会话变量不起作用? (PHP)

时间:2015-07-12 11:51:56

标签: php mysql session

我遇到了2个文件的问题:login_config.phpprofile.php

  • login_config.php由登录系统组成,该系统在完成多种身份验证后设置$ _SESSION [' key']为真。
  • profile.php是用户在成功后重定向到的页面。

我希望profile.php上的数据只能通过设置$ _SESSION [' key']来访问(成功登录后)。

我的问题:我的代码有什么不对?此外,为什么我在登录提交时出现错误,如果$ _SESSION [' key']为false /未设置,则应该返回错误,而不是目标profile.php页面?

代码:(login_config.php)

<?php

// POST VARIABLES
$submit = $_POST['login_submit'];
$username = $_POST['login_username'];
$password = $_POST['login_password'];
$email = $_POST['login_email'];

require 'password_config.php';

if(isset($submit)){

    require 'db/connect.php';

    // PASSWORD VERIFYING
    $pass_query = "SELECT password FROM users WHERE email='$email'";
    $queried = mysql_query($pass_query);
    while($row = mysql_fetch_array($queried)){
        $user_pass = $row['password'];
        $veri_password = password_verify($password, $user_pass);
    }
    if(!$veri_password === true){$errors[] = '-Account does not exist ';}

    // CHECKING NUM ROWS
    $sql = "SELECT id, username FROM users WHERE password='$user_pass' AND email='$email'";
    $entered_user = mysql_query($sql);
    $num_rows = mysql_num_rows($entered_user);


    // ERRS ARRAY ESTABLISHED
    $errors = array();

    // FURTHER VERIFYING
    if( empty($password) || empty($email) )
    {
        $errors[] = 'Please do not leave fields empty';
    }
    elseif( $num_rows != 1 )
    {
        $errors[] = '-Account does not exist ';
    }
    elseif( $num_rows == 1 )
    {
        session_start();
        $_SESSION['key'] === true;

        while($row = mysql_fetch_array($entered_user)){
            $_SESSION['id'] = $row['id'];
            $_SESSION['email'] = $email;
            $_SESSION['user'] = $row['username'];
            $_SESSION['pass'] = $password;
            header('Location: profile.php');
            exit();
        }

    }
}   

代码:(profile.php)

<?php

session_start();

if($_SESSION['key'] !== true){
    die ("please <a href='login.php'>log in</a> to view this page");
}
?>
<html>
<head>
    <title>Profile</title>
    <link href='css/main.css' rel='stylesheet' />
</head>
<body>
    <div id='container'>
        <?php require 'include/header.php'; ?>
        <?= 'NJM ID # ==>'.$_SESSION['id'].'<br />'.'Username ==>'.$_SESSION['user'].'<br/>'.'Password ==>'.$_SESSION['pass'].'<br/>'.'<br />' ?>
        <a href='logout.php'>Log out!</a>
        <br />
        -OR-
        <br />
        <p>Try our beta mode<a href='forum.php'> forum</a></p>
        <?php require 'include/footer.php'; ?>
    </div>
</body>
</html>

注意:我知道我在当前的代码状态下容易受到SQL攻击,我将在稍后修复此问题,同时我也不熟悉MySQL的弃用版本。

4 个答案:

答案 0 :(得分:4)

profile.php中,您必须在使用session_start();之前致电$_SESSIONsession_start()并不只是开始新会话,但也会继续现有会话(如果愿意,它将启动会话处理功能)。如果不调用它,则无法使用$_SESSION

答案 1 :(得分:1)

第一:我会使用termary运算符来检查我需要的值的存在,以避免&#34;未定义的索引&#39; login_username&#39;&#34;错误。像这样:

$username = isset($_POST['login_username']) ? $_POST['login_username'] : '';
$password = isset($_POST['login_password']) ? $_POST['login_password']) : '';
$email = isset($_POST['login_email']) ? $_POST['login_email'] : '';

第二:出于安全原因,我会使用PDO连接MySQL服务器,而不仅仅是。

session_start();

if (isset($submit)){
    // select all data from db for the current user
    $st = $db->prepare('SELECT * FROM users WHERE email=?');
    $st->execute([$email]);
    //$rows = count_rows_here
    if($rows == 1){
        $row = $stmt->fetch();
        if(password_verify($password, $row['pass'])){
            $_SESSION['key'] = true; // notice the '=', and not '==='
            $_SESSION['id'] = $row['id'];
            $_SESSION['email'] = $row['email'];
            $_SESSION['user'] = $row['username'];
            $_SESSION['pass'] = $row['password'];
            header('Location: profile.php');
       } else {
           echo 'Error!';
       }
   }
}

答案 2 :(得分:0)

在您浏览到下一个PHP页面后,我会首先尝试删除exit()调用。没有必要,因为你下面没有代码,它可能会影响会话(我不这么认为)

如果这不起作用(可能不会),请在开始会话profile.php后添加到var_dump($_SESSION)并查看/发布其内容。

答案 3 :(得分:0)

我已经通过为$ _SESSION ['key']赋值变量来解决这个问题。

$_SESSION['key'] = $check = 'check';

然后在profile.php中对此进行测试,我输入了以下代码:

if(isset(!$_SESSION['key'])){die ('example')}