我真的很困擾整個'只有登錄的用戶可以查看此頁'。 Php對我來說是新的,我似乎無法弄清楚這一點。也許這是一個愚蠢的問題,或者我的代碼是不正確的,但我真的想弄明白這一點。如何確保只有登錄用戶才能訪問頁面?
的login.php:
<?php
session_start();
function is_logged() {
if (isset($_SESSION['username'])) return $_SESSION['username'];
else return false;
}
if (is_logged()) {
$user_id = is_logged();
do_something($user_id);
} else {
if (isset($_POST['submit'])) { //form submitted
//check login and password, if they are correct, do this:
$_SESSION['username'] = $username_from_database;
//if not correct
unset($_SESSION['username']);
header('Location: welcome.php'); //refresh page
} else {
//show login form with button named 'submit'
}
}
?>
<html>
<head>
<title>Login</title>
</head>
<body>
<?php
if (!isset($_POST['submit'])){
?>
<!-- The HTML login form -->
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
Username: <input type="text" name="username" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" name="submit" value="Login" />
</form>
<?php
} else {
require_once("db_const.php");
$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
# check connection
if ($mysqli->connect_errno) {
echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
exit();
}
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * from GEBRUIKERS WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1";
$result = $mysqli->query($sql);
if (!$result->num_rows == 1) {
echo "<p>Invalid username/password combination</p>";
} else {
echo "<p>Logged in successfully</p>";
// do stuffs
}
if (mysqli_num_rows($result) > 0) {
// Output data of each row
while($row = mysqli_fetch_assoc($result)) {
$_SESSION['+login_user']=$user; // Initializing Session
header("location: welcome.php"); // Redirecting To Other Page
}
}
else {
$error = "Username or Password is invalid";
}
mysqli_close($conn); // Closing Connection
}
?>
</body>
</html>
的welcome.php:
<?php
session_start();
?>
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<link rel="stylesheet" type="text/css" href="style.css"/>
<!--Header wordt opgehaald-->
</head>
<?php
require "header2.php"
?>
<?php
$servername = "localhost";
$username = "";
$password = "";
$database = "";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $database);
// Check connection
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
?>
<body>
<?php
//Perform queries
$sql = "SELECT acteur_voornaam, acteur_tussenvoegsel, acteur_achternaam, acteur_geboortedatum FROM FILM_ACTEURS";
$result = $conn->query($sql);
//Films
if ($result->num_rows > 0) {
echo "<table style='border: solid 1px grey; margin-left: auto; margin-right: auto; margin-top:50px;'><th>Voornaam</th><th>Tussenvoegsel</th><th>Achternaam</th><th>Geboortedatum</th></tr>";
// output data of each row
while($row = $result->fetch_assoc()) {
echo "<tr><td>" . $row["acteur_voornaam"] . "<td>" . $row["acteur_tussenvoegsel"]. "<td> " . $row["acteur_achternaam"]. "<td> " . $row["acteur_geboortedatum"] . "" . "</td></tr>";
}
echo "<table>";
} else {
echo "0 results";
}
$conn->close();
?>
</body>
<?php
//Footer wordt opgehaald
include "footer.php"
?>
</html>
頂部調用每個頁面上is_logged()'。並且如果它返回false重定向登錄.php –
**警告:**您打開'sql注入',請閱讀[如何使用預處理語句](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php)。 'sql注入'意味着你是開放的攻擊,他們可以訪問你的數據庫和manupulate它。 **另一個警告**將您的密碼進行哈希處理,將其保存爲數據庫時不會**。使用'password_hash()'和'password_verify()'來加密你的密碼。 – Nytrix
謝謝,我想我是開放的SQL注入。現在這是一個學校作業。 – Nienke