的login.php
<?php
session_start();
$_SESSION['username'] = $_POST['username'];
$pass = $_POST['password'];
$conn = mysqli_connect('localhost', 'root', '', 'smithrwg_database');
$_SESSION['username'] = mysqli_real_escape_string($conn, $_SESSION['username']);
$query = "SELECT id, password, salt, priv FROM tbl_mem WHERE username = '{$_SESSION['username']}'";
$result = mysqli_query($conn, $query);
if(mysqli_num_rows($result) == 0) // User not found. So, redirect to login_form again.
{
header('Location: index1.php');
exit;
session_destroy();
}
$userData = mysqli_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $pass) );
if($hash != $userData['password']) // Incorrect password. So, redirect to login_form again.
{
header('Location: oeifnweoifn.php');
}else {
// Redirect to home page after successful login.
header('Location: dashboard.php');
$_SESSION['username'] = $userData['username'];
$_SESSION['priv'] = $userData['priv'];
$_SESSION['id'] = $userData['id'];
}
?>
目前每一个$ _SESSION的工作,但$ _SESSION ['用户名']不会回应,并且尽管其余的会话信息仍然有效,但它们几乎不包含任何内容。
答案 0 :(得分:2)
$query = "SELECT password, salt, priv FROM tbl_mem WHERE username = '{$_SESSION['user']}'";
$_SESSION['user'] = $userData['user'];
$_SESSION['id'] = $userData['id'];
您未在查询中选择user或id
对于记录,您实际上不应该在会话中存储用户的密码。会话通常容易受到攻击,所以这是不好的做法。
答案 1 :(得分:0)
这不是因为* _SESSION *而是因为您的查询未选择用户名。
变化
$query = "SELECT id, password, salt, priv FROM tbl_mem WHERE username = '{$_SESSION['username']}'";
要
$query = "SELECT id, username, password, salt, priv FROM tbl_mem WHERE username = '{$_SESSION['username']}'";