1. 首頁
  2. 問答
  3. 保護PHP網頁訪問

保護PHP網頁訪問

2015-09-15 136 views
0

我有一個用php和mysql編寫的登錄表單代碼(和一個數據庫打印代碼),由六部分組成:dbmanager.php,login.php,index.php,login_process.php,home.php和user.php。保護PHP網頁訪問

登錄過程正常,當有人輸入有效的用戶名和密碼時,該用戶被重定向到home.php。而且,如果有人輸入了無效的用戶名或密碼,該用戶將被重定向到login_process.php,表明它是無效的用戶名或密碼,這很好。

問題是,如果任何人直接進入home.php,那麼這個人是正確的身份驗證,而無需輸入任何用戶名或密碼。

你可以請我們指導我爲了確保home.php只爲數據庫中的用戶?

在此先感謝!我非常感謝你的幫助!

我的數據庫由四列組成:用戶名,密碼,姓氏和名字。

這是我的代碼:

dbmanager.php

<?php 
class DBManager{ 

    function getConnection(){ 

    $services = getenv("VCAP_SERVICES"); 
    $services_json = json_decode($services,true); 
    $mysql_config = $services_json["mysql-5.5"][0]["credentials"]; 

    $db = $mysql_config["name"]; 
    $host = $mysql_config["host"]; 
    $port = $mysql_config["port"]; 
    $username = $mysql_config["user"]; 
    $password = $mysql_config["password"]; 

    $conn = mysql_connect($host . ':' . $port, $username, $password); 

    if(! $conn){ 
     die('Could not connect: ' . mysql_error()); 
    } 

    mysql_select_db($db); 
    return $conn; 
    } 
} 
?>

的index.php

<?php 
    require 'user.php'; 
?> 
<html> 
    <head> 
    <title>DB Query PHP Page</title> 
    </head> 
    <body> 
    <p>SAMPLE PHP SITE</p> 
    <p>Contents of table User:</p> 
    <table border='1'> 
     <tr> 
     <td>Username</td> 
     <td>Password</td> 
     <td>Last Name</td> 
     <td>First Name</td> 
     </tr> 
    <?php 
     //refer to user.php for the implementation of the class User 
     $user_list = (new User())->selectAll(); 

     foreach($user_list as $user) { 
     echo '<tr>'; 
     echo '<td>'.$user->username.'</td>'; 
     echo '<td>'.$user->password.'</td>'; 
     echo '<td>'.$user->lastname.'</td>'; 
     echo '<td>'.$user->firstname.'</td>'; 
     echo '</tr>'; 
     } 
    ?> 
    </table> 

    <br><br> 
    Click <a href='login.php'>[here]</a> to test the login page.<br> 

    </body> 
</html>

的login.php

<html> 
    <head> 
    <title>Login Page</title> 
    </head> 
    <body> 
    <p>SAMPLE PHP SITE</p> 
    <p>Enter Username and Password to Login:</p> 
    <form action='login_process.php' method='post'> 
     <table border='1'> 
     <tr> 
      <td>Username:</td> 
      <td><input type='text' name='username'></td> 
     </tr> 
     <tr> 
      <td>Password:</td> 
      <td><input type='password' name='password'></td> 
     </tr> 
     <tr> 
      <td>&nbsp</td> 
      <td><input type='submit' value='Login'></td> 
     </tr> 
     </table> 
    </form> 
    </body> 
</html>

login_process.php

<?php 
    require 'user.php'; 
?> 
<?php 
    $user = new User(); 
    $user->username = $_REQUEST['username']; 
    $user->password = $_REQUEST['password']; 

    $found = $user->checkLogin(); 

    if ($found){//redirect to home page 
    session_start(); 
    $_SESSION['current_user']=$user; 

    header("Location: home.php"); 
    exit; 
    }else{//invalid username and password 
    echo "Invalid username/password. Click <a href='login.php'>[here]</a> to login again.<br>"; 
    echo "<br>"; 
    echo "You may also click <a href='index.php'>[here]</a> to see the list of usernames and passwords.<br>"; 
    } 
?>

home.php

<?php 
    require 'user.php'; 
?> 

    <html> 
     <head> 
     <title>Home Page</title> 
     </head> 
     <body> 
     <p>SAMPLE PHP SITE</p> 
     <p> 
      You have successfully logged in 

      <?php 
      session_start(); 

