私は、W3Schoolsサイトの数冊の本から、Stack Overflowの多数の投稿を使用して、自分自身にPHPを教えてきました。
何かを実践するために、ユーザー認証システムを実装する小さな画像ギャラリーを作成しようとしています。ユーザーには、読み取り、読み取り、書き込みアクセス権があるかどうか、または他のユーザーを管理できるかどうかを決定するセキュリティアクセス権があります。私はログインとユーザーのものの追加までしか取得していません。
私は自分の仕事をモデルにしており、全員が一意の従業員IDと8桁の電子メールIDを持っています。
私はこれがロングショットであることを知っていますが、誰かが私のコードが正しい方向に進んでいるかどうかを見て、教えてくれるだろうかと思っています。このような「現実世界」をまとめるのは、本で提供されている基本的な例とは大きく異なります。コメントや提案をいただければ幸いです。
login.php
<!DOCTYPE html>
<?php
// Connect to the database
include('./helpers/db.php');
include('./helpers/general.php');
// Check if the user has submitted their details.
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$loginId = htmlspecialchars(($_POST['userId']));
$loginPass = htmlspecialchars(sha1($_POST['password']));
// Check if they've submitted blank details.
if (!checkLoginId($loginId) || (!checkPassword($_POST['password']))) {
$errorMsg = "Please enter a valid username or password!";
}
else {
// Select the details we want for the session info.
$stmt = $dbh->prepare("SELECT firstName, lastName, securityLevel FROM
userDetails WHERE registeredNumber = :loginId
AND password = :loginPass" );
$stmt->bindParam(':loginId', $loginId);
$stmt->bindParam(':loginPass', $loginPass);
$stmt->execute();
// Make sure the user is found, and that there security level is 1 or more.
if ($stmt->rowCount() > 0) {
$userDetails = $stmt->fetch();
if ($userDetails['securityLevel'] < 1) {
$errorMsg = "Insufficient access for this user.";
}
else {
// Start a new session and set up the regularly used info.
session_start();
$_SESSION['loggedIn'] = 1;
$_SESSION['userID'] = $loginId;
$_SESSION['fname'] = $userDetails['firstName'];
$_SESSION['lname'] = $userDetails['lastName'];
$_SESSION['security'] = $userDetails['securityLevel'];
header("Location: ./browser/");
}
}
else {
$errorMsg = "Invalid User ID or Password!";
}
}
}
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title></title>
</head>
<style type="text/css">
body {font-family:sans-serif;}
.warning {color:red;font-weight:bold;}
#login {margin-left:auto;margin-right:auto;width:200px;border-style:solid;border-width:1px;padding:20px;}
</style>
<body>
<!-- Display the login form -->
<div id="login">
<form action="login.php" method="POST">
<?php
if (isset($errorMsg)) {
echo '<span class="warning">'. $errorMsg . '</span>';
}
?>
<p><label for="userId">User Name:</label><br />
<input type="text" maxlength="5" name="userId"
title="Enter your User ID:">
</p>
<p><label for="pasword">Password:</label><br/>
<input type="password" maxlength="12" name="password"
title="Enter your password:"/>
</p>
<p><input id="submit" type="submit" name="submit" value="Submit"></p>
</form>
</div>
</body>
db.php
<?php
$hostname = 'localhost';
$dbname = 'dam';
$dbuser = 'root';
$dbpass = '****';
// Try and connect to the database and catch the error if it doesn't work.
