我制作了一个自定义登录脚本,它运行得很好。但是,在重定向到主页后,$ _SESSION ['username']值将更改为“root”,无论它具有什么值。 “root”是我的数据库登录的用户名。
我必须手动输入所有这些内容,因此可能会有一两个明显的错误 -
main_login.php(sidebar.php上的php include_once,包含在每页上)
<?php
if(!isset ($_SESSION["username"])){
?>
<!-- Simple login form action="checklogin.php" method="post"-->
<?php
}else{
?>
<!-- Table to display welcome user, and logout link -->
checklogin.php:
session_start();
$db_name = "database";
$tbl_name = "users";
mysql_connect("localhost","root","password") or die("Cannot connect to SQL server");
mysql_select_db("$db_name")or die("Cannot select database.");
$username = $_POST['username'];
$password = $_POST['password'];
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$password = md5($password);
$sql = "SELECT * FROM $tbl_name WHERE username = '$username' and password = '$password'";
$result = mysql_query($sql);
$count = mysql_num_rows($result);
if($count == 1){
$_SESSION["username"] = $username;
$_SESSION["password"] = $password;
header("location:login_success.php");
}
else{
echo "<script type='text/javascript'>\n";
echo "setTimeout('redirect();',2000);\n";
echo "function redirect(){\n";
echo "window.location = 'index.php';\n";
echo "}\n";
echo "</script>\n";
echo "Wrong Username or Password";
login_success.php:
<?php
session_start();
if(!isset($_SESSION['username'])){
header("location:index.php");
}else{
session_regenerate_id();
}
// Apply permissions - problem existed before all of this code
mysql_connect("localhost","root","password") or die("Cannot connect to database.");
mysql_select_db("database") or die("Cannot select database.");
$username = $_SESSION['username'];
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_num_rows($result);
mysql_close();
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['permissions'] = mysql_result($result,0,'permissions');
?>
<html>
<head>
<script type="text/javascripnt">
setTimeout("redirect();",4000);
function redirect(){
window.location = "index.php";
}
</script>
</head>
<body>
Login Successful.
<?php echo "Welcome ".$_SESSION["username"].".";
var_dump($_SESSION); // var_dump reveals that $_SESSION['username'] is still the login name.
?>
</body>
</html>
一旦完成整个过程,一切都很好。但是,当它重定向到index.php时,$ _SESSION ['username']现在是'root'。
我想知道是否有人知道为什么会发生这种情况(所以我可以理解问题并在将来阻止它),以及实施的解决方案。
谢谢大家。
答案 0 :(得分:2)
这部分看起来很奇怪:
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_num_rows($result);
mysql_close();
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['permissions'] = mysql_result($result,0,'permissions');
试试这个:
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_query($result);
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['permissions'] = mysql_result($result,0,'permissions');
msql_close();
答案 1 :(得分:1)
答案很简单:
您的应用程序中有一些代码会将$ _SESSION ['username']值更改为“root”。
你必须调查你的代码并找到那个地方。没什么大不了的。
答案 2 :(得分:1)
为什么要在login_success.php上再次设置$ _SESSION ['username']变量你在check_login.php上设置变量,对吗?
这是我要做的事情
在login_success.php上打印出会话变量以查看最新情况。我几乎可以保证你的SQL查询正在发生一些事情。设置条件以确保您实际获得结果。
print_r($_SESSION);
if(!$_SESSION['username']) die('no session user name');
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_query($result);
if(mysql_num_rows($result) == 1){
$_SESSION['username'] = mysql_result($result,0,'username'); //why do you need this?
$_SESSION['permissions'] = mysql_result($result,0,'permissions');
mysql_close();
}
else die('no user found');
同样在checklogin页面上更改if语句以查找$ _SESSION ['username']中的实际变量,而不仅仅是设置它,我试图远离isset()。
对于上帝之爱不存储纯文本密码,实现安全密码哈希方案不需要任何费用。它非常容易利用php的crypt()函数,也可以检查这个开源安全方法。 http://www.openwall.com/phpass/
答案 3 :(得分:1)
好吧,
您的评论意义可能正确,您将其设置为root而未实现它。我刚刚意识到,经过2个小时的故障排除后,我就是这么做的!
无论我尝试了什么,$ _SESSION ['username']正在从真实用户名变为'root'。
我终于意识到$ _SESSION ['username']实际上并没有在任何地方改变,但$ username是。原因如下:
<?php
if(!empty($_SESSION['username'])){
$username = $_SESSION['username'];
require_once '../includes/connect_to_db.php';
echo $_SESSION['username']. ' is correct but '. $username. 'is not.';
}
?>
最后我们在所需的文件中看到connect_to_db.php:
<?php
$host="localhost"; // Host name
$username="root"; // mysql username
$password=""; // mysql password
$db_name="BH_web_DB"; // Database name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect: ". mysql_error());
mysql_select_db("$db_name")or die("cannot select DB");
?>
简单修复:
$db_username="root"; // mysql username
所以我实际上设置它太root =)希望这有助于另一个。