这是在我的页面中,它应该检查用户是否已登录 http://carbonyzed.co.uk/Websites/Jason/sites/2/test/login_success.php
但任何人都可以评估它,而不仅仅是那些登录
的人<?php
session_start();
if( isset($_SESSION["myusername"]) ){
header("location:main_login.html");
}
?>
我试过了
if(isset($ _ SESSION [“myusername”])){
和
if(isset($ _ SESSION [$ myusername])){
登录代码可能还没有创建会话?
<?php
ob_start();
$host="ClubEvents.db.9606426.hostedresource.com"; // Host name
$username="ClubEventsRead"; // Mysql username
$password="Pa55word!"; // Mysql password
$db_name="ClubEvents"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>
答案 0 :(得分:7)
将NOT运算符!
添加到if语句中。另外,请不要忘记在标题后添加exit()
。 location
标头告诉浏览器重定向,但攻击者可以查看您的页面并忽略location
标头,从而绕过您的身份验证系统,因为您的PHP代码将继续执行。
if( !isset($_SESSION["myusername"]) ){
header("location:main_login.html");
exit();
}
此外,您没有在发布的登录代码中调用session_start()
,因此无法访问会话。
答案 1 :(得分:5)
<?php
session_start();
if (!isset($_SESSION['myusername']))
{
header('Location: main_login.html');
}
?>
你需要否定支票。
答案 2 :(得分:3)
您也可以使用:
<?php
session_start();
if (empty($_SESSION['myusername'])) {
header('Location: main_login.html');
}
?>