我有一個用php和mysql編寫的登錄表單代碼(和一個數據庫打印代碼),由六部分組成:dbmanager.php,login.php,index.php,login_process.php,home.php和user.php。保護PHP網頁訪問
登錄過程正常,當有人輸入有效的用戶名和密碼時,該用戶被重定向到home.php。而且,如果有人輸入了無效的用戶名或密碼,該用戶將被重定向到login_process.php,表明它是無效的用戶名或密碼,這很好。
問題是,如果任何人直接進入home.php,那麼這個人是正確的身份驗證,而無需輸入任何用戶名或密碼。
你可以請我們指導我爲了確保home.php只爲數據庫中的用戶?
在此先感謝!我非常感謝你的幫助!
我的數據庫由四列組成:用戶名,密碼,姓氏和名字。
這是我的代碼:
dbmanager.php
<?php
class DBManager{
function getConnection(){
$services = getenv("VCAP_SERVICES");
$services_json = json_decode($services,true);
$mysql_config = $services_json["mysql-5.5"][0]["credentials"];
$db = $mysql_config["name"];
$host = $mysql_config["host"];
$port = $mysql_config["port"];
$username = $mysql_config["user"];
$password = $mysql_config["password"];
$conn = mysql_connect($host . ':' . $port, $username, $password);
if(! $conn){
die('Could not connect: ' . mysql_error());
}
mysql_select_db($db);
return $conn;
}
}
?>
的index.php
<?php
require 'user.php';
?>
<html>
<head>
<title>DB Query PHP Page</title>
</head>
<body>
<p>SAMPLE PHP SITE</p>
<p>Contents of table User:</p>
<table border='1'>
<tr>
<td>Username</td>
<td>Password</td>
<td>Last Name</td>
<td>First Name</td>
</tr>
<?php
//refer to user.php for the implementation of the class User
$user_list = (new User())->selectAll();
foreach($user_list as $user) {
echo '<tr>';
echo '<td>'.$user->username.'</td>';
echo '<td>'.$user->password.'</td>';
echo '<td>'.$user->lastname.'</td>';
echo '<td>'.$user->firstname.'</td>';
echo '</tr>';
}
?>
</table>
<br><br>
Click <a href='login.php'>[here]</a> to test the login page.<br>
</body>
</html>
的login.php
<html>
<head>
<title>Login Page</title>
</head>
<body>
<p>SAMPLE PHP SITE</p>
<p>Enter Username and Password to Login:</p>
<form action='login_process.php' method='post'>
<table border='1'>
<tr>
<td>Username:</td>
<td><input type='text' name='username'></td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='password'></td>
</tr>
<tr>
<td> </td>
<td><input type='submit' value='Login'></td>
</tr>
</table>
</form>
</body>
</html>
login_process.php
<?php
require 'user.php';
?>
<?php
$user = new User();
$user->username = $_REQUEST['username'];
$user->password = $_REQUEST['password'];
$found = $user->checkLogin();
if ($found){//redirect to home page
session_start();
$_SESSION['current_user']=$user;
header("Location: home.php");
exit;
}else{//invalid username and password
echo "Invalid username/password. Click <a href='login.php'>[here]</a> to login again.<br>";
echo "<br>";
echo "You may also click <a href='index.php'>[here]</a> to see the list of usernames and passwords.<br>";
}
?>
home.php
<?php
require 'user.php';
?>
<html>
<head>
<title>Home Page</title>
</head>
<body>
<p>SAMPLE PHP SITE</p>
<p>
You have successfully logged in
<?php
session_start();
$user = $_SESSION['current_user'];
echo $user->firstname.' '.$user->lastname.'.';
?>
</p>
<p>This is your home page.</p>
</body>
</html>
user.php的
<?php
require 'dbmanager.php';
?>
<?php
class User{
var $username;
var $password;
var $lastname;
var $firstname;
function checkLogin(){
$dbm = new DBManager();
$conn = $dbm->getConnection();
$username = mysql_real_escape_string($this->username);
$password = mysql_real_escape_string($this->password);
$sql_stmt = "SELECT * FROM User WHERE username = '".$username."' AND password = '".$password."'";
//place in retval result of the SQL query
$retval = mysql_query($sql_stmt, $conn);
//check if SQL query is successful
if(! $retval){
mysql_close($conn);
die('Could not read User table: ' . mysql_error());
}
$found = false;
//get first retrieved row from retval
if ($dbfield = mysql_fetch_assoc($retval)) {
$found = true;
//initialize fields of this object with the columns retrieved from the query
$this->username = $dbfield['username'];
$this->password = $dbfield['password'];
$this->lastname = $dbfield['lastname'];
$this->firstname = $dbfield['firstname'];
}
return $found;
}
function selectAll(){
$dbm = new DBManager();
$conn = $dbm->getConnection();
$sql_stmt = "SELECT * FROM User";
//place in retval result of the SQL query
$retval = mysql_query($sql_stmt, $conn);
//check if SQL query is successful
if(! $retval){
mysql_close($conn);
die('Could not read User table: ' . mysql_error());
}
//create an empty array that will eventually contain the list of users
$user_list=array();
//iterate each row in retval
while ($dbfield = mysql_fetch_assoc($retval)) {
//instantiate a user object
$user = new User();
//initialize fields of user object with the columns retrieved from the query
$user->username = $dbfield['username'];
$user->password = $dbfield['password'];
$user->lastname = $dbfield['lastname'];
$user->firstname = $dbfield['firstname'];
//add the user object in the array
$user_list[] = $user;
}
mysql_close($conn);
//return the array
return $user_list;
}
}
?>
使用'$ _SESSION'陣列的狀態,以測試用戶是否已經正確地或者沒有登錄。 – Scuzzy