拒絕訪問PHP的登錄

Question

我有一個買家的形式，被稱爲 「Buyer.php」：

<form method="post" action="check_buyer.php" id="LoggingInBuyer"> 
    <div style="width:265px;margin:0; padding:0; float:left;"> 
    <label>Username:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span><a href="#">Forgot Username?</span></a></label> <br /> 
    <input id="UserReg" style="width:250px;" type="text" name="userName" tabindex="1" class="required" /></div> 
    <div style="width:265px;margin:0; padding:0; float:right;"> 
    <label>Password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span><a href="#">Forgot Password?</span></a></label> <br /> 
    <input id="UserReg" style="width:250px;" type="password" name="userPass" tabindex="2" class="required" /></div> 
    <div class="clearB"> </div> 
    <input type="submit" style="width:100px; margin:10px 200px;" id="UserRegSubmit" name="submit" value="Login" tabindex="3" /> 
</form> 

一個名爲check_buyer.php（在相同的目錄）：

<?php 
session_start(); #recall session from index.php where user logged include() 

function isLoggedIn() 
{ 
    if(isset($_SESSION['valid']) && $_SESSION['valid']) 
     header('Location: buyer/'); # return true if sessions are made and login creds are valid 
    echo "Invalid Username and/or Password"; 
    return false; 
} 

require_once('../inc/db/dbc.php'); 

$connect = mysql_connect($h, $u, $p) or die ("Can't Connect to Database."); 
mysql_select_db($db); 

$LoginUserName = $_POST['userName']; 
$LoginPassword = mysql_real_escape_string($_POST['userPass']); 
//connect to the database here 
$LoginUserName = mysql_real_escape_string($LoginUserName); 
$query = "SELECT uID, uUPass, dynamSalt, uUserType FROM User WHERE uUName = '$LoginUserName';"; 

function validateUser($ifUserExists['uID'], $ifUserExists['uUserType']) { 
    $_SESSION['valid'] = 1; 
    $_SESSION['uID'] = $uID; 
    $_SESSION['uUserType'] = $uUserType; // 1 for buyer - 2 for merchant 
} 

$result = mysql_query($query); 
if(mysql_num_rows($result) < 1) //no such USER exists 
{ 
    echo "Invalid Username and/or Password"; 
} 
$ifUserExists = mysql_fetch_array($result, MYSQL_ASSOC); 

$dynamSalt = $ifUserExists['dynamSalt']; #get value of dynamSalt in query above 
$SaltyPass = hash('sha512',$dynamSalt.$LoginPassword); #recreate originally created dynamic, unique pass 

if($SaltyPass != $ifUserExists['uUPass']) # incorrect PASS 
{ 
    echo "Invalid Username and/or Password"; 
}else { 
    validateUser(); 
} 
// If User *has not* logged in yet, keep on /login 
if(!isLoggedIn()) 
{ 
    header('Location: index.php'); 
    die(); 
} 
?> 

//現在拋出錯誤：解析錯誤：語法錯誤，意外的'['，期待'）'在線23即function validateUser($ifUserExists['uID'], $ifUserExists['uUserType']) {

並在買方/目錄下的文件「的index.php」：

<?php 
session_start(); 
if($_SESSION['uUserType']!=1) 
{ 
    die("You may not view this page. Access denied."); 
} 

function isLoggedIn() 
{ 
    return (isset($_SESSION['valid']) && $_SESSION['valid']); 
} 

//if the user has not logged in 
if(!isLoggedIn()) 
{ 
    header('Location: index.php'); 
    die(); 
} 
?> 

<?php 
    if($_SESSION['valid'] == 1){ 
     #echo "<a href='../logout.php'>Logout</a>"; 
     require_once('buyer_profile.php'); 
    }else{ 
     echo "<a href='../index.php'>Login</a>"; 
    } 
?> 

這樣做的一點是，在輸入用戶名和密碼時，該用戶登錄並定向到/buyer/index.php，到該網站的部分爲buyer。似乎每次我使用我製作的虛擬憑證登錄時，它只是脫口而出：You may not view this page. Access denied。但是，如果我通過在瀏覽器中按回箭頭返回，它有我logged in和showing a link to logout。

我做了一些故障排除： 1）顯示在這裏，測試我的sql query是好的，的確如此。 http://i.stack.imgur.com/n2b5z.png

2）嘗試choing出echo 'the userid: ' . $userid;它哼唧約You may not view..之前，它不會顯示任何信息。

我該如何去得到這個userID？我雙重檢查的字段名稱在數據庫中，所有的罰款..

Answer 1

從快速檢查，它看起來像你設定validateUser()$_SESSION['uUserType'] = $userType，但似乎並沒有被傳遞$userType自己該功能。所以$_SESSION['uUserType']不會是1，但$_SESSION['valid']將是，因爲您將其設置爲validateUser()。

我懷疑你應該將有效數據傳遞到validateUser以便將其設置到會話中。

例如

validateUser($ifUserExists['uID'], $ifUserExists['uUserType']); 

function validateUser($uID, $uUserType) { 
    $_SESSION['valid'] = 1; 
    $_SESSION['uID'] = $uID; 
    $_SESSION['uUserType'] = $uUserType; // 1 for buyer - 2 for merchant 
}