0
我已經在php中創建會話並限制了admin.php頁面。如果用戶未登錄,他/她或任何外星人/機器人都無法訪問該頁面。登錄後必須進入管理頁面。但它會在check.php中提到的contact.php。如果我不在admin.php中包含check.php。登錄後進入admin.php,但admin.php也可以在不登錄的情況下訪問。你能檢查我錯在哪裏嗎?如何使用PHP來保護我的HTML頁面?我得到錯誤
這是login.php--
<?php
include('connect.php'); // Include connect for login Script
if ((isset($_SESSION['username']) != ''))
{
header('Location: admin.php');
}
?>
<!DOCTYPE html>
<html>
<head>
<link href='http://fonts.googleapis.com/css?family=Montserrat:400,700' rel='stylesheet' type='text/css'>
<meta charset="UTF-8">
<title>Admin Login</title>
</head>
<body>
<div class="login-block">
<form action="" method="POST">
<h1>Login</h1><span><img src="/img/loginlogo.png"/></span>
<span id="invalid"><?php echo $error; ?></span>
<input type="text" name="username" placeholder="Username" id="username" />
<span><?php echo $usererror; ?></span>
<input type="password" name="password" placeholder="Password" id="password" />
<span><?php echo $pwderror; ?></span>
<input id= "btn" name="submit" type="submit" value=" Login "/>
<a href="register.php" id="frgt">Forgot Password</a>
<a href="register.php" id="register">Register Now</a>
</form>
</div>
</body>
</html>
這是admin.php--
<?php
include('check.php');
?>
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Home</title>
<link rel="stylesheet" href="style.css" type="text/css" />
</head>
<body>
<h1 class="hello">Hello, <em><?php echo $login_user;?>!</em></h1>
<br><br><br>
<a href="logout.php" style="font-size:18px">Logout?</a>
</body>
</html>
這check.php--
<?php
include('db.php');
session_start();
$user_check=$_SESSION['username'];
$sql = mysqli_query($db,"SELECT username FROM credentials WHERE username='$user_check' ");
$row=mysqli_fetch_array($sql,MYSQLI_ASSOC);
$login_user=$row['username'];
if(!isset($user_check))
{
header("Location: contact.php");
}
?>
這是我的連接.php--
<?php
session_start();
include("db.php"); //Establishing connection with our database
$error = ""; //Variable for storing our errors.
if(isset($_POST["submit"]))
{
if(empty($_POST["username"]) || empty($_POST["password"]))
{
$usererror = "Username can not be left blank";
$pwderror = "Password can not be left blank";
}
else
{
// Define $username and $password
$username=$_POST['username'];
$password=$_POST['password'];
// To protect from MySQL injection
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysqli_real_escape_string($db, $username);
$password = mysqli_real_escape_string($db, $password);
//$password = md5($password);
//Check username and password from database
$sql="SELECT id FROM credentials WHERE username='$username' and password='$password'";
$result=mysqli_query($db, $sql);
$row=mysqli_fetch_array($result, MYSQLI_ASSOC);
//If username and password exist in our database then create a session.
//Otherwise echo error.
if(mysqli_num_rows($result) == 1)
{
$_SESSION['username'] = $login_user; // Initializing Session
header("location: admin.php"); // Redirecting To Other Page
}
else
{
$error = "Incorrect username or password.";
}
}
}
?>
你在學習某種教程嗎? – Martin
是的。但它不工作。你能幫忙嗎? –
我可以幫助你,並說你應該停止遵循該教程。它告訴你如何使用'HTML','PHP','MySQL'的所有內容都被棄用了,而不是最好的實踐和錯誤。 ***停止***使用該教程,拋開你的工作,閱讀'Prepared SQL Statements'以及'HTML5'和'PHP 7'。祝你好運。 – Martin