尝试使用会话进行常规身份验证和更新,但是当我点击链接时,即使到同一页面它只会闪烁“incorect id”而且必须刷新并重新登录意味着用户甚至无法更新自己的信息导航到其他页面。现在它在一个子域而不是一个完整的域,因为我做了开发测试所以也许这就是问题,但我想看看是否有任何敏锐的眼睛可以发现问题。
会话使用位于每个页面顶部的包含来处理
<?php // accesscontrol.php
include_once 'common.php';
include_once 'db.php';
include_once 'messages.php';
session_start();
$uid = isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];
$id = $_SESSION['id'];
if(!isset($uid)) {
?>
<!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Please Log In for Access </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1> Login Required </h1>
<p>You must log in to access this area of the site. If you are
not a registered user, <a href="signup.php">click here</a>
to sign up for instant access!</p>
<p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
User ID: <input type="text" name="uid" size="8" /><br />
Password: <input type="password" name="pwd" SIZE="8" /><br />
<input type="submit" value="Log in" />
</form></p>
</body>
</html>
<?php
exit;
}
$_SESSION['id'] = $id;
$_SESSION['uid'] = $uid;
$_SESSION['pwd'] = $pwd;
$link = dbConnect('db_name');
$sql = "SELECT * FROM Users WHERE
LOWER(username) = '".mysqli_real_escape_string($link, strtolower($_POST[uid]))."' AND password = '".mysqli_real_escape_string($link, strtolower($_POST[pwd]))."'";
$result = mysqli_query($link, $sql);
if (!$result) {
error('A database error occurred while checking your '.
'login details.\nIfhis error persists, please '.
'contact '.$adminemail.'.');
}
if (mysqli_num_rows($result) == 0) {
unset($_SESSION['id']);
unset($_SESSION['uid']);
unset($_SESSION['pwd']);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Access Denied </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1> Access Denied </h1>
<p>Your user ID or password is incorrect, or you are not a
registered user on this site. To try logging in again, click
<a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
access, click <a href="<?=$signuppage?>">here</a>.</p>
</body>
</html>
<?php
exit;
}
$row = mysqli_fetch_array($result);
$First_Name = $row['First_Name'];
$Middle_Name = $row['Middle_Name'];
$Last_Name = $row['Last_Name'];
$email = $row['email'];
$notes = $row['notes'];
$id = $row['ID'];
主机分页格式类似于
<?php include 'includes/accesscontrol.php'; ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Members-Only Page </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
<link rel="stylesheet" href="includes/pwmeter.css" />
<link rel="stylesheet" href="includes/topnav.css" />
</head>
<body>
<?include('includes/nav_top_member.php');?>
<p>Welcome, <?=$username?>! You have entered a members-only area
of the site. Don't you feel special?</p>
答案 0 :(得分:0)
查询正在使用$_POST['uid']
和$_POST['pwd']
。如果用户已登录,则需要使用会话变量,而不是POST参数。这是在$uid
和$pwd
中,您设置在脚本的顶部。
$sql = "SELECT * FROM Users
WHERE LOWER(username) = '".mysqli_real_escape_string($link, strtolower($uid))."'
AND password = '".mysqli_real_escape_string($link, strtolower($pwd))."'";
您应该学习使用准备好的查询和mysqli_bind_param()
而不是转义和连接。并且您不应该在数据库中存储纯文本密码,或者在匹配密码时忽略大小写。