男孩,我很困惑。所以当我使用不同的数据库名称时,我有一个工作的登录系统。我更改了所有名称和文件以适应新的sql数据库。一切似乎都有效,除了我的登录检查说我没有登录。这似乎是一个问题,没有设置会话。
我首先有一个登录页面,可以成功地通过此页面发送给您(我最终在member_home):
<?php
include_once './../functions.php';
include_once './../dbConnect.php';
sec_session_start(); // custom way of starting a PHP session.
if (isset($_POST['user'], $_POST['p'])) {
$user = $_POST['user'];
$password = filter_input(INPUT_POST, 'p', FILTER_SANITIZE_STRING);
if (strlen($password) != 128) {
// The hashed pwd should be 128 characters long.
// If it's not, something really odd has happened
echo 'hashed password length wrong';
}
//$password = $_POST['p']; // The hashed password.
if (login($user, $password, $dbConnection) == true) {
// Login success
$con = @require './../dbConnect.php';
// Check connection
if (mysqli_connect_errno($con))
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
else {
$result = mysqli_query($dbConnection,"SELECT * FROM members WHERE user = '". $_SESSION['user'] ."'");
$row = mysqli_fetch_array($result);
$passkey1 = $row['confirmcode'];
header('Location: http://www.examplewebsite.com/member_home.php?passkey='.$passkey1);
}
}
else {
// Login failed
header('Location: ../login_page.php?error=1');
echo 'login failed';
}
} else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
?>
在我的会员主页上,它要求用户通过此功能login_check登录:
function login_check($dbConnection) {
// Check if all session variables are set
//this session is not being set....
if (isset($_SESSION['user_id'],
$_SESSION['user'],
$_SESSION['login_string'])) {
header('Location: http://www.examplewebsite.com/index.php');
$user_id = $_SESSION['user_id'];
$login_string = $_SESSION['login_string'];
$username = $_SESSION['user'];
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
if ($stmt = $dbConnection->prepare("SELECT password
FROM members
WHERE id = ? LIMIT 1")) {
// Bind "$user_id" to parameter.
$stmt->bind_param('i', $user_id);
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
if ($stmt->num_rows == 1) {
//we are not making it to this if statement
// If the user exists get variables from result.
$stmt->bind_result($password);
$stmt->fetch();
$login_check = hash('sha512', $password . $user_browser);
if ($login_check == $login_string) {
// Logged In!!!!
return true;
} else {
// Not logged in
return false;
}
} else {
// Not logged in
return false;
}
} else {
// Not logged in
return false;
}
} else {
// Not logged in
return false;
}
}
我知道我没有传递第一个if语句,因为我没有通过标题检查重新定位。
这是sec_session_start()函数,我测试过它确实经历了整个函数:
function sec_session_start() {
$session_name = 'sec_session_id'; // Set a custom session name
$secure = SECURE;
// This stops JavaScript being able to access the session id.
$httponly = true;
// Forces sessions to only use cookies.
if (ini_set('session.use_only_cookies', 1) === FALSE) {
header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
exit();
}
// Gets current cookies params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
$cookieParams["path"],
$cookieParams["domain"],
$secure,
$httponly);
// Sets the session name to the one set above.
session_name($session_name);
session_start(); // Start the PHP session
session_regenerate_id(); // regenerated the session, delete the old one.
}
所以由于某种原因,我的loginCheck功能总是失败,我无法弄清楚为什么没有设置会话!这里有什么问题,还是会出现在其他地方?有人可以指导我检查其他错误吗?
问题仅在切换所有数据库名称和相关后才开始发生,但我找不到文本不同的任何地方。
这是我的登录变量,负责绑定所有内容:
function login($user, $password, $dbConnection) {
global $errors;
$errors = 1;
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $dbConnection->prepare("SELECT ID, user, paid, password, salt
FROM members WHERE user = ? LIMIT 1")) {
$stmt->bind_param('s', $user); // Bind "$user" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $user, $paid, $db_password, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
$errors= 2;
if ($stmt->num_rows > 0) {
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$user = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$user);
$_SESSION['user'] = $user;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
$errors=3;
return true;
} else {
return false;
}
}
else {
// No user exists.
return false;
}
}
}
我实际上无法获得$ errors变量以在member_home中发布。
我的意思是,问题似乎是在我将用户发送到member_home之后,不再有定义的$ _SESSION ['user']。它似乎在标题(location:member_home)
之后消失了