我遇到了2个文件的问题:login_config.php
和profile.php
。
我希望profile.php上的数据只能通过设置$ _SESSION [' key']来访问(成功登录后)。
我的问题:我的代码有什么不对?此外,为什么我在登录提交时出现错误,如果$ _SESSION [' key']为false /未设置,则应该返回错误,而不是目标profile.php页面?
代码:(login_config.php)
<?php
// POST VARIABLES
$submit = $_POST['login_submit'];
$username = $_POST['login_username'];
$password = $_POST['login_password'];
$email = $_POST['login_email'];
require 'password_config.php';
if(isset($submit)){
require 'db/connect.php';
// PASSWORD VERIFYING
$pass_query = "SELECT password FROM users WHERE email='$email'";
$queried = mysql_query($pass_query);
while($row = mysql_fetch_array($queried)){
$user_pass = $row['password'];
$veri_password = password_verify($password, $user_pass);
}
if(!$veri_password === true){$errors[] = '-Account does not exist ';}
// CHECKING NUM ROWS
$sql = "SELECT id, username FROM users WHERE password='$user_pass' AND email='$email'";
$entered_user = mysql_query($sql);
$num_rows = mysql_num_rows($entered_user);
// ERRS ARRAY ESTABLISHED
$errors = array();
// FURTHER VERIFYING
if( empty($password) || empty($email) )
{
$errors[] = 'Please do not leave fields empty';
}
elseif( $num_rows != 1 )
{
$errors[] = '-Account does not exist ';
}
elseif( $num_rows == 1 )
{
session_start();
$_SESSION['key'] === true;
while($row = mysql_fetch_array($entered_user)){
$_SESSION['id'] = $row['id'];
$_SESSION['email'] = $email;
$_SESSION['user'] = $row['username'];
$_SESSION['pass'] = $password;
header('Location: profile.php');
exit();
}
}
}
代码:(profile.php)
<?php
session_start();
if($_SESSION['key'] !== true){
die ("please <a href='login.php'>log in</a> to view this page");
}
?>
<html>
<head>
<title>Profile</title>
<link href='css/main.css' rel='stylesheet' />
</head>
<body>
<div id='container'>
<?php require 'include/header.php'; ?>
<?= 'NJM ID # ==>'.$_SESSION['id'].'<br />'.'Username ==>'.$_SESSION['user'].'<br/>'.'Password ==>'.$_SESSION['pass'].'<br/>'.'<br />' ?>
<a href='logout.php'>Log out!</a>
<br />
-OR-
<br />
<p>Try our beta mode<a href='forum.php'> forum</a></p>
<?php require 'include/footer.php'; ?>
</div>
</body>
</html>
注意:我知道我在当前的代码状态下容易受到SQL攻击,我将在稍后修复此问题,同时我也不熟悉MySQL的弃用版本。
答案 0 :(得分:4)
在profile.php
中,您必须在使用session_start();
之前致电$_SESSION
。 session_start()
并不只是开始新会话,但也会继续现有会话(如果愿意,它将启动会话处理功能)。如果不调用它,则无法使用$_SESSION
。
答案 1 :(得分:1)
第一:我会使用termary运算符来检查我需要的值的存在,以避免&#34;未定义的索引&#39; login_username&#39;&#34;错误。像这样:
$username = isset($_POST['login_username']) ? $_POST['login_username'] : '';
$password = isset($_POST['login_password']) ? $_POST['login_password']) : '';
$email = isset($_POST['login_email']) ? $_POST['login_email'] : '';
第二:出于安全原因,我会使用PDO连接MySQL服务器,而不仅仅是。
session_start();
if (isset($submit)){
// select all data from db for the current user
$st = $db->prepare('SELECT * FROM users WHERE email=?');
$st->execute([$email]);
//$rows = count_rows_here
if($rows == 1){
$row = $stmt->fetch();
if(password_verify($password, $row['pass'])){
$_SESSION['key'] = true; // notice the '=', and not '==='
$_SESSION['id'] = $row['id'];
$_SESSION['email'] = $row['email'];
$_SESSION['user'] = $row['username'];
$_SESSION['pass'] = $row['password'];
header('Location: profile.php');
} else {
echo 'Error!';
}
}
}
答案 2 :(得分:0)
在您浏览到下一个PHP页面后,我会首先尝试删除exit()
调用。没有必要,因为你下面没有代码,它可能会影响会话(我不这么认为)
如果这不起作用(可能不会),请在开始会话profile.php
后添加到var_dump($_SESSION)
并查看/发布其内容。
答案 3 :(得分:0)
我已经通过为$ _SESSION ['key']赋值变量来解决这个问题。
$_SESSION['key'] = $check = 'check';
然后在profile.php中对此进行测试,我输入了以下代码:
if(isset(!$_SESSION['key'])){die ('example')}