我有一个用php和mysql编写的登录表单代码(和一个DB打印代码)由六部分组成:dbmanager.php,login.php,index.php,login_process.php,home.php和user.php。
登录过程运行正常,当有人输入有效的用户名和密码时,该用户被重定向到home.php。并且,如果有人输入了无效的用户名或密码,该用户将被重定向到login_process.php,表明它是无效的用户名或密码,这很好。
问题在于,如果有人直接访问home.php,则无需输入任何用户名或密码即可正确验证该人员。
请各位指导我,以便为数据库中的用户保护home.php吗?
提前致谢!!我真的很感谢你的帮助!
我的数据库由四列组成:用户名,密码,姓氏和名字。
这是我的代码:
dbmanager.php
<?php
class DBManager{
function getConnection(){
$services = getenv("VCAP_SERVICES");
$services_json = json_decode($services,true);
$mysql_config = $services_json["mysql-5.5"][0]["credentials"];
$db = $mysql_config["name"];
$host = $mysql_config["host"];
$port = $mysql_config["port"];
$username = $mysql_config["user"];
$password = $mysql_config["password"];
$conn = mysql_connect($host . ':' . $port, $username, $password);
if(! $conn ){
die('Could not connect: ' . mysql_error());
}
mysql_select_db($db);
return $conn;
}
}
?>
的index.php
<?php
require 'user.php';
?>
<html>
<head>
<title>DB Query PHP Page</title>
</head>
<body>
<p>SAMPLE PHP SITE</p>
<p>Contents of table User:</p>
<table border='1'>
<tr>
<td>Username</td>
<td>Password</td>
<td>Last Name</td>
<td>First Name</td>
</tr>
<?php
//refer to user.php for the implementation of the class User
$user_list = (new User())->selectAll();
foreach($user_list as $user) {
echo '<tr>';
echo '<td>'.$user->username.'</td>';
echo '<td>'.$user->password.'</td>';
echo '<td>'.$user->lastname.'</td>';
echo '<td>'.$user->firstname.'</td>';
echo '</tr>';
}
?>
</table>
<br><br>
Click <a href='login.php'>[here]</a> to test the login page.<br>
</body>
</html>
login.php
<html>
<head>
<title>Login Page</title>
</head>
<body>
<p>SAMPLE PHP SITE</p>
<p>Enter Username and Password to Login:</p>
<form action='login_process.php' method='post'>
<table border='1'>
<tr>
<td>Username:</td>
<td><input type='text' name='username'></td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='password'></td>
</tr>
<tr>
<td> </td>
<td><input type='submit' value='Login'></td>
</tr>
</table>
</form>
</body>
</html>
login_process.php
<?php
require 'user.php';
?>
<?php
$user = new User();
$user->username = $_REQUEST['username'];
$user->password = $_REQUEST['password'];
$found = $user->checkLogin();
if ($found){//redirect to home page
session_start();
$_SESSION['current_user']=$user;
header("Location: home.php");
exit;
}else{//invalid username and password
echo "Invalid username/password. Click <a href='login.php'>[here]</a> to login again.<br>";
echo "<br>";
echo "You may also click <a href='index.php'>[here]</a> to see the list of usernames and passwords.<br>";
}
?>
home.php
<?php
require 'user.php';
?>
<html>
<head>
<title>Home Page</title>
</head>
<body>
<p>SAMPLE PHP SITE</p>
<p>
You have successfully logged in
<?php
session_start();
$user = $_SESSION['current_user'];
echo $user->firstname.' '.$user->lastname.'.';
?>
</p>
<p>This is your home page.</p>
</body>
</html>
user.php的
<?php
require 'dbmanager.php';
?>
<?php
class User{
var $username;
var $password;
var $lastname;
var $firstname;
function checkLogin(){
$dbm = new DBManager();
$conn = $dbm->getConnection();
$username = mysql_real_escape_string($this->username);
$password = mysql_real_escape_string($this->password);
$sql_stmt = "SELECT * FROM User WHERE username = '".$username."' AND password = '".$password."'";
//place in retval result of the SQL query
$retval = mysql_query($sql_stmt, $conn);
//check if SQL query is successful
if(! $retval ){
mysql_close($conn);
die('Could not read User table: ' . mysql_error());
}
$found = false;
//get first retrieved row from retval
if ($dbfield = mysql_fetch_assoc($retval)) {
$found = true;
//initialize fields of this object with the columns retrieved from the query
$this->username = $dbfield['username'];
$this->password = $dbfield['password'];
$this->lastname = $dbfield['lastname'];
$this->firstname = $dbfield['firstname'];
}
return $found;
}
function selectAll(){
$dbm = new DBManager();
$conn = $dbm->getConnection();
$sql_stmt = "SELECT * FROM User";
//place in retval result of the SQL query
$retval = mysql_query($sql_stmt, $conn);
//check if SQL query is successful
if(! $retval ){
mysql_close($conn);
die('Could not read User table: ' . mysql_error());
}
//create an empty array that will eventually contain the list of users
$user_list=array();
//iterate each row in retval
while ($dbfield = mysql_fetch_assoc($retval)) {
//instantiate a user object
$user = new User();
//initialize fields of user object with the columns retrieved from the query
$user->username = $dbfield['username'];
$user->password = $dbfield['password'];
$user->lastname = $dbfield['lastname'];
$user->firstname = $dbfield['firstname'];
//add the user object in the array
$user_list[] = $user;
}
mysql_close($conn);
//return the array
return $user_list;
}
}
?>
答案 0 :(得分:3)
每个“安全”页面都需要具有用户身份验证/验证功能。
这可以是简单的事情:
whatever.php:
<?php
include("usercheck.php");
?>
page stuff here...
usercheck.php:
<?php
session_start();
if (!$_SESSION['logged_in']) {
header('Location: login.php');
exit();
}
答案 1 :(得分:-1)
基本上你必须在本地目录结构中创建一个lib目录,并且lib中的所有文件都不是公共可用的,但你仍然可以从你的php应用程序中访问它们。
以下是云代工厂中PHP应用程序的文件结构示例:
D(n) = (1/4)(3*3^n + (-1)^n)
S(n) = (3/4)(3^n - (-1)^n)
lib目录下的任何内容都不会公开,因此您可以将home.php文件放在那里。
在此处查看更多详情:
http://docs.cloudfoundry.org/buildpacks/php/gsg-php-usage.html