我的代码有三个问题。
-
如何只显示登录profile.php文件的用户名?因为我当前的代码显示的是每个用户名,无论谁登录。
-
如何限制profile.php页面,使其只有在用户登录时才能看到?
-
如何创建一个有效的注销页面?
以下是我的代码,按每个文件config.php//连接到数据库、login.php、profile.php和logout.php的顺序排列:
//------------------------config.php---------------
<?php
mysql_connect("localhost","root","");
mysql_select_db("login2");
?>
//------------------------login.php---------------
<?php
session_start();
require('config.php');
if(isset($_POST['submit'])){
$uname = mysql_escape_string($_POST['uname']);
$pass = mysql_escape_string($_POST['pass']);
$salt = '';
$pass = md5 ($pass . $salt);
$sql = mysql_query ("SELECT * FROM `users` WHERE `uname` = '$uname' AND `pass`= '$pass' ");
if(mysql_num_rows($sql) > 0){
header('location: profile.php');
exit();
}else{
echo "Wrong password or username";
}
}else{
$form = <<<EOT
<form action="login.php" method="POST">
Username : <br />
<input type="text" name="uname" />
<br />
<br />
Password : <br />
<input type="password" name="pass" />
<br />
<br />
<input type="submit" name="submit" value="log in" />
</form>
EOT;
echo $form;
}
?>
//------------------------profile.php---------------
<?php
require('config.php');
?>
<html>
<head>
</head>
<body>
<?php
$sql = mysql_query("SELECT * FROM users ");
while($row = mysql_fetch_array($sql)){
$name = $row['name'];
$lname = $row['lname'];
$uname = $row['uname'];
}
?>
<p>Welcome <b><?php echo $name; ?></b></p>
<a href="logout.php">logout</a>
</body>
</html>
//------------------------logout.php---------------
<?php
require('config.php');
session_destroy();
header('location: login.php');
exit();
?>
所有问题的答案:在PHP中使用$_SESSIONs。我忘了提一下,但你需要在计划使用$_SESSION
的每一页的顶部都有session_start()
。
// User Login
if(mysql_num_rows($sql) > 0){
$_SESSION['user_name'] = $_POST['uname'];
header('location: profile.php');
exit();
}else{
echo "Wrong password or username";
}
// Profile (Check if user is logged in)
if(isset($_SESSION['user_name']) && !empty($_SESSION['user_name'])){
// Show page
}
如何创建有效的注销页面?
你需要开始阅读,我推荐一本很棒的新书叫谷歌。
要显示用户名,请在验证后将用户名保存在会话值中
$sql = mysql_query ("SELECT * FROM `users` WHERE `uname` = '$uname' AND `pass`= '$pass' ");
if(mysql_num_rows($sql) > 0){
$_SESSION['username'] = $uname;
header('location: profile.php');
exit();
}else{
echo "Wrong password or username";
}
要限制对profile.php页面的访问,请在调用session_start()后在顶部和右侧添加
if(!isset($_SESSION['username'])) // not logged in
要创建注销页面,您需要销毁会话
注销.php
session_start();
if(isset($_SESSION['username'])) session_destroy();
else // not logged in
尝试这个
if(mysql_num_rows($sql) > 0){
session_start();
$_SESSION['userName']=$_POST['uname'];
header('location: profile.php');
exit();
}else{
echo "Wrong password or username";
}
profile.php
<?php
session_start();
if (!$_SESSION['userName']){
header('location: login.php');
}else{
echo $_SESSION['userName'];
}
?>
<html>
<head>
</head>
<body>
<?php
$sql = mysql_query("SELECT * FROM users ");
while($row = mysql_fetch_array($sql)){
$name = $row['name'];
$lname = $row['lname'];
$uname = $row['uname'];
}
?>
<p>Welcome <b><?php echo $name; ?></b></p>
<a href="logout.php">logout</a>
</body>
</html>
注销.php
unset($_SESSION['userName']);
您的问题的答案很简单,因为目前您在login.php上所做的一切都与您的profile.php无关。
在login.php中,您检查他们的用户名和密码,如果正确,则将其发送到profile.php,然后在profile.php上执行此操作,在新查询中从数据库中回显所有内容:"SELECT * FROM users "
这没有数据或参考你在login.php上检查他们的凭据。
你应该做的是,当你在login.php上检查他们的登录时,用他们正确的登录详细信息设置一个会话,比如:
