(Normalizer::normalize($_POST['login'], Normalizer::FORM_KC)));
Most likely $user already holds a ready-made array. And mysql_num_rows needs an open database connection and a query. In the engine, most likely, the connection is already closed.
Try to replace
if (mysql_num_rows($user) == 1) {
with
if (count($user) == 1) {
And then, accordingly, work with the $user array.
Instead of:
$row = mysql_fetch_assoc($user);
$_SESSION['id'] == $row['id'];
do something like this:
$_SESSION['id'] = $user['id']; (one equal sign to assign)
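Pulling the three answers together, here is the asker's login() rewritten as an added example (not code from the question or from any of the answers). It assumes $this->db is a PDO instance, that rust_users.password stores password_hash() output, and that out() and error exist as in the asker's class; the out() body is a placeholder.

```php
<?php
// Added example, not the asker's code: login() rewritten along the lines of the answers.
// Assumptions: $this->db is a PDO object, rust_users.password holds password_hash()
// output, and out()/error exist as in the original class (out() is a placeholder here).
class Auth
{
    private PDO $db;
    public string $error = '';

    public function __construct(PDO $db) { $this->db = $db; }

    private function out(string $view): void { /* render $view, as in the original engine */ }

    public function login(): void
    {
        if (empty($_POST['login']) || empty($_POST['password'])) {
            $this->out('login.php');
            return;
        }

        // PDO binds the value itself, so no mysql_real_escape_string; htmlspecialchars is
        // output escaping and does not belong in a lookup key (answers 1 and 2).
        $login = trim($_POST['login']);
        if (class_exists('Normalizer')) {
            // Unicode normalization so look-alike logins compare equal (answer 2, point 3).
            $login = Normalizer::normalize($login, Normalizer::FORM_KC);
        }

        $stmt = $this->db->prepare('SELECT id, login, password FROM rust_users WHERE login = ?');
        $stmt->execute([$login]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // password_verify() reads the salt from the stored hash (answer 2, point 2) and
        // compares in constant time; one error message covers both failure cases.
        if ($row === false || !password_verify($_POST['password'], $row['password'])) {
            $this->error = 'Wrong e-mail or password';
            $this->out('login.php');
            return;
        }

        session_regenerate_id(true);               // fresh session id after authentication
        $_SESSION['id']    = (int) $row['id'];      // one '=' assigns; '==' only compared (answer 3)
        $_SESSION['login'] = $row['login'];
        // The session cookie already identifies the user; a plain user-id cookie like the
        // original "CookieMy" could be edited by the client, so it is dropped.
        header('Location: /');
        exit;
    }
}
```

On registration the matching column must be written with password_hash($password, PASSWORD_DEFAULT), otherwise password_verify() will never succeed.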