2012-08-15 97 views
1

我在$_SESSION變量中遇到了很多麻煩。我正在嘗試爲用戶登錄和註銷創建一種方法。我可以登錄一個用戶,但我似乎無法保持會話,當我切換頁面。當用戶正確登錄時,他們被帶到profile.php。但是,如果我回到index.php打印以下錯誤:無法驗證用戶身份

Notice: Undefined index: login in /Applications/MAMP/htdocs/www/Shared sites/userlogreg/index.php on line 3

我很新的這一點,但距離使面色上和其他地方我似乎無法弄清楚。任何幫助,將不勝感激。

的index.php

<?php 
session_start(); 
if ($_SESSION['login'] == 1) { 
    echo "<h1>Logged in!</h1>"; 
} else { 
    echo "<h1>Not logged in</h1><br/>"; 
} 

?> 
<!DOCTYPE HTML> 
<html> 
<head> 
    <title>Index page</title> 
</head> 
<body> 
    <h2>Login</h2> 
    <form action="login.php" method="POST"> 
     <div> 
      <label for="emailSignIn">Email:</label> 
      <input type="email" name="email" placeholder="Email" required="required" /> 
     </div> 
     <div> 
      <label for="passwordSignIn">Password:</label> 
      <input type="password" name="password" placeholder="Password" required="required" /> 
     </div> 
     <input type="submit" name="submit" value="Sign in" /> 
    </form> 

    <h2>Register</h2> 
    <form action="register.php" method="POST"> 
     <div> 
      <label for="firstnameRegister">First name:</label> 
      <input type="text" name="firstname" placeholder="First name" required="required" /> 
     </div> 
     <div> 
      <label for="lastnameRegister">Last name:</label> 
      <input type="text" name="lastname" placeholder="Last name" required="required" /> 
     </div> 
     <div> 
      <label for="emailRegister">Email:</label> 
      <input type="email" name="email" placeholder="Email" required="required" /> 
     </div> 
     <div> 
      <label for="passwordRegister">Password:</label> 
      <input type="password" name="password" placeholder="Password" required="required"> 
     </div> 
     <input type="submit" name="submit" value="Create account" /> 
    </form> 

</body> 

</html> 

的login.php

<?php 

$email = sanitize_input($_POST['email']); //echo "Sanitized email: ".$email; echo "<br/>"; 
$password = $_POST['password']; //echo "Inputted password: ".$password; echo "<br/>"; 

if ((!isset($email)) || (!isset($password))) { 
    // VISITOR NEEDS TO ENTER AN EMAIL AND PASSWORD 
    //echo "Data not provided"; 
} else { 
    // CONNECT TO MYSQL 
    $mysql = mysqli_connect("localhost", "root", "root"); 
    if(!$mysql) { 
    //echo "Cannot connect to PHPMyAdmin."; 
    exit; 
    } else { 

    } 
} 
// SELECT THE APPROPRIATE DATABASE 
$selected = mysqli_select_db($mysql, "languageapp"); 
if(!$selected) { 
    //echo "Cannot select database."; 
    exit; 
} else { 

} 

// GET THE USER'S UNIQUE SALT FROM THE DATABASE 
$unique_salt = mysqli_query($mysql, "select uniqueSalt from user where email = '".$email."'"); 
$row = mysqli_fetch_array($unique_salt); 
//echo "Salt: ".$row['uniqueSalt']; echo "<br/>"; 

// HASH THE PASSWORD 
$iterations = 10; 
$hashed_password = crypt($password,$row['uniqueSalt']); 
for ($i = 0; $i < $iterations; ++$i) 
{ 
    $hashed_password = crypt($hashed_password . $password,$row['uniqueSalt']); 
} 

//echo "Password entered by user: ".$hashed_password; echo "<br/>"; 

$user_db_password = mysqli_query($mysql, "select password from user where email = '".$email."'"); 
$row = mysqli_fetch_array($user_db_password); 
//echo "User's password: ".$row['password']; echo "<br/>"; 

// query the database to see if there is a record which matches 
$query = "select count(*) from user where email = '".$email."' and password = '".$hashed_password."'"; 
$result = mysqli_query($mysql, $query); 
if(!$result) { 
    //echo "Cannot run query."; 
    exit; 
} 

$row = mysqli_fetch_row($result); 
$count = $row[0]; 

if ($count > 0) { 
    session_start(); 
    $_SESSION['login'] = 1; 
    $_SESSION['email'] = $email; 
    $_SESSION['errors'] = ""; 
    header("location:profile.php"); 
    //echo "<h1>Login successful!</h1>"; 
    //echo "<p>Welcome.</p>"; 
    //echo "<p>This page is only visible when the correct details are provided.</p>"; 
} else { 
    session_start(); 
    $_SESSION['login'] = ''; 
    header("location:index.php"); 
    //echo "<h1>Login unsuccessful!</h1>"; 
    //echo "<p>The email and password combination entered was not recognized</p>"; 
} 

// CLEAN THE INPUT 
function sanitize_input($data) 
{ 
    $data = trim($data); 
    $data = stripslashes($data); 
    $data = htmlspecialchars($data); 
    return $data; 
} 

?> 
+0

幾周前,我在尋找相同的東西時也遇到了麻煩,但最終在別人的博客上發現了它。 – 2012-08-15 18:01:13

+0

你正在使用'mysqli'在正確的軌道上,但是你錯用了它。 'sanitize_input'是** NOT **在你的SQL查詢中使用適當的佔位符的替代。你應該**不要**直接使用'$'vars,而是使用'?'佔位符。 – tadman 2012-08-15 19:19:46

+0

@tadman你能解釋一下嗎?這個想法是不是改變用戶的輸入,而是改變數據的重複(佔位符)?也許你可以指示我一些關於它的信息。謝謝。 – garethdn 2012-08-16 12:15:53

回答

4

改變這一行:

if ($_SESSION['login'] == 1) { 

..to這樣的:

if (isset($_SESSION['login']) && $_SESSION['login'] == 1) { 

這樣,您在檢索之前檢查是否設置了'login'

+0

太棒了!這很容易 - 我擔心我做了一些大錯特錯的事情。謝謝 – garethdn 2012-08-15 17:59:53

+0

@garethdn如果答案有幫助,不要忘記標記正確! :) – Eric 2012-08-15 21:00:28