Til dette eksempel vil jeg udelade forberedte udsagn, men du bliver nødt til at lave nogle undersøgelser om forebyggelse af SQL-injektion.
Først skal du bruge en formular, som brugeren kan bruge til at logge på. Her er en grundlæggende formular, der vil være på en side kaldet NewUser.html:
<form action="AddUser.php" method="POST">
<p>Enter A Username: </p>
<input type="text" name="User" maxlength="20" size="10">
<br />
<p>Enter A Password: </p>
<input type="password" name="Password" maxlength="40" size="10">
<br />
<p>Enter Password Again: </p>
<input type="password" name="PasswordX2" maxlength="40" size="10">
<br />
<input type="submit" value="Create Account">
</form>
Du kan selvfølgelig tilføje andre felter såsom e-mailadresse osv. - men jeg holder det enkelt.
Lad os nu gå til siden AddUser.php:
<?php
//Now let's grab our $_POST data from our form and assign them to variables...
$User = $_POST['User'];
$PW = $_POST['Password'];
$PW2 = $_POST['PasswordX2'];
//Check whether user put anything in the fields for user or passwords
if (!$User || !$PW || !$PW2) {
echo "You have not entered all the needed info. Please try again.";
exit();
}
//Check if passwords match
if ($PW <> $PW2) {
echo "Your passwords do not match. Please go back and try again.";
exit();
}
//Now we want to be good stewards of passwords and information so let's hash that password
$hash = password_hash($PW, PASSWORD_BCRYPT);
//Open your connection to database
$dbconnect-> blah blah(make your database connection here)....
//Now let's insert the new user into the database - remember do not do this without SQL-injection prevention. I'm just giving you the basics.
$sql = "INSERT INTO UsersTable (UserName, Password)
VALUES ('".$User."', '".$hash."')";
//Verify Successful Entry
if (mysqli_query($dbconnect,$sql)) {
echo "User Added Successfully";
} else {
echo "Error Creating User: " . mysqli_error($dbconnect);
}
echo "<br /><p>Please go to the main page to login now.</p>";
?>
Så brugeren er nu oprettet, adgangskoden er hashed med salt og indsat i DB... glem seriøst ikke SQL-injektion.
Nu har du en formular, der minder meget om NewUser.html-formularen til at logge på, men den kræver ikke, at adgangskoden indtastes to gange. Lad os sige, at login-formularen sender brugeren til en side kaldet login.php:
<?php
session_start(); //starts a session for tracking user on each page - this has to be on every page
//Let's get our variables from the POST data- will be identical to before most likely
$User = $_POST['User'];
$PW = $_POST['Password'];
//Open your connection to database
$dbconnect-> blah blah(make your database connection here)....
//Let's see if the username and password matches what we have in the database
$sql = "SELECT UsersTable.UserName, UsersTable.Password
FROM UsersTable
WHERE UsersTable.UserName = '$User'";
$result = $dbconnect->query($sql);
//Let's get the hashed password that corresponds to that username
$row = $result->fetch_assoc();
$HashedPassword = $row['Password'];
//Let's verify the password is correct
if (password_verify($PW, $HashedPassword))
{
//if it is correct(true) this will now happen
$_SESSION['verified_user'] = $User; //registers user by storing it in a SESSION
}
else {
echo "Login failed. Try again.";
exit();
}
?>
Bare et tip, hvis du vil tilføje adgangsniveauer, kan du gemme et sted i databasen med et adgangsnummer (f.eks.:1, 2, 3), og når du har logget ind, vil du tildele en anden $_SESSION, der repræsenterer deres adgangsniveau og giver dem adgang til visse sektioner, du tillader.
Når de nu navigerer til andre sider på dit websted, vil deres session blive bekræftet på denne måde:
EksempelPage.php
<?php
session_start();
if (isset($_SESSION['verified_user'])) {
//User is verified and whatever is here will be visible and happen- YAY!
}
else {
echo "You are not logged in and cannot see this page.";
}
?>
Du skal bare vænne dig til at starte en session på hver side, hvor adgang kun er tilladt af dem, der er logget ind. Sessioner huskes fra side til side.
Glem ikke at give dem en logout-side, som vil ødelægge sessionen:logout.php
<?php
session_start();
unset($_SESSION['verified_user']);
session_destroy();
echo "You are logged out.";
?>