防止用户访问页面而不登录不工作

时间:2016-02-02 18:45:04

标签: php

当我尝试登录时,它不允许我这样做,但当我把它拿出来时,它允许我,但即使我退出它仍然允许我在页面上?

我知道有问题的区域是welcome.php中的PHP代码

的login.php:

<html>
<body>
    <form name="form1" method="post" action="connection.php">
        <td colspan="3"><strong>Member Login </strong></td>
        <td width="78">Username</td>
        <td width="6">:</td>
        <td width="294">
            <input name="myusername" type="text" id="myusername">
        </td>
        Password: 
        <input name="mypassword" type="text" id="mypassword">
        <input type="submit" name="Submit" value="Login">
    </form>
</body>
</html>

Connection.php:

<?php
    ob_start();
    $host="localhost"; // Host name 
    $username="root"; // Mysql username 
    $password=""; // Mysql password 
    $db_name="v2"; // Database name 
    $tbl_name="members"; // Table name 

    // Connect to server and select databse.
    mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
    mysql_select_db("$db_name")or die("cannot select DB");

    // Define $myusername and $mypassword 
    $myusername=$_POST['myusername']; 
    $mypassword=$_POST['mypassword']; 

    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);
    $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";                            
    $result=mysql_query($sql);

    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);

    // If result matched $myusername and $mypassword, table row must be 1 row
    if($count==1){
        // Register $myusername, $mypassword and redirect to file "welcome.php"
        $_SESSION["myusername"];
        $_SESSION["mypassword"];
        header("location:welcome.php");
    }
    else {
        echo "Wrong Username or Password";
    }
    ob_end_flush();
?>

的welcome.php:

<?php
    session_start();
    if(!isset($_SESSION["myusername"])){
        header("location:login.php");
    }
?>

<html>
<body>
    You have successfully logged in!
    <br>
    <a href="logout.php">Logout</a>
</body>
</html>

2 个答案:

答案 0 :(得分:0)

您应该尽量避免直接访问超级全局变量。你可以使用php'filter_input(INPUT_POST,'username');代替。还要记得加密密码。也许您将密码加密到表中并且无法在“选择”查询中对其进行解密...正确完成它。

答案 1 :(得分:0)

我认为你需要改为

  // Register $myusername, $mypassword and redirect to file "welcome.php"
 $_SESSION["myusername"]=$myusername;
 $_SESSION["mypassword"]=$mypassword;

用于处理此if(!isset($_SESSION["myusername"]))

相关问题
最新问题