查询数据库和会话

时间:2013-01-05 01:06:43

标签: php mysql session passwords username

我在php文件中显示会话时遇到问题。我可以让会话显示但显示不正确 - 它只显示字母'S'。

会话是在用户登录我的系统时创建的,它们包含唯一的ID和全名。

我的登录php如下。只有'full_name'和'id'会话我遇到了问题,因为我必须自己将它们编码到脚本中。 我在某处发现了一个错误

<?php

ob_start();
include ("includes/dbConfig.php");
$tbl_name="users"; // Table name 

// Connect to server and select databse.
mysql_connect("$host", "$un", "$pwd")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword 
$username=$_POST['username']; 
$password=$_POST['password'];


// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$encrypted_password=md5($password);
$username = mysql_real_escape_string($username);
$encrypted_password = mysql_real_escape_string($encrypted_password);
$sql="SELECT * FROM $tbl_name WHERE username='$username' and    password='$encrypted_password'";
$result=mysql_query($sql);

//Get User Info

$userinfo="SELECT * FROM $tbl_name WHERE username='$username'";
$result=mysql_query($userinfo);

$full_name= $userinfo['full_name'];
$id= $userinfo['id'];

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $username and $password, table row must be 1 row
if($count==1){

// Register $username, $password and redirect to file "console.php"
session_start();
$_SESSION['username'] = $username;
$_SESSION['full_name'] = $full_name;
$_SESSION['id'] = $id; // store session data
header("Location: console.php");      
}
else {
echo "Wrong Username or Password";
} 
ob_end_flush();

?>

我已经测试了我网站中的会话,并且一些虚拟信息通过了确定。我认为从数据库中获取信息存在问题。

我知道md5不是最安全的密码加密方法,但它可以满足我的需要。

先谢谢。


这是我页面顶部的代码。

<?php

    include ("includes/dbConfig.php");

    session_start(); 
    if(!$_SESSION['username'])
    if(!$_SESSION['full_name'])
    if(!$_SESSION['id']) {
        // user not logged in redirect
        header("Location: index.php");  
    }
?>

这是我用来打印会话数据的代码。

<?php echo "" . $_SESSION["username"]; ?>
<?php echo "" . $_SESSION["full_name"]; ?>
<?php echo "" . $_SESSION["id"]; ?>

3 个答案:

答案 0 :(得分:3)

这很快就会被弃用,但不应该导致错误。

$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$encrypted_password'";
$result=mysql_query($sql);

这是毫无意义的,您已经在上面的查询中获取了这些数据

//Get User Info
$userinfo="SELECT * FROM $tbl_name WHERE username='$username'";
$result=mysql_query($userinfo);

这是错误的,您正在尝试将字符串作为关联数组访问!

$full_name= $userinfo['full_name'];
$id= $userinfo['id'];

你需要

$count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row
if($count==1){
    $row = mysql_fetch_assoc($result);
    $full_name= $row['full_name'];
    $id= $row['id'];
}

它为什么生产'S'。我不确定。但无论如何这些都是错误的。

答案 1 :(得分:0)

您必须确保首先发生的是session_start()方法调用。如果您的代码在方法调用之前只回显一个字符,则会话不起作用。

答案 2 :(得分:0)

只是想表明你的原始剧本中有很多你不需要的代码(这包含Philip Whitehouse对问题的解决方案)

<?php

include "includes/dbConfig.php";
$tbl_name="users"; // Table name 
// Connect to server and select databse.
mysql_connect($host, $un, $pwd)or die("cannot connect"); // no quotes needed around vars
mysql_select_db($db_name)or die("cannot select DB"); // no quotes needed around vars

$username = mysql_real_escape_string($_POST['username']);
$encrypted_password = mysql_real_escape_string(md5($_POST['password']));
$sql="SELECT username, full_name, id FROM $tbl_name WHERE username='$username' and    password='$encrypted_password'";
$result=mysql_query($sql);

// If result matched $username and $password, table row must be *AT LEAST* 1 row
if(mysql_num_rows($result)){
    session_start();
    $_SESSION['user'] = mysql_fetch_assoc($result);
    header("Location: console.php");      
}
else {
    echo "Wrong Username or Password";
    die;
} 

?>

并检查

<?php

session_start();
// using if(!$_SESSION['..']) without isset throws a warning if it's not set
if(!isset($_SESSION['user'])) header("Location: index.php");

?>

并回应

<?php

echo $_SESSION['user']['username'];
echo $_SESSION['user']['full_name'];
echo $_SESSION['user']['id'];

?>