$_SESSION not storing data in PHP

Time: 2014-03-12 15:04:46

Tags: php session

I developed an application using WAMP that works perfectly. As always, when I move it to the server it doesn't work.

The problem is that when I log in, it is meant to redirect me to the relevant page depending on the admin field in my database. By default everyone gets 0 in the database.

Here is my cut-down login.php

<?php

// First we execute our common code to connect to the database and start the session
require("common.php");
error_reporting(E_ERROR | E_PARSE);

// This variable will be used to re-display the user's username to them in the
// login form if they fail to enter the correct password.  It is initialized here
// to an empty value, which will be shown if the user has not submitted the form.
$submitted_username = '';
$admin = 'false';

// This if statement checks to determine whether the login form has been submitted
// If it has, then the login code is run, otherwise the form is displayed
if (!empty($_POST)) {
    // This query retrieves the user's information from the database using
    // their username.
    $query = "
            SELECT
                id,
                username,
                password,
                salt,
                email,
                admin,
                name,
                sso
            FROM users
            WHERE
                username = :username
        ";

    // The parameter values
    $query_params = array(
        ':username' => $_POST['username']
    );

    try {
        // Execute the query against the database
        $stmt = $db->prepare($query);
        $result = $stmt->execute($query_params);
    } catch (PDOException $ex) {
        // Note: On a production website, you should not output $ex->getMessage().
        // It may provide an attacker with helpful information about your code.
        die("Failed to run query: " . $ex->getMessage());
    }

    // This variable tells us whether the user has successfully logged in or not.
    // We initialize it to false, assuming they have not.
    // If we determine that they have entered the right details, then we switch it to true.
    $login_ok = false;

    // Retrieve the user data from the database.  If $row is false, then the username
    // they entered is not registered.
    $row = $stmt->fetch();
    if ($row) {
        // Using the password submitted by the user and the salt stored in the database,
        // we now check to see whether the passwords match by hashing the submitted password
        // and comparing it to the hashed version already stored in the database.
        $check_password = hash('sha256', $_POST['password'] . $row['salt']);
        for ($round = 0; $round < 65536; $round++) {
            $check_password = hash('sha256', $check_password . $row['salt']);
        }

        if ($check_password === $row['password']) {
            // If they do, then we flip this to true
            $login_ok = true;
        }
    }

    // If the user logged in successfully, then we send them to the private members-only page
    // Otherwise, we display a login failed message and show the login form again
    if ($login_ok) {
        $admin = $row['admin'];
        // Here I am preparing to store the $row array into the $_SESSION by
        // removing the salt and password values from it.  Although $_SESSION is
        // stored on the server-side, there is no reason to store sensitive values
        // in it unless you have to.  Thus, it is best practice to remove these
        // sensitive values first.
        unset($row['salt']);
        unset($row['password']);

        // This stores the user's data into the session at the index 'user'.
        // We will check this index on the private members-only page to determine whether
        // or not the user is logged in.  We can also use it to retrieve
        // the user's details.
        $_SESSION['user'] = $row;
        $_SESSION['admin'] = $row;
        $_SESSION['name'] = $row;
        $_SESSION['sso'] = $row;

        ob_start();

        // Redirect the user to the private members-only page.
        if ($admin == 1) {
            echo '<meta http-equiv="refresh" content="0;url=http://ocat.uat.cse.comfin.ge.com/notifcation%20system/outageNotification.php">';
            //header("Location: admin.php");
        }

        if ($admin == 0) {
            echo '<meta http-equiv="refresh" content="0;url=http://ocat.uat.cse.comfin.ge.com/notifcation%20system/private2.php">';
        }
        if ($admin == 2) {
            echo '<meta http-equiv="refresh" content="0;url=http://ocat.uat.cse.comfin.ge.com/notifcation%20system/super.php">';

            //Below is for Local
           // header("Location: super.php");
        }
        if ($admin == 3) {
            echo '<meta http-equiv="refresh" content="0;url=http://ocat.uat.cse.comfin.ge.com/notifcation%20system/outageNotification.php">';
            //header("Location: admin.php");
        }
        if ($admin == 4) {
            echo '<meta http-equiv="refresh" content="0;url=http://ocat.uat.cse.comfin.ge.com/notifcation%20system/super.php">';
            //header("Location: super.php");
        }

//        die("Now redirecting....");
    } else {
        // Tell the user they failed
        print("Login Failed.");

        // Show them their username again so all they have to do is enter a new
        // password.  The use of htmlentities prevents XSS attacks.  You should
        // always use htmlentities on user submitted values before displaying them
        // to any users (including the user that submitted them).  For more information:
        // http://en.wikipedia.org/wiki/XSS_attack
        $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
    }
}

?>

<html>
<head>

</head>
<body>

<form action="login.php" method="post">
    Username:<br/>
    <input type="text" name="username" value="<?php echo $submitted_username; ?>"/>
    <br/><br/>
    Password:<br/>
    <input type="password" name="password" value=""/>
    <br/><br/>
    <input type="submit" class="btn btn-primary btn-lg" role="button" value="Login"/>
</form>

</body>
</html>

As you can see, I had to stop using header: when I moved it from local.

common.php looks like this and contains the session_start() call. I include it on every page.

<?php

$username = "";
$password = "";
//$password = "";
$host = ":7780";
$dbname = "";

// UTF-8 is a character encoding scheme that allows you to conveniently store
// a wide variety of special characters, such as accented letters, in your database.
// By passing the following $options array to the database connection code we
// are telling the MySQL server that we want to communicate with it using UTF-8
// See Wikipedia for more information on UTF-8:
// http://en.wikipedia.org/wiki/UTF-8
$options = array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8');

// A try/catch statement is a common method of error handling in object oriented code.
// First, PHP executes the code within the try block.  If at any time it encounters an
// error while executing that code, it stops immediately and jumps down to the
// catch block.  For more detailed information on exceptions and try/catch blocks:
// http://us2.php.net/manual/en/language.exceptions.php
try {
    // This statement opens a connection to your database using the PDO library
    // PDO is designed to provide a flexible interface between PHP and many
    // different types of database servers.  For more information on PDO:
    // http://us2.php.net/manual/en/class.pdo.php
    $db = new PDO("mysql:host={$host};dbname={$dbname};charset=utf8", $username, $password, $options);
} catch (PDOException $ex) {
    // If an error occurs while opening a connection to your database, it will
    // be trapped here.  The script will output an error and stop executing.
    // Note: On a production website, you should not output $ex->getMessage().
    // It may provide an attacker with helpful information about your code
    // (like your database username and password).
    die("Failed to connect to the database: " . $ex->getMessage());
}

// This statement configures PDO to throw an exception when it encounters
// an error.  This allows us to use try/catch blocks to trap database errors.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// This statement configures PDO to return database rows from your database using an associative
// array.  This means the array will have string indexes, where the string value
// represents the name of the column in your database.
$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);

// This block of code is used to undo magic quotes.  Magic quotes are a terrible
// feature that was removed from PHP as of PHP 5.4.  However, older installations
// of PHP may still have magic quotes enabled and this code is necessary to
// prevent them from causing problems.  For more information on magic quotes:
// http://php.net/manual/en/security.magicquotes.php
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    function undo_magic_quotes_gpc(&$array)
    {
        foreach ($array as &$value) {
            if (is_array($value)) {
                undo_magic_quotes_gpc($value);
            } else {
                $value = stripslashes($value);
            }
        }
    }

    undo_magic_quotes_gpc($_POST);
    undo_magic_quotes_gpc($_GET);
    undo_magic_quotes_gpc($_COOKIE);
}

// This tells the web browser that your content is encoded using UTF-8
// and that it should submit content back to you using UTF-8
header('Content-Type: text/html; charset=utf-8');

// This initializes a session.  Sessions are used to store information about
// a visitor from one web page visit to the next.  Unlike a cookie, the information is
// stored on the server-side and cannot be modified by the visitor.  However,
// note that in most cases sessions do still use cookies and require the visitor
// to have cookies enabled.  For more information about sessions:
// http://us.php.net/manual/en/book.session.php
session_start();

// Note that it is a good practice to NOT end your PHP files with a closing PHP tag.
// This prevents trailing newlines on the file from being included in your output,
// which can cause problems with redirecting users.

When I log in I am told I do not have permission to view my page. When I var_dump the session, I find it is empty:

<?php

// First we execute our common code to connect to the database and start the session
require("common.php");

// At the top of the page we check to see whether the user is logged in or not
if (empty($_SESSION['user'])) {
    // If they are not, we redirect them to the login page.
    echo '<meta http-equiv="refresh" content="0;url=http://ocat.uat.cse.comfin.ge.com/notifcation%20system/login.php">';

    // Remember that this die statement is absolutely critical.  Without it,
    // people can view your members-only content without logging in.
    die("Redirecting to login.php");
}
if (($_SESSION['user']['admin'] == 1) || ($_SESSION['user']['admin'] == 2)) {
    die("you do not have permission to view this page. Please press the back button in your browser.");
}
// Everything below this point in the file is secured by the login system

// We can display the user's username to them by reading it from the session array.  Remember that because
// a username is user submitted content we must use htmlentities on it before displaying it to the user.
$con = mysql_connect("", "", "");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}

I have confirmed in my database that the logged-in user's admin value is 0 and should be able to see the page, as I could on localhost. Any suggestions would be greatly appreciated.
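The question boils down to a session that is written on one page and read back empty on the next. Before digging into the application logic, a practitioner would first confirm that the session layer itself is working on the new server: that no output was sent before session_start(), that the session cookie has a path every page of the app can see, and that session.save_path is actually writable by the web server (with the default "files" handler an unwritable directory loses every write without an error on the page). The example below is added here and is not the asker's code: it bundles those checks into a bootstrap function, and pairs it with a login step that stores only the fields the app needs and redirects with a header() plus exit, and a protected-page guard that compares the admin level as an integer. The function names, the protected.php and login.php paths and the allowed admin levels are assumptions for illustration; the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example, not from the question: session health checks plus a minimal
// login / authorization flow. Function names and the login.php / protected.php
// paths are assumptions; session_set_cookie_params(array) needs PHP >= 7.3.

declare(strict_types=1);

// Start the session once with hardened cookie settings and verify that PHP
// can persist session data. Returns a list of problems found (empty = healthy).
function bootstrap_session(): array
{
    $problems = [];

    if (session_status() === PHP_SESSION_ACTIVE) {
        return $problems; // already started by an earlier include
    }

    // Any output (even a BOM or a newline after "?>") sent before
    // session_start() prevents the Set-Cookie header from going out.
    if (headers_sent($file, $line)) {
        $problems[] = "output already sent at {$file}:{$line}; session cookie cannot be set";
    }

    // Scope the cookie to the site root so every script sees the same session;
    // mark it HttpOnly/SameSite, and Secure whenever the request came in over TLS.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Reject session ids that this server never issued.
    ini_set('session.use_strict_mode', '1');

    if (!session_start()) {
        $problems[] = 'session_start() failed';
        return $problems;
    }

    // The "files" handler silently drops writes when save_path is not writable.
    if (ini_get('session.save_handler') === 'files') {
        $path = session_save_path() ?: sys_get_temp_dir();
        // save_path may be "N;MODE;/dir"; the directory is the last field.
        $parts = explode(';', $path);
        $dir = end($parts);
        if (!is_dir($dir) || !is_writable($dir)) {
            $problems[] = "session.save_path '{$dir}' is not a writable directory";
        }
    }
    return $problems;
}

// Called after the password check has succeeded. Keeps only the fields the
// app needs, rotates the session id, flushes the store, then redirects.
function establish_login(array $row): void
{
    session_regenerate_id(true);          // a pre-login id must not survive login
    $_SESSION['user'] = [
        'id'       => (int) $row['id'],
        'username' => $row['username'],
        'admin'    => (int) $row['admin'], // stored as int so comparisons are unambiguous
    ];
    session_write_close();                // persist before the browser moves on
    header('Location: protected.php', true, 303);
    exit;                                 // nothing after a redirect may run
}

// On a protected page: require a logged-in user whose admin level is allowed.
function require_login(array $allowed_levels): array
{
    if (empty($_SESSION['user']) || !isset($_SESSION['user']['admin'])) {
        header('Location: login.php', true, 303);
        exit;
    }
    if (!in_array((int) $_SESSION['user']['admin'], $allowed_levels, true)) {
        http_response_code(403);
        exit('You do not have permission to view this page.');
    }
    return $_SESSION['user'];
}

// Usage (assumed layout): the common include runs the bootstrap and logs any
// findings server-side; login.php calls establish_login($row) after the hash
// comparison; protected.php calls require_login([0]) for non-admin users.
foreach (bootstrap_session() as $problem) {
    error_log('session check: ' . $problem); // server log only, never the browser
}
```

The bootstrap reports problems through error_log() rather than echoing them, so the diagnosis ends up in the server's log instead of in a page a visitor can read. Storing an integer admin level and comparing it with strict in_array() also removes the ambiguity of comparing a database string such as "0" with == against an integer.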

0 answers:

No answers