>我正在尝试使网站在那里,当管理员成功登录时,我有管理员登录系统,而不是分配会话,但此会话在页面刷新时过期。检查下面,我向您展示了我所做的事情。
目录
<form action="../../system/access/checking.php" class="form-signin">
<h2 class="form-signin-heading">Please sign in</h2>
<input type="text" id="user" class="form-control" placeholder="Email address" required autofocus>
<input type="password" id="pass" class="form-control" placeholder="Password" required>
<a class="btn btn-lg btn-primary btn-block" onclick="submitfom();" >Sign in</a>
</form>
阿贾克斯
function submitfom() {
$.ajax({
type: "POST",
url: "../../system/access/checking.php",
data: {user: $("#user").val(),pass: $("#pass").val()},
success: function(data){
if(data == true ){
window.location.href = '../../index.php';
} else {
$('#show-error').slideDown( "slow",function (){$('#show- error').html(data);$('#show-error').css("display","inline");});
};
}
});
}
.php
include('../../../config.php');
if((isset($_POST['user'])) && (isset($_POST['pass'])) ){
$user = $_POST['user'];
$pass = $_POST['pass'];
$query = mysql_query("SELECT user FROM admin_user WHERE user ='".$user."' ");
$query2 = mysql_query("SELECT pass FROM admin_user WHERE pass ='".$pass."' ");
$result= mysql_num_rows($query);
$result2= mysql_num_rows($query2);
if((!empty($result)) && (!empty($result2))){
session_set_cookie_params('3600');
session_start();
$_SESSION['admin']=$user ;
session_write_close();
echo true;
}
else {
echo "Please Write correct <strong>username and password</strong>";
}
}
else {
echo "Some thing miss";
}
删除
session_write_close();
移动
session_start()
到脚本的顶部(或者更好地在 PHP 配置中将 session.autostart 参数设置为 true。
mysql_query()
将在下一个 PHP 版本中删除,请改用 PDO。
代码中有 2 个 SQL 注入漏洞。
$query = mysql_query("SELECT user FROM admin_user WHERE user ='".$user."' ");
$query2 = mysql_query("SELECT pass FROM admin_user WHERE pass ='".$pass."' ");
如果您在两个字段中发布' or id=1,您将登录管理员(您可以暴力破解ID,电子邮件,用户名等字段以获得正确。而且这个列表会很小)。