//------------------------login.php---------------
<?php
session_start();
require('config.php');
if(isset($_POST['submit'])){
$uname = mysql_escape_string($_POST['uname']);
$pass = mysql_escape_string($_POST['pass']);
$salt = '';
$pass = md5 ($pass . $salt);
$sql = mysql_query ("SELECT * FROM `users` WHERE `uname` = '$uname' AND `pass`= '$pass' ");
if(mysql_num_rows($sql) > 0){
// ADDITIONAL CODE
while($row = mysql_fetch_array($sql)){
$_SESSION['logged_in']['name'] = $row['name'];
$_SESSION['logged_in']['lname'] = $row['lname'];
$_SESSION['logged_in']['uname'] = $row['uname'];
}
// END ADDITIONAL CODE
header('location: profile.php');
exit();
}else{
echo "Wrong password or username";
}
?>
//------------------------profile.php---------------
<?php
session_start();
require('config.php');
?>
<html>
<head>
</head>
<body>
<?php
// ADDITIONAL CODE
if ( !isset($_SESSION['logged_in']) )
{
header('location: login.php');
exit();
}
// END ADDITIONAL CODE
// Then use the session data to echo their name:
<p>Welcome <b><?php echo $_SESSION['logged_in']['name']; ?></b></p>
<a href="logout.php">logout</a>
</body>
</html>
//------------------------logout.php---------------
<?php
// ADDITIONAL CODE
session_start();
unset($_SESSION['logged_in']);
// END ADDITIONAL CODE
session_destroy(); //if you want..
header('location: login.php');
exit();
然而,这是一个简单的例子,注意:在profile.php上,我的附加代码只是检查是否设置了logged_in会话,这不是很安全。
根据profile.php上显示的数据,您可以/应该再次检查他们的登录信息。也许可以在数据库中检查他们的会话数据或IP,或者两者兼而有之。
重要注意事项:
您正在使用的代码相当不安全,并且使用了折旧后的函数mysql_query()
现在已经折旧,您应该使用PDO或Mysqli,并准备好报表。
如果你坚持要继续使用这个函数,至少从mysql_escape_string()
改为使用mysql_real_escape_string()
。
此外,md5()
不再被认为是一种安全的方法,请参阅此处:
http://php.net/manual/en/faq.passwords.php#faq.passwords.fasthash
至于盐析,不建议使用自己的(目前为NULL)。尝试使用:
http://php.net/manual/en/function.crypt.php
试试这个它的工作:
//------------------------config.php---------------
<?php
mysql_connect("localhost","root","");
mysql_select_db("login2");
?>
//------------------------login.php---------------
<?php
session_start();
require('config.php');
if(isset($_POST['submit'])){
$uname = mysql_escape_string($_POST['uname']);
$pass = mysql_escape_string($_POST['pass']);
$salt = '';
$pass = md5 ($pass . $salt);
$sql = mysql_query ("SELECT * FROM `users` WHERE `uname` = '$uname' AND `pass`= '$pass' ");
if(mysql_num_rows($sql) > 0){
header("location: profile.php?username=$uname&pass=$pass");
exit();
}else{
echo "Wrong password or username";
}
}else{
?>
<form action="login.php" method="POST">
Username : <br />
<input type="text" name="uname" />
<br />
<br />
Password : <br />
<input type="password" name="pass" />
<br />
<br />
<input type="submit" name="submit" value="log in" />
</form>
<?php
}
?>
//------------------------profile.php---------------
<?php
require('config.php');
$user = $_REQUEST['username'];
$passwd = $_REQUEST['pass']
?>
<html>
<head>
</head>
<body>
<?php
$sql = mysql_query("SELECT * FROM users where `uname` = '$user' AND `pass`= '$passwd' ");
do{
$uname = $row['uname'];
$_SESSION['uname'] = $uname;
$username = $_SESSION['uname'];
}while($row = mysql_fetch_array($sql));
?>
<p>Welcome <b><?php echo $name; ?></b></p>
<a href="logout.php">logout</a>
</body>
</html>
//------------------------logout.php---------------
<?php
require('config.php');
session_destroy();
header('location: login.php');
exit();
?>