我有一个登录页面,我在其中设置了一个查询,以检查登录信息和登录信息。输入的密码与数据库匹配。用户应该只能在登录后才能看到主页。
登录页面上的PHP登录验证工作正常(如果用户/通行证不存在,则会显示错误消息。如果组合正确,它会重定向到主页):
登录页面
<?php
define('DB_LOCATION', 'x');
define('DB_USERNAME', 'x');
define('DB_PASS', 'x');
define('DB_NAME', 'x');
$dbc = mysqli_connect(DB_LOCATION, DB_USERNAME, DB_PASS, DB_NAME)
or die('Error connecting to database');
$error_message= "";
$user_name = $_POST['user'];
$user_password= $_POST['pass'];
if (isset($_POST['submit'])) {
// ADD QUERY TO CHECK IF USER/PASS COMBO IS CORRECT
if(!empty($user_name) && !empty($user_password)) {
$query = "SELECT * FROM employees WHERE username='$user_name' and password='$user_password'";
$result = mysqli_query($dbc, $query)
or die ('Error querying username/password request');
if(mysqli_num_rows($result) == 1) {
session_start();
$_SESSION['user'] = $row['user'];
$_SESSION['pass']= $row['pass'];
header("Location: http://test.ishabagha.com/LESSON5/3%20-%20HOMEPAGE%20:%20WELCOME.php");
} // end if rows
else {
$error_message = "You were not able to log in";
} // end else
} // end query
} // end isset
?>
我的问题是,在主页上,我想这样做,如果没有设置/接受用户名和密码,它会重定向回登录页面,并且主页不可见。这就是我在PHP标题中添加的内容 - 即使我以前没有登录过,它仍然显示页面而不是将其指向登录页面(指定标题/位置)并且不保留主页私人。
首页
<?php
define('DB_LOCATION', 'x');
define('DB_USERNAME', 'x');
define('DB_PASS', 'x');
define('DB_NAME', 'x');
$dbc = mysqli_connect(DB_LOCATION, DB_USERNAME, DB_PASS, DB_NAME)
or die('Error connecting to database');
session_start();
$user_name = $_SESSION['user'];
$user_password= $_SESSION['pass'];
if(!isset($_SESSION['user']) && !isset($_SESSION['pass'])) {
header("Location: /LESSON5/1%20-%20LOGIN.php");
}
?>
请让我知道是什么原因可能导致主页上的代码的第二部分重定向。
答案 0 :(得分:2)
问题出在你的登录页面 - $row什么都不做,所以你的会话数组永远不会被设置。
您需要循环$row
if(mysqli_num_rows($result) == 1) {
while($row = mysqli_fetch_assoc($result)){
$_SESSION['user'] = $row['user'];
$_SESSION['pass']= $row['pass'];
}
}
mysqli_fetch_assoc失败,请尝试mysqli_fetch_array()。将error reporting添加到文件的顶部,这有助于查找错误。
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// rest of your code
旁注:错误报告应仅在暂存时完成,而不是生产。
<强>脚注:
阅读会议劫持事件:
修改
放置
$user_name = $_POST['user'];
$user_password= $_POST['pass'];
if(!empty($user_name) && !empty($user_password)) {...}
然后用
替换它if(!empty($_POST['user']) && !empty($_POST['pass'])) {
$user_name = $_POST['user'];
$user_password= $_POST['pass'];
// rest of code you wish to execute
}
并首先设置空白作业:
$error_message= "";
$user_name = "";
$user_password= "";
if (isset($_POST['submit'])) {
$user_name = $_POST['user'];
$user_password= $_POST['pass'];
这就是为什么你得到未定义的索引通知。
也是这个
<form name =loginForm method="post" action="<?php echo $_SERVER[' PHP_SELF' ];?>">
删除name =loginForm - 表单没有名称属性。
重要因素:
$_SERVER[' PHP_SELF' ]更改为$_SERVER['PHP_SELF'],这是语法错误,您的表单将失败并重定向。编辑#2:(重写)
这是重写:
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
session_start();
define('DB_LOCATION', 'x');
define('DB_USERNAME', 'x');
define('DB_PASS', 'x');
define('DB_NAME', 'x');
