我正在制作一个管理页面..我需要使此页面仅供某个有效的用户访问!然后我试图让任何未登录的用户都无法访问它,所以我使用了 -
if (isset($_SESSION["Username"]) && !isset($_POST["LOGIN"]))
if($_SESSION["Username"] == "sara")
在每个if语句上都会出现一条消息..如果用户首先没有登录,并且如果他不是管理员,但不知何故,即使管理员访问它,也会出现第一条消息..它允许它访问页面并显示表单,但消息仍然出现在页面底部..我的代码一团糟我已经尝试了两天了! 谁能帮忙请问我 ?我试图添加另一个,但出现错误.这是完整的代码 -
<?php
session_start();
include 'header.php';
if (isset($_SESSION["Username"]) && !isset($_POST["LOGIN"])) {
if($_SESSION["Username"] == "sara") {
$conn = new mysqli($database_host, $database_login, $database_pass, $database_name);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
} else {
$sql = "SELECT `cat_id` , `cat_name` FROM categorys";
$result = $conn->query($sql);
}
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
} else {
if(isset($_POST['Submit'])) {
switch($_POST['Submit']) {
case 'Submit2':
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
} else {
$Thecategory = $_POST["Thecategory"];
$q="INSERT INTO categorys( cat_name) VALUES ('$Thecategory')";
if (mysqli_query($conn, $q)) {
echo "New record created successfully 2222";
} else {
echo "Error: " . $q. "<br>" . mysqli_error($conn);
}
}
break;
case 'Submit1':
$Levelid = $_POST["Levelid"];
$Levelserial = $_POST["Levelserial"];
$word = $_POST["word"];
$Thecategoryid = $_POST["taskOption"];
$picfile = $_POST["picfile"];
$fullword = $_POST["fullword"];
$spelledword= $_POST["spelledword"];
$sql="INSERT INTO questions( level_id, level_serial, q_word,q_cat_id , pic_file, word_file, s_word_file)
VALUES ('$Levelid','$Levelserial', '$word','$Thecategoryid ','$picfile' ,'$fullword','$spelledword')";
if (mysqli_query($conn, $sql)) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}
break;
}
} else {
echo "
<!DOCTYPE html>
<html>
<form>
//form
</form >
<form method='"post'">
<label >Level id :</label>
<br>
<input type='"text'" name='"Levelid'" ><br>
<label > Level serial:</label>
<br>
<input type='"text'" name='"Levelserial'" ><br>
<label > The word is:</label>
<br>
<input type='"text'" name='"word'" ><br>
<label >The pic file is:</label>
<br>
<input type='"text'" name='"picfile'" v><br>
<label > The full word file :</label>
<br>
<input type='"text'" name='"fullword'" ><br>
<label >The spelled word file :</label>
<br>
<input type='"text'" name='"spelledword'" ><br>
";
echo"
<div >
<label for='"The category '">The category </label></br>
<select name='"taskOption'">
";
if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) { ?>
<option value="<?php echo $row['cat_id']; ?>">
<?php echo $row['cat_name']; ?>
</option> <?php } ?>
</select>
<?php } ?>
<br><br>
<?php
echo"
<input type='"Submit'" value='"Submit1'" name='"Submit'">
</form>
</div>
</body>
</html>
";
}
}
}
echo "
<head>
<title>Relogin Please </title>
</head>
<body>
<center>
<br/> <br/>
<div id='"content1'">
<div id='"relog'">
<h2 style='" color:black ; font-size: 25px;'">you're not admin </h2>
<a href='"login.php'"><img src='"PIC/NIE7J6OOT.PNG'" ></a>
</div>
</div>
<br/> <br/>
</center>
</body>
";
} else {
echo "
<head>
<title>Relogin Please </title>
</head>
<body>
<center>
<br/> <br/>
<div id='"content1'">
<div id='"relog'">
<h2 style='" color:black ; font-size: 25px;'">youare not admin </h2>
<a href='"login.php'"><img src='"PIC/NIE7J6OOT.PNG'"></a>
</div>
</div>
<br/> <br/>
</center>
</body>
";
}
?>
<?php include 'footer.php';?>
我需要放置一个 else 语句,但我不知道在哪里! 任何人都可以帮忙吗!
此代码不再安全:
如果 mypage.php 包含以下代码:
session_start();
$_SESSION['Username']=='sara';
echo "<a href='http://the.link-to-your-admin_page.php' target='_blank'>link</a>";
如果单击该链接,会话管理员 1 将被带到您的页面,并显示编辑按钮。
最安全的方法是在登录后立即设置令牌(这是一个非常简单的步骤)。例如$token = md5(uniqidsession(rsand(), true)); $_SESSION['token']=$token;
在每个页面的顶部放置以下内容:
if(!isset($_SESSION['token'])){ die('Access Denied');}
if(!isset($_SESSION['Username'])){ die('Access Granted');}
首先检查 SESSION 中的令牌携带,然后检查用户 ID,包括用户的权限级别。但是,只有您知道sara作为管理员,以防万一。这只是一个简单的方法,在开头放更多的指纹扫描代码,使拦截sessionid变得复杂。