我正在使用以下代码登录用户。创建新会话后,他们会被重定向到新页面 - content.php。我想知道什么是最好的方式/正确的方法来销毁会话并注销用户,将它们重定向回index.php。
<?php
if (isset($_REQUEST['signin'])){
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM `user` WHERE username='$username' and password='$password'";
$result = mysql_query($query) or die(mysql_error());
$count = mysql_num_rows($result);
if ($count == 1){
$_SESSION['username'] = $username;
header('Location: content.php');
}
else{
echo "Invalid Login Credentials.";
}
}
if (isset($_SESSION['username'])){
$username = $_SESSION['username'];
header('Location: content.php');
}
?>
<form method="post" name="login">
<?php
if (isset($msg) & !empty($msg)) {
echo $msg;
}
?>
<label for="username">Username:</label><br>
<input type="text" name="username"><br>
<label for="password">Password:</label><br>
<input type="password" name="password"><br>
<button type="submit" name="signin">Sign in</button>
</form>
我知道此脚本存在漏洞(例如未加密的密码),但是现在我正在寻找一个简单的脚本来注销。
答案 0 :(得分:1)
session_start();
$_SESSION = array();
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_destroy();
header("Location: index.php"); exit;
答案 1 :(得分:1)
首先,您需要清理输入,以便
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
现在,关于清理会话。您的注销脚本应使用unset
unset($_SESSION['username']);
unset($_SESSION['password']);
答案 2 :(得分:1)
注销用户的最佳和最简单的方法是销毁整个会话或取消设置必要的会话密钥。
session_destroy();
// or...
unset($_SESSION['username'];
header('Location: index.php');
我更喜欢unset,因为您可能希望在会话数组中存储更多数据。
答案 3 :(得分:0)
首先,请在查询之前检查查询变量,否则会冒着SQL注入的风险。
接下来,当您设置会话时,必须在脚本顶部调用session_start();以使用会话。
最后,要将用户注销,只需调用session_destroy();即可销毁现有会话。
我已经重新编写了一些代码
<?php
session_start();
if (isset($_REQUEST['signin'])){
$username = $_POST['username'];
$password = $_POST['password'];
$sql_connection = new mysqli("dbHost", "dbUsername", "dbPassword", "dbName");
if($sql_connection->connect_errno){
die("db error");
}
$username = $sql_connection->real_escape_string($username);
$password = $sql_connection->real_escape_string($password);
$query = "SELECT * FROM `user` WHERE username='$username' and password='$password' LIMIT 1;";
$result = $sql_connection->query($query) or die("db error");
$count = $result->num_rows;
if ($count == 1){
$_SESSION['username'] = $username;
header('Location: content.php');
die();
}else{
echo "Invalid Login Credentials.";
}
}elseif(isset($_SESSION['username'])){
$username = $_SESSION['username'];
header('Location: content.php');
die();
}
?>
<form method="post" name="login">
<?php
if (isset($msg) & !empty($msg)) {
echo $msg;
}
?>
<label for="username">Username:</label><br>
<input type="text" name="username"><br>
<label for="password">Password:</label><br>
<input type="password" name="password"><br>
<button type="submit" name="signin">Sign in</button>
</form>
由于即将删除,因此使用MySQLi而不是MySQL。它也会转义输入并设置会话。
答案 4 :(得分:0)
<?php
if (!isset($_SESSION)) { session_start(); }
$_SESSION = array();
session_destroy();
header("Location: login"); //login.php if you havent setup your htaccess to use without.php
exit();
?>