我正在尝试将访问权限限制为php页面。 “ calendario.php”文件仅对以前通过“ login.php”登录的用户可见。
当前的问题:如果用户在浏览器中手动键入url,则他可以直接访问而无需凭据。我设法用“ if”来防止这种情况,但是即使这样也可以。该页面会暂时加载内容,因此,如果您足够熟练,则可以准确地暂停浏览器并访问信息。
这是我到目前为止尝试过的:
<?php
include("required/datos.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST") {
$myusername = mysqli_real_escape_string($db,$_POST['login']);
$mypassword = mysqli_real_escape_string($db,$_POST['password']);
$sql = "SELECT * FROM usuarios WHERE login = '$myusername' and BINARY password = '$mypassword'";
$result = mysqli_query($db,$sql);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$count = mysqli_num_rows($result);
if($count == 1) {
$_SESSION['login_user'] = $myusername;
$_SESSION['autorizado'] = TRUE;
header('location: calendario.php');
}else {
$message = "Credenciales incorrectas";
echo "<script type='text/javascript'>alert('$message');</script>";
header('Refresh: 0; URL=index.php');
}
}
?>
<?php
require_once('required/bdd.php');
session_start();
?>
<?php
if($_SESSION['autorizado']==true)
{
echo '<li class="active" style="padding-left: 15px">';
echo $_SESSION["login_user"];
echo ' - ';
echo '<a href="logout.php"><span>Desconectar</span></a></li>';
}
else
{
header('Refresh: 0; URL=index.php');
}
?>
<?php
$sql = "SELECT id, title, start, end, color FROM events ";
$req = $bdd->prepare($sql);
$req->execute();
$events = $req->fetchAll();
?>
我想知道您对如何改善这一点的看法。谢谢。
答案 0 :(得分:2)
这样:
{
header('Location: index.php');
exit;
}