我正在尝试制作网站,当管理员成功登录时,我已经登录系统管理员而不是分配会话,但是当页面刷新时此会话到期。请在下方查看我正在向您展示我所做的事情。
HTML
<form action="../../system/access/checking.php" class="form-signin">
<h2 class="form-signin-heading">Please sign in</h2>
<input type="text" id="user" class="form-control" placeholder="Email address" required autofocus>
<input type="password" id="pass" class="form-control" placeholder="Password" required>
<a class="btn btn-lg btn-primary btn-block" onclick="submitfom();" >Sign in</a>
</form>
的Ajax
function submitfom() {
$.ajax({
type: "POST",
url: "../../system/access/checking.php",
data: {user: $("#user").val(),pass: $("#pass").val()},
success: function(data){
if(data == true ){
window.location.href = '../../index.php';
} else {
$('#show-error').slideDown( "slow",function (){$('#show- error').html(data);$('#show-error').css("display","inline");});
};
}
});
}
PHP
include('../../../config.php');
if((isset($_POST['user'])) && (isset($_POST['pass'])) ){
$user = $_POST['user'];
$pass = $_POST['pass'];
$query = mysql_query("SELECT user FROM admin_user WHERE user ='".$user."' ");
$query2 = mysql_query("SELECT pass FROM admin_user WHERE pass ='".$pass."' ");
$result= mysql_num_rows($query);
$result2= mysql_num_rows($query2);
if((!empty($result)) && (!empty($result2))){
session_set_cookie_params('3600');
session_start();
$_SESSION['admin']=$user ;
session_write_close();
echo true;
}
else {
echo "Please Write correct <strong>username and password</strong>";
}
}
else {
echo "Some thing miss";
}
答案 0 :(得分:1)
删除
session_write_close();
移动
session_start()
到脚本的顶部(或者更好地在PHP配置中将session.autostart参数设置为true。
mysql_query()
将在下一个PHP版本中删除,改为使用PDO。
您的代码中有2个SQL注入漏洞。
$query = mysql_query("SELECT user FROM admin_user WHERE user ='".$user."' ");
$query2 = mysql_query("SELECT pass FROM admin_user WHERE pass ='".$pass."' ");
如果您在这两个字段中发布' or id=1,那么您将登录管理员(您可以强制使用ID,电子邮件,用户名等字段来获取正确的内容。此列表会很小。)