我使用下面的代码来登录用户。当新的会话被创建时,它们被重定向到一个新的页面- content.php。我想知道什么是最好的方法/正确的方式来破坏会话和注销用户,重定向他们回到index.php。
<?php
if (isset($_REQUEST['signin'])){
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM `user` WHERE username='$username' and password='$password'";
$result = mysql_query($query) or die(mysql_error());
$count = mysql_num_rows($result);
if ($count == 1){
$_SESSION['username'] = $username;
header('Location: content.php');
}
else{
echo "Invalid Login Credentials.";
}
}
if (isset($_SESSION['username'])){
$username = $_SESSION['username'];
header('Location: content.php');
}
?>
<form method="post" name="login">
<?php
if (isset($msg) & !empty($msg)) {
echo $msg;
}
?>
<label for="username">Username:</label><br>
<input type="text" name="username"><br>
<label for="password">Password:</label><br>
<input type="password" name="password"><br>
<button type="submit" name="signin">Sign in</button>
</form>
我知道这个脚本有缺陷(例如未加密的密码),但现在我正在寻找一个简单的脚本注销。
注销用户的最好和最简单的方法是销毁整个会话或取消设置必要的会话密钥。
session_destroy();
// or...
unset($_SESSION['username'];
header('Location: index.php');
我更喜欢unset,因为您可能希望在会话数组中存储更多数据。
首先你需要清理你的输入所以
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
现在,关于清除会话。注销脚本应该使用unset
unset($_SESSION['username']);
unset($_SESSION['password']);
session_start();
$_SESSION = array();
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_destroy();
header("Location: index.php"); exit;
首先,请在查询前检查查询变量,否则会有SQL注入的风险。
接下来,当您设置会话时,您必须在脚本的顶部调用session_start();来利用会话。
最后,要注销用户,只需调用session_destroy();,现有会话将被销毁。
我稍微重写了一下你的代码
<?php
session_start();
if (isset($_REQUEST['signin'])){
$username = $_POST['username'];
$password = $_POST['password'];
$sql_connection = new mysqli("dbHost", "dbUsername", "dbPassword", "dbName");
if($sql_connection->connect_errno){
die("db error");
}
$username = $sql_connection->real_escape_string($username);
$password = $sql_connection->real_escape_string($password);
$query = "SELECT * FROM `user` WHERE username='$username' and password='$password' LIMIT 1;";
$result = $sql_connection->query($query) or die("db error");
$count = $result->num_rows;
if ($count == 1){
$_SESSION['username'] = $username;
header('Location: content.php');
die();
}else{
echo "Invalid Login Credentials.";
}
}elseif(isset($_SESSION['username'])){
$username = $_SESSION['username'];
header('Location: content.php');
die();
}
?>
<form method="post" name="login">
<?php
if (isset($msg) & !empty($msg)) {
echo $msg;
}
?>
<label for="username">Username:</label><br>
<input type="text" name="username"><br>
<label for="password">Password:</label><br>
<input type="password" name="password"><br>
<button type="submit" name="signin">Sign in</button>
</form>
使用MySQLi而不是MySQL,因为即将删除。它还转义输入并建立会话。
<?php
if (!isset($_SESSION)) { session_start(); }
$_SESSION = array();
session_destroy();
header("Location: login"); //login.php if you havent setup your htaccess to use without.php
exit();
?>