Possible solutions for register_globals

Time: 2011-03-27 00:17:59

Tags: php

Hi guys, I created a website that uses $_SESSION many times. But there was always an error saying I shouldn't use it this way to pass values to other pages. I found a solution by turning on register_globals in my php.ini, and that did work. But now my problem is that I have hosted my website online, and the host does not have register_globals. So my website doesn't work, specifically in the login part.

Can anyone tell me what I can replace $_SESSION with that has the same functionality? Thanks in advance, guys! More power!

Good people, here are the snippets where I get the error; please take some time to look at them:

This is my index.php, where the user needs to log in:

<form method="post" action="login-exec.php">
<tr>
<td><label for="email">Student Number</label></td>
<td><label for="pass">Password</label></td>
<td></td>
</tr>
<tr>
<td><input type="text" name="Studentno" id="Studentno" tabindex="1" /></td>
<td><input type="password" name="password" id="password" tabindex="2" /></td>
<td><input value="Login" tabindex="3" type="submit" style="background:#06C; color:#fff; cursor:pointer; border-top:solid 1px #CCC; border-left:solid 1px #CCC; border-radius:3px; margin-left:2px;width:60px; height:21px; font-weight:900;"/></td>
</tr>
<tr style="color:#F00;" align="center">
</tr>
</form>

After that, this page, named login-exec.php, will capture the entered values:

<?php
//Start session
session_start();
//Include database connection details (assumed to define the host, user, pw and dtbse constants used below)
require_once('config.php');
//Array to store validation errors
$errmsg_arrs = array();
//Validation error flag
$errflags = false;
//Connect to mysql server (the mysql_* extension is deprecated since PHP 5.5 and removed in PHP 7)
$con = mysql_connect(host,user,pw);
if(!$con)
{
    die('Failed to connect to server: ' . mysql_error());
}
//Select database
$db = mysql_select_db(dtbse);
if(!$db)
{
    die("Unable to select database");
}

//Function to sanitize values received from the form. Escapes quotes so the value
//can be interpolated into a single-quoted SQL literal (needs the open connection above)
function clean($str)
{
    $str = @trim($str);
    if(get_magic_quotes_gpc())
    {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

//Sanitize the POST values (isset() avoids an undefined-index notice when a field is absent)
$Studentno = isset($_POST['Studentno']) ? clean($_POST['Studentno']) : '';
$password = isset($_POST['password']) ? clean($_POST['password']) : '';

//Input Validations
if($Studentno == '')
{
    $errmsg_arrs[] = '* Student ID missing';
    $errflags = true;
}
if($password == '')
{
    $errmsg_arrs[] = '* Password missing';
    $errflags = true;
}

//If there are input validation errors, redirect back to the login form
if($errflags)
{
    $_SESSION['ERRMSG_ARRS'] = $errmsg_arrs;
    session_write_close();
    header("location: index.php");
    exit();
}

//Create query (both values are known to be non-empty at this point)
$qry="SELECT * FROM `cassw` WHERE studentno='$Studentno' AND password='$password' UNION
      SELECT * FROM `cbaa` WHERE studentno='$Studentno' AND password='$password' UNION
      SELECT * FROM `cedap` WHERE studentno='$Studentno' AND password='$password' UNION
      SELECT * FROM `ceit` WHERE studentno='$Studentno' AND password='$password' UNION
      SELECT * FROM `cnah` WHERE studentno='$Studentno' AND password='$password'";

$result=mysql_query($qry);

//Check whether the query was successful before fetching: mysql_fetch_assoc()
//on a failed query (false) only emits a warning and returns nothing usable
if(!$result)
{
    die("Query failed");
}

$table = mysql_fetch_assoc($result);
//$table is false when no row matched, so these are null in that case
$tr = $table['restriction'];
$act = $table['activation'];

//Exactly one activated account must match; restriction 0 is a student, 1 an admin
if((mysql_num_rows($result) == 1) && ($act==1) && ($tr==0 || $tr==1))
{
    //Login successful: a fresh session id guards against session fixation
    session_regenerate_id();
    $_SESSION['studentno'] = $table['studentno'];
    $_SESSION['SESS_FIRST_NAME'] = $table['firstname'];
    $_SESSION['SESS_FIRST_NICK'] = $table['nickname'];
    session_write_close();
    header("location: " . ($tr==1 ? "AdminPage.php" : "Auth.php"));
    exit();
}
else
{
    //Login failed
    header("location: login-failed.php");
    exit();
}
?>

When the entered values pass validation, this page creates a session for studentno and then redirects to Auth.php.

This is the code of Auth.php:

<?php
//Start session
session_start();

//Only the session decides access; no global variable is involved
if(!isset($_SESSION['studentno']) || (trim($_SESSION['studentno']) == ''))
{
    header("location: access-denied.php");
    exit();
}
else
{
    header("location: homepage.php");
    exit();
}
?>

When I test on Dreamweaver with PHP and MySQL, it redirects to homepage.php and works fine. But when I host it online, even when the login is correct, it always goes to access-denied.php.

1 answer:

Answer 0 (score: 5)

You do not need to activate register_globals to use persistent $_SESSION variables. In fact, many developers strongly advise against using register_globals, and it has been deprecated since PHP 5.3.0.

With register_globals off, we can still define the following value:

 # foo.php

 session_start();
 $_SESSION['foo'] = 'bar';

On another page, retrieve that value:

 # bar.php

 session_start();
 echo $_SESSION['foo'];

Turning register_globals on would let us access the value more conveniently:

 # bar.php

 session_start();
 echo $foo;

But you can read about the many security issues here.
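The login flow from the question, rebuilt on $_SESSION alone so it runs with register_globals = Off, as an added example (not code from the question or the answer). It assumes PHP 7.1 or later, a PDO connection in $pdo created by config.php, and a single hypothetical table `students` with the columns studentno, firstname, nickname, password_hash, restriction and activation; those names are assumptions, not from the page. The student number is bound as a query parameter instead of being interpolated, and the password is checked against a stored hash rather than compared in SQL.

```php
<?php
// Added example (not from the question or the answer). Everything the pages
// share goes through $_SESSION; no bare global like $foo is ever read, so the
// code does not depend on register_globals.
// Assumptions (hypothetical): PHP 7.1+, $pdo (a PDO object) created in
// config.php, and a table `students` with the columns used below.
require_once 'config.php';

// Look up the account and verify the password. Returns the row on success,
// null on failure. The id is a bound parameter, never part of the SQL string.
function authenticate(PDO $pdo, string $studentno, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT studentno, firstname, nickname, password_hash, restriction, activation
           FROM students WHERE studentno = :sn'
    );
    $stmt->execute([':sn' => $studentno]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || (int)$row['activation'] !== 1) {
        return null;
    }
    // password_verify() checks against a hash produced by password_hash();
    // the plaintext password is never stored in the database.
    return password_verify($password, $row['password_hash']) ? $row : null;
}

// login-exec.php: record the identity in $_SESSION and pick the landing page.
function establishSession(array $row): string
{
    // A fresh session id after authentication defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['studentno']       = $row['studentno'];
    $_SESSION['SESS_FIRST_NAME'] = $row['firstname'];
    $_SESSION['SESS_FIRST_NICK'] = $row['nickname'];
    $_SESSION['is_admin']        = ((int)$row['restriction'] === 1);
    return $_SESSION['is_admin'] ? 'AdminPage.php' : 'homepage.php';
}

// Auth.php or any protected page: only $_SESSION is consulted, so the check
// behaves the same on a host with register_globals on or off.
function requireLogin(): void
{
    if (empty($_SESSION['studentno'])) {
        header('Location: access-denied.php');
        exit();
    }
}

// ---- login-exec.php request handling ------------------------------------
session_start();
$studentno = trim($_POST['Studentno'] ?? '');
$password  = $_POST['password'] ?? '';

if ($studentno === '' || $password === '') {
    $_SESSION['ERRMSG_ARRS'] = ['* Student ID or password missing'];
    header('Location: index.php');
    exit();
}

$row = authenticate($pdo, $studentno, $password);
if ($row === null) {
    header('Location: login-failed.php');
    exit();
}
header('Location: ' . establishSession($row));
exit();
```

A protected page calls session_start() and then requireLogin() before producing any output. The answer's shortcut of reading `$foo` works only while register_globals is on; reading `$_SESSION['foo']` works everywhere, which is why this example never reads a bare variable that the session is expected to populate.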