塞申斯让我脱掉头发

时间:2014-03-04 14:32:03

标签: php session

的login.php

<?php 
session_start();

$_SESSION['username'] = $_POST['username'];
$pass = $_POST['password'];


$conn = mysqli_connect('localhost', 'root', '', 'smithrwg_database');

$_SESSION['username'] = mysqli_real_escape_string($conn, $_SESSION['username']);

$query = "SELECT id, password, salt, priv FROM tbl_mem WHERE username = '{$_SESSION['username']}'";

$result = mysqli_query($conn, $query);

if(mysqli_num_rows($result) == 0) // User not found. So, redirect to login_form again.
{
    header('Location: index1.php');
    exit;
    session_destroy();
}



$userData = mysqli_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $pass) );

if($hash != $userData['password']) // Incorrect password. So, redirect to login_form again.
{
    header('Location: oeifnweoifn.php');

}else {
// Redirect to home page after successful login.


    header('Location: dashboard.php');
        $_SESSION['username'] = $userData['username'];
    $_SESSION['priv'] = $userData['priv'];
        $_SESSION['id'] = $userData['id'];



}
?>

目前每一个$ _SESSION的工作,但$ _SESSION ['用户名']不会回应,并且尽管其余的会话信息仍然有效,但它们几乎不包含任何内容。

2 个答案:

答案 0 :(得分:2)

$query = "SELECT password, salt, priv FROM tbl_mem WHERE username = '{$_SESSION['user']}'";

$_SESSION['user'] = $userData['user'];
$_SESSION['id'] = $userData['id'];

您未在查询中选择userid

对于记录,您实际上不应该在会话中存储用户的密码。会话通常容易受到攻击,所以这是不好的做法。

答案 1 :(得分:0)

这不是因为* _SESSION *而是因为您的查询未选择用户名
变化

$query = "SELECT id, password, salt, priv FROM tbl_mem WHERE username = '{$_SESSION['username']}'";

$query = "SELECT id, username, password, salt, priv FROM tbl_mem WHERE username = '{$_SESSION['username']}'";