$ _SESSION变量仅存储某些值

时间:2017-10-19 08:26:40

标签: php html session mysqli

我有一个名为login.php的登录页面,其中包含以下php代码:

  <?php
    session_start();
    include ('databaseconnect.php');

 if(isset($_POST['login'])){
   $username = mysqli_real_escape_string($db, $_POST['username']);
   $password = mysqli_real_escape_string($db, $_POST['password']);

 $query = "select Username, Userid, user_type from Users
           where username = '$username'
           and password = '$password' LIMIT 1";
 $result = mysqli_query($db, $query);

 if (mysqli_num_rows($result) == 1) {
    $username = mysqli_fetch_assoc($result);
 if ($username ['user_type'] == 'owner') {
        $_SESSION['username'] = $username['Username'];    
        $_SESSION['userid'] = $userid['Userid'];          
        $_SESSION['user_type'] = $user_type['user_type']; 
        header('location:adminmain.php');
}else{
    $_SESSION['username'] = $username['Username'];       
    $_SESSION['userid'] = $userid['Userid'];             
    $_SESSION['user_type'] = $user_type['user_type'];    
    header('location:usermain.php');
      }
     }
    }
   }
  ?>

一个人的用户名&#39;,&#39;用户ID&#39;和&#39; user_type&#39;从他们登录时开始假设是$ _SESSION。当一个人登录时,会出现一个名为create_topic.php的页面,其中包含以下代码:

    <?php
      include ('dataconnect.php');

      $sql1= "SELECT Categoryid, Categoryname, Categorydescription 
             FROM Categories"; 
      $result1 = mysqli_query($db,$sql1);

   if (!$result1)
      {
     echo "No Category Found, Contact the administrator" </p>; 
      }

   function getPosts()
   {
    $posts = array();
    $posts[0] = $_POST['topic_subject'];
    $posts[1] = $_POST['topic_category'];
    $posts[2] = $_SESSION['username']; var_dump($_SESSION);
    return $posts;
   } 

   if (isset($_POST['createtopicbutton'])) 
    {  

   $data = getPosts();

   $sql2 = "INSERT INTO Topics(Topic_subject, Topic_category, Topic_by)          
              VALUES('$data[0]','$data[1]', '$data[2]')";

   $result2 = mysqli_query($db,$sql2);

   if ($result2)
    {
       echo  "<p> Topic Successfully Created </p>";
  }else{
       echo "<p> Topic NOT! Successfully Created, Contact the administrator 
              </p>. mysqli_error($db); 
       } 
      }
    ?>   

但是,当执行上面的代码时,我收到以下错误:

  

您的SQL语法有错误;检查手册   对应于您的MySQL服务器版本,以便使用正确的语法   接近&#39;不正确的整数值:&#39;&#39;对于专栏&#39; Topic_by&#39;在第1行   价值观(&#39; t&#39;第1行。

所以我做了一个var_dump我发现了这个:

 array (size=3)
 'username' => string 'Owner1' (length=6)
 'userid' => null
 'user_type' => null. 

所以我特别要问的是&#39;用户名&#39;存储,但&#39;用户ID&#39;和&#39; user_type&#39;在login.php页面上声明时为null。非常感谢您的帮助和帮助。

1 个答案:

答案 0 :(得分:1)

您的变量不正确,请尝试:

 if (isset($_POST['login']))
{
    $username = mysqli_real_escape_string($db, $_POST['username']);
    $password = mysqli_real_escape_string($db, $_POST['password']);

    $query = "select Username, Userid, user_type from Users
           where username = '$username'
           and password = '$password' LIMIT 1";
    $result = mysqli_query($db, $query);

    if (mysqli_num_rows($result) == 1)
    {
        $user = mysqli_fetch_assoc($result);
        if ($user ['user_type'] == 'owner')
        {
            $_SESSION['username'] = $user['Username'];
            $_SESSION['userid'] = $user['Userid'];
            $_SESSION['user_type'] = $user['user_type'];
            header('location:adminmain.php');
        } else
        {
            $_SESSION['username'] = $user['Username'];
            $_SESSION['userid'] = $user['Userid'];
            $_SESSION['user_type'] = $user['user_type'];
            header('location:usermain.php');
        }
    }
}

仅定义了$username$userid$user_type不是,user_typeuserid$username的索引,而不是单独的变量。因此,请使用$user,以便更具可读性。

警告!

Little Bobby your script is at risk for SQL Injection Attacks. 了解preparedMySQLi语句。即使escaping the string也不安全!