$dbc = mysqli_connect(DB_LOCATION, DB_USERNAME, DB_PASS, DB_NAME)
or die('Error connecting to database');
$error_message= "";
$user_name = "";
$user_password= "";
if (isset($_POST['submit'])) {
$user_name = $_POST['user'];
$user_password= $_POST['pass'];
// ADD QUERY TO CHECK IF USER/PASS COMBO IS CORRECT
if(!empty($user_name) && !empty($user_password)) {
$query = "SELECT * FROM employees WHERE username='$user_name' and password='$user_password'";
$result = mysqli_query($dbc, $query)
or die ('Error querying username/password request');
if(mysqli_num_rows($result) == 1) {
while($row = mysqli_fetch_array($result)) {
$_SESSION['user'] = $row['user'];
$_SESSION['pass']= $row['pass'];
}
header("Location: /LESSON5/3%20-%20HOMEPAGE%20:%20WELCOME.php");
exit;
// echo "Welcome link here";
} // end if rowns
else {
$error_message = "You were not able to log in";
} // end else
// Direct to other webpage
} // end query
} // end isset
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Login</title>
<link type="text/css" rel="stylesheet" href="/LESSON5/5_Signup_CSS.css">
</head>
<body>
<h1>Welcome to my website!</h1>
<h2>Please login below.</h2>
<h3>Don't have an account? <a href="/LESSON5/2%20-%20CREATE%20AN%20ACCOUNT.php">Create one here.</a></h3>
<div class="formFormat" >
<div id="table1">
<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
<table id="cssTable">
<tr>
<td>Username:</td><td><input type="text" id="user" name="user" value="<?php echo $user_name; ?>" /></td>
</tr>
<tr>
<td>Password:</td><td><input type="text" id="pass" name="pass" value="<?php echo $user_password; ?>"/></td>
</tr>
</table>
</div>
<div id="table2">
<table>
<tr>
<td><input type="submit" name="submit"/></td>
</tr>
<tr>
<td id="createAccount"><a href="/LESSON5/2%20-%20CREATE%20AN%20ACCOUNT.php">Create an account</a></td>
</tr>
<tr>
<td><?php echo $error_message ?></td>
</tr>
</table>
</form>
</div>
</div>
<?php
// mysqli_close($dbc);
if(isset($_SESSION['user']) && isset($_SESSION['pass'])) {
echo "Sessions are set";
}
else {
echo "Not set.";
}
?>
</body>
</html>
<强>密码:
我注意到您可能以纯文本格式存储密码。如果是这种情况,则非常气馁。
我建议您使用CRYPT_BLOWFISH或PHP 5.5的password_hash()功能。对于PHP&lt; 5.5使用password_hash() compatibility pack。
答案 1 :(得分:0)
对于您的主页:
user和password,则两个作业语句可能会打印出一些错误。exit,以确保该脚本不再打印输出。考虑以下代码:
<?php
define('DB_LOCATION', 'x');
define('DB_USERNAME', 'x');
define('DB_PASS', 'x');
define('DB_NAME', 'x');
$dbc = mysqli_connect(DB_LOCATION, DB_USERNAME, DB_PASS, DB_NAME)
or die('Error connecting to database');
if(session_id() == '') {
session_start();
}
if(!isset($_SESSION['user']) || !isset($_SESSION['pass'])) {
header("Location: /LESSON5/1%20-%20LOGIN.php");
exit(); // make sure that there is nothing printed after location header
}
$user_name = $_SESSION['user'];
$user_password= $_SESSION['pass'];
?>
答案 2 :(得分:-2)
将session_start()放在两个页面的顶部。顺便说一句 - 不需要在会话中存储密码,只需要用户名和/或id。
另一个问题是你的代码容易受到sql注入攻击。使用预备语句来防止这种情况。