try
{
$dbh = new PDO("mysql:host=$hostname;dbname=$dbname", $dbuser, $dbpass);
echo "Connected to Database<br/>";
}
catch (PDOException $e)
{
print "Error! " . $e->getMessage() . '<br/>';
die();
}
?>
general.php
<?php
// Checks wether the loginID/Registered Number is valid
function checkLoginId($login) {
if ($login == '' || $login == NULL || (!is_numeric($login))) {
return 0;
}
else return 1;
}
// Checks whether the password is valid
function checkPassword($password) {
if ($password == '' || $password == NULL) {
return 0;
}
else return 1;
}
function verifyNewUser($userID, $upass, $fname, $lname, $email) {
$hasErrors = 0;
$errorMsg = array();
if ($userID == '' || $userID == NULL || (!is_numeric($userID)) || (strlen($userID) != 5)) {
$hasErrors++;
$errorMsg[] = "User ID is either missing, or does not have 5 digits";
}
if ($upass == '' || $upass == NULL || (strlen($upass) < 6)) {
$hasErrors++;
$errorMsg[] = "Password is either missing, or does not meet minimum length of six";
}
if ($fname == '' || $fname == NULL || empty($fname)) {
$hasErrors++;
$errorMsg[] = "First name is missing.";
}
if ($lname == '' || $lname == NULL || empty($lname)) {
$hasErrors++;
$errorMsg[] = "Last name is missing.";
}
if ($email == '' || $email == NULL || empty($email) || (strlen($email) != 8)) {
$hasErrors++;
$errorMsg[] = "Check email id, should be 8 characters.";
}
if ($hasErrors == 0) {
return 1;
}
else {
echo "Returning with errors<br/>";
return $errorMsg;
}
}
?>
adduser.php
include ("./helpers/general.php");
include('./helpers/db.php');
session_start();
// If the user isn't logged in, send them away...
if (!(isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] != '')) {
header("Location: ./login.php");
exit();
}
// Get the users full name so we can politely tell them to rack off if they
// don't have sufficient access to add users.
$uname = $_SESSION['fname'] . ' ' . $_SESSION['lname'];
// Check if the user has the security clearence to add a new user:
if ($_SESSION['security'] != 4) {
echo "Sorry $uname, only level 4 administrators can manage users.<br/>";
echo '<a href="./browser/">Back to Browser</a>';
exit();
}
// Check if they have submitted the form and validate the input
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$userID = htmlspecialchars($_POST['registeredNumber']);
$upass = htmlspecialchars($_POST['password']);
$fname = ucfirst(htmlspecialchars($_POST['firstName']));
$lname = ucfirst(htmlspecialchars($_POST['lastName']));
$email = htmlspecialchars($_POST['emailID']);
$secLev = $_POST['securityLevel'];
$creator = $_SESSION['userID'];
$valid = verifyNewUser($userID, $upass, $fname, $lname, $email);
if ($valid == 1) {
// Encrypt the password
$upass = sha1($upass);
// Create the array to feed the SQL statement.
$data = array($userID, $upass, $fname, $lname, $email, $secLev, date('Y-m-d H:i:s'), $creator);
$dbh->beginTransaction();
$stmt = $dbh->prepare("INSERT INTO userDetails VALUES('', ?, ?, ?, ?, ?, ?, ?, ?)");
$stmt->execute($data);
$dbh->commit();
if ($stmt->rowCount() > 0) {
echo "Success, new user $fname $lname added!<br/>";
echo "Email ID: $email<br/>";
echo "Security Level: $secLev<br/>";
}
}
else if (isset($valid)) {
foreach($valid as $error) {
echo '<span style="color:red;font-weight:bold">' . $error . "<span><br/>";
}
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Add A New User</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<form action="adduser.php" method="post">
<table>
<tr>
<td><label for="registeredNumber">Registered Number:</label></td>
<td><input type="text" maxlength="5" name="registeredNumber"/></td>
</tr>
<tr>
<td><label for="password">Password:</label></td>
<td><input type="password" maxlength="12" name="password"/></td>
</tr>
<tr>
<td><label for="firstName">First Name:</label></td>
<td><input type="text" maxlength="20" name="firstName"/></td>
</tr>
<tr>
<td><label for="lastName">Last Name:</label></td>
<td><input type="text" maxlength="20" name="lastName"/></td>
</tr>
<tr>
<td><label for="emailID">Email ID:</label></td>
<td><input type="text" maxlength="8" name="emailID"/></td>
</tr>
<tr>
<td><label for="securityLevel">Security Level:</label></td>
<td>
<select name="securityLevel">
<option value="0" selected="selected">0 - No Access</option>
<option value="1">1 - Read Access</option>
<option value="2">2 - Read/Write Access</option>
<option value="3">3 - Read/Write/Delete Access</option>
<option value="4">4 - User Administrator</option>
</select>
</td>
</tr>
</table>
<input type="submit" name="submit" value="Submit"/>
</form>
</body>
</html>
logout.php
<?php
// Destroy the session and go to the login screen.
session_start();
session_destroy();
header("Location: login.php");
?>