
PHP 2 people logging in at the same time from the same computer

Developer https://www.devze.com 2023-01-27 14:23 Source: Internet
I have a login script that should check for 2 people logging in at the same time. It compares the usernames and the passwords in the MySQL server if the user exists.

//Player 1 Login username and password
$p1name = $_POST['p1name'];
$p1pass = $_POST['p1pass'];

//player 2 Login username and password
$p2name = $_POST['p2name'];
$p2pass = $_POST['p2pass'];

$connection = mysql_connect("db_host", "db_user", "db_pass");
mysql_select_db("db_name", $connection);

get_user($p1name, $p1pass);
get_user($p2name, $p2pass);

$row = $result;
$found = false;

    if(($row["username"] == $p1name && $row["password"] == sha1("$p1pass")) && ($row["username"] == $p2name && $row["password"] == sha1("$p2pass"))){
            $found = true;
            break;
        }


function get_user($username, $password) {
    $query = 'SELECT * FROM users';
    // Escaped values must sit inside quotes; escaping without them gives no protection.
    $query .= " WHERE username = '" . mysql_real_escape_string($username) . "'";
    $query .= " AND password = '" . mysql_real_escape_string(sha1($password)) . "'";
    $result = mysql_query($query);
    return mysql_fetch_assoc($result);
}


  1. You're using = instead of === (or, if you must, ==). = is the assignment operator in PHP; === and == are equality operators.
  2. You're comparing the same username to both $p1name and $p2name. Unless those two variables are the same, the expression (after correcting (1) above) will never evaluate to true.
  3. You're looping instead of using SQL to loop for you. For example:

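    // Let SQL find the matching row instead of looping over every user in PHP.
    function get_user($username, $password) {
        $query = 'SELECT * FROM users';
        // Escaped values must sit inside quotes; escaping without them gives no protection.
        $query .= " WHERE username = '" . mysql_real_escape_string($username) . "'";
        $query .= " AND password = '" . mysql_real_escape_string(sha1($password)) . "'";
        $result = mysql_query($query);
        // Returns the user row as an array, or false when no user matches.
        return mysql_fetch_assoc($result);
    }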
    

As for knowing when two people "on the same computer" are trying to join the same game (or whatever), it's common instead to provide a game ID. Users can then join a game by connecting using that game ID, often by accessing a certain URL.

After a user logs in, they'll be given the option to start a game. When they do, provide the game ID in the URL as a GET parameter (e.g. mysite/game.php?gameid=2153259). (You may want to use random IDs or something for the game ID to prevent other players from joining the game "accidentally".) The "host" can then give the URL to someone else, and then the new user is entered into the game (perhaps after being asked).


I would use a query to check user name and password against such a table all in one go, not by getting the table, looping through and testing each field.

What if you have 100,000 users using your method? It would be slow and inefficient, and what if someone changes their password whilst your script is chugging through 100,000 users checking them? They would be able to log on to more machines because the machines checking would already have old data in memory.

If you are only allowed to log in to one computer and this stays true, you could add login/logoff timestamps, status and computer name fields to manage the rest. Personally I would keep that data in a separate table.

But I think you should also ask yourself how you're going to deal with logoffs and logoff time-outs.


On the users table, have two fields, one to specify if the user is logged in, and another that specifies the IP used to log in.

When the user logs in, also save that information to a session variable.

Then, when a user does some action on the game, compare what is in the session to what is in the database. If it is different, then the user has logged in on another computer, and you should log him out from the current location.

To check if multiple users are using the same computer, check the IP they used to log in. Of course they could be behind a NAT or a proxy, in which case you could just prevent interactions between players with the same IP instead of banning them / logging them out.
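
A sketch of the approach the answers above describe (one query per player instead of looping, then comparing what the session holds with what the database holds), as an added example that is not code from the original posts. It goes beyond the answers by using PDO prepared statements, `password_hash()` and a random per-login token in place of the `mysql_*` functions, `sha1()` and the IP comparison; the in-memory SQLite table, its column names and the sample users are constructed for illustration.

```php
<?php
// Added example: table layout, column names and sample users are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY,
           password_hash TEXT NOT NULL, session_token TEXT)');
$add = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
foreach (['alice' => 'correct horse', 'bob' => 'battery staple'] as $name => $pass) {
    $add->execute([$name, password_hash($pass, PASSWORD_DEFAULT)]);
}

// Check one player's credentials with a single parameterized query.
// Returns a fresh session token on success, null on failure.
function login(PDO $db, string $username, string $password): ?string
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return null;
    }
    // A new token replaces the old one, so an earlier login elsewhere stops validating.
    $token = bin2hex(random_bytes(32));
    $db->prepare('UPDATE users SET session_token = ? WHERE username = ?')
       ->execute([$token, $username]);
    return $token; // the caller would keep this in $_SESSION
}

// Per-request check: compare the token kept in the session with the database copy.
function session_is_current(PDO $db, string $username, string $token): bool
{
    $stmt = $db->prepare('SELECT session_token FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && hash_equals($stored, $token);
}

// Both players submit one form; each is verified independently.
$p1 = login($db, 'alice', 'correct horse');
$p2 = login($db, 'bob', 'battery staple');
var_dump($p1 !== null && $p2 !== null);
var_dump(login($db, 'bob', 'wrong password'));

// Alice logs in again from another location; check both tokens afterwards.
$p1_other = login($db, 'alice', 'correct horse');
var_dump(session_is_current($db, 'alice', $p1));       // token from the first login
var_dump(session_is_current($db, 'alice', $p1_other)); // token from the second login
```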
