我需要一些关于为我的项目创建登录名/帐户的最佳方法的建议。
以下是我此刻正在做的事情。
我使用一个名为register.php的页面注册用户。我获取了用户的详细信息,并将它们保存在mysql数据库中。并且我在我的服务器上为该用户创建一个CCD_ 2。
一旦创建了subdomain,我就把服务器上一个目录中的一些文件copy放到那个子域中。在这些复制的文件中,我有login页面,它会要求用户登录,以便他们可以访问自己的帐户(帐户是在他们注册时为他们创建的子域)。
所以。。。
the user #1 created an account and given this URL: user1.mysite.com/login.php
和
the user #2 created an account and given this URL: user2.mysite.com/login.php
一旦他们成功登录,将被定向到其帐户的index.php,该帐户为user1.mysite.com/index.php或user2.mysite.com/index.php,具体取决于哪个用户从哪个URL/帐户登录。
所有这些都发挥了应有的作用。
现在,我面临的问题是:
如果user #1尝试从user #2 URL/帐户(user2.mysite.com/login.php)登录,它们将指向自己的URL/帐户,即(user1.mysite.com/login.php
无论如何,
如果同一用户(user #1)导航回以前的URL,即user2.mysite.com/login.php,则他们会自动登录到不属于他们的帐户,该帐户属于用户#2,即使他们使用了自己的登录详细信息!
所以基本上,任何人都可以登录到别人的帐户
我的登录页面使用PHP中的SESSION。我正在使用以下代码:
登录页面:
ob_start();
session_start();
if (isset($_SESSION["manager"])) {
header("location: index.php");
exit();
}
if (isset($_POST["email"]) && isset($_POST["password"])) {
$manager = $_POST["email"]; // filter everything but numbers and letters
$password = (!empty($_POST['password'])) ? sha1($_POST['password']) : ''; // filter everything but numbers and letters
$storenameTable = $_REQUEST['storeShop'];
// Connect to the MySQL database
include "config/connect.php";
$sql = "SELECT members.id, members.email, members.password, members.randKey, members.storeShop, storename.email, storename.password, storename.randKey, storename.storeShop
FROM members
INNER JOIN storename ON members.randKey = storename.randKey
WHERE members.email = '$manager'
AND members.password = '$password'
";
$result = mysqli_query($db_conx,"SELECT storeShop FROM members WHERE email='$manager' AND password='$password'");
while($row = mysqli_fetch_array($result))
{
$email = $row["email"];
$password = $row["password"];
$storeShop = $row["storeShop"];
$_SESSION['email'] = $email;
$_SESSION['password'] = $password;
$_SESSION['storeShop'] = $storeShop;
}
// query the person
// ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
$query = mysqli_query($db_conx, $sql);
if (!$query) {
die(mysqli_error($db_conx));
}
$existCount = mysqli_num_rows($query); // count the row nums
if ($existCount == 1) { // evaluate the count
$row = mysqli_fetch_array($query, MYSQLI_ASSOC);
$_SESSION["id"] = $row["id"];
$_SESSION["manager"] = $manager;
$_SESSION["password"] = $password;
header("location: http://$storeShop.mysite.com/index.php");
exit();
} else {
echo 'That information is incorrect, try again <a href="login">Click Here</a>';
exit();
}
}
<form action="login.php" method="post" enctype="multipart/form-data" name="logform" id="logform" onsubmit="return validate_form ( );">
<div class="lock-holder">
<div class="form-group pull-left input-username">
<div class="input-group">
<input name="email" type="text" class="form-control " id="email" value="email">
<span class="input-group-addon"><i><img src="images/membericon.png" width="22" height="20"></i></span>
</div>
</div>
<div class="form-group pull-right input-password">
<div class="input-group">
<input name="password" type="password" class="form-control " id="password" placeholder="************" >
和我的index.php
session_start();
if (!isset($_SESSION["manager"])) {
header("location: login.php");
exit();
}
// Be sure to check that this manager SESSION value is in fact in the database
$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers and letters
$manager = $_POST["email"]; // filter everything but numbers and letters
$password = (!empty($_POST['password'])) ? sha1($_POST['password']) : ''; // filter everything but numbers and letters
$storenameTable = $_REQUEST['storeShop'];
// Run mySQL query to be sure that this person is an admin and that their password session var equals the database information
// Connect to the MySQL database
include "config/connect.php";
$sql = "SELECT members.id, members.email, members.password, members.randKey, members.storeShop, storename.email, storename.password, storename.randKey, storename.storeShop
FROM members
INNER JOIN storename ON members.randKey = storename.randKey
WHERE members.email = '$manager'
AND members.password = '$password'
"; // query the person
// ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
$query = mysqli_query($db_conx, $sql);
if (!$query) {
die(mysqli_error($db_conx));
}
$result = mysqli_query($db_conx,"SELECT storeShop FROM members WHERE email='$manager' AND password='$password'");
while($row = mysqli_fetch_array($result))
{
$email = $row["email"];
$password = $row["password"];
$storeShop = $row["storeShop"];
$_SESSION['email'] = $email;
$_SESSION['password'] = $password;
$_SESSION['storeShop'] = $storeShop;
}
$existCount = mysqli_num_rows($query); // count the row nums
if ($existCount == 0) { // evaluate the count
while($row = mysqli_fetch_array($query, MYSQLI_ASSOC)){
header("location: login.php");
exit();
}
}
有人能就这个问题提出建议吗?
提前谢谢。
所以基本上任何用户都可以登录任何用户的帐户,这是你的主要问题吗?你可以将URL子域中的用户名与他们在登录表单中提供的用户名进行比较,如果不匹配,他们将被拒绝访问。
在您的login.php页面中放入此
$url = $_SERVER["HTTP_HOST"]; // not sure whether this gets the subdomain, try it
$user_subdomin = explode(".", $url);
if(isset($form_submitted)){
if($user_subdomin[0] == $_POST["username"]){
if($_POST["password"] == $password_from_db){ // where username equals form username
// Set Sessions, do header redirect.
}
else print "You are in the wrong place!";
}
else // print form.
在需要用户登录的页面上,比如index.php或admin.php,或者其他什么东西:
$url = $_SERVER["HTTP_HOST"]; // not sure whether this gets the subdomain, try it
$user_subdomin = explode(".", $url);
if($_SESSION["username"] != $user_subdomin){
header("Location: ".$_SESSION["username"].".domin.com");
// this take the user to the correct place
}