      $user = $_SESSION['current_user']; 

      echo $user->firstname.' '.$user->lastname.'.'; 
      ?> 
     </p> 

     <p>This is your home page.</p> 
     </body> 
    </html>

user.php的

<?php 
    require 'dbmanager.php'; 
?> 
<?php 
class User{ 

    var $username; 
    var $password; 
    var $lastname; 
    var $firstname; 

    function checkLogin(){ 
    $dbm = new DBManager(); 
    $conn = $dbm->getConnection(); 

    $username = mysql_real_escape_string($this->username); 
    $password = mysql_real_escape_string($this->password); 

    $sql_stmt = "SELECT * FROM User WHERE username = '".$username."' AND password = '".$password."'"; 


    //place in retval result of the SQL query 
    $retval = mysql_query($sql_stmt, $conn); 

    //check if SQL query is successful 
    if(! $retval){ 
     mysql_close($conn); 
     die('Could not read User table: ' . mysql_error()); 
    } 

    $found = false; 
    //get first retrieved row from retval 
    if ($dbfield = mysql_fetch_assoc($retval)) { 
     $found = true; 

     //initialize fields of this object with the columns retrieved from the query 
     $this->username = $dbfield['username']; 
     $this->password = $dbfield['password']; 
     $this->lastname = $dbfield['lastname']; 
     $this->firstname = $dbfield['firstname']; 
    } 

    return $found; 
    } 

    function selectAll(){ 
    $dbm = new DBManager(); 
    $conn = $dbm->getConnection(); 

    $sql_stmt = "SELECT * FROM User"; 

    //place in retval result of the SQL query 
    $retval = mysql_query($sql_stmt, $conn); 

    //check if SQL query is successful 
    if(! $retval){ 
     mysql_close($conn); 
     die('Could not read User table: ' . mysql_error()); 
    } 

    //create an empty array that will eventually contain the list of users 
    $user_list=array(); 


    //iterate each row in retval 
    while ($dbfield = mysql_fetch_assoc($retval)) { 
     //instantiate a user object 
     $user = new User();  

     //initialize fields of user object with the columns retrieved from the query 
     $user->username = $dbfield['username']; 
     $user->password = $dbfield['password']; 
     $user->lastname = $dbfield['lastname']; 
     $user->firstname = $dbfield['firstname']; 

     //add the user object in the array 
     $user_list[] = $user; 
    } 


    mysql_close($conn); 

    //return the array 
    return $user_list; 
    } 
} 
?>

來源

2015-09-15 Randall Núñez Aguilar

+0

使用'$ _SESSION'陣列的狀態,以測試用戶是否已經正確地或者沒有登錄。 – Scuzzy

回答

3

喲每一個單你的「安全」頁面需要用戶認證/驗證的東西。

這可能是因爲簡單的東西:

whatever.php:

<?php 
include("usercheck.php"); 
?> 

page stuff here...

usercheck.php:

<?php 
session_start(); 
if (!$_SESSION['logged_in']) { 
    header('Location: login.php'); 
    exit(); 
}

來源

2015-09-15 21:39:35

+0

你好,謝謝你的回答! 我剛剛用你提供給我的代碼創建了一個usercheck.php文件,然後將它包含到home.php文件中,但並不適用於我:-S我不知道如果我錯過了處理以及你向我解釋了什麼!請糾正我,並感謝您的時間! –

+0

您是否已將'!$ _ SESSION ['logged_in']'更改爲'!isset($ _ SESSION ['current_user'])'以適應您的代碼?這只是一個例子,不要盲目複製。 – Capsule

+0

我改變了current_user的logged_in之前,但沒有添加!isset,但現在它工作!朋友,謝謝!!! –

-1

基本上,你在你的本地目錄下創建一個lib目錄結構和lib中的所有文件都不會公開,但您仍然可以從您的php應用程序中訪問它們。

這裏是Cloud Foundry中的PHP應用程序的文件結構的例子:

alexs-mbp:ads-php-test adasilva$ ls -l 
total 72 
[email protected] 1 adasilva staff 490 Sep 14 23:00 README.txt 
[email protected] 1 adasilva staff 990 Sep 14 19:09 checklogin.php 
[email protected] 1 adasilva staff  2 Sep 14 23:00 composer.json 
[email protected] 3 adasilva staff 102 Sep 14 19:01 images 
drwxr-xr-x 3 adasilva staff 102 Sep 14 19:14 includes 
[email protected] 1 adasilva staff 709 Sep 14 23:00 index.php 
drwxr-xr-x 2 adasilva staff 68 Sep 15 17:41 lib 
[email protected] 1 adasilva staff 261 Sep 14 19:09 loginsuccess.php 
[email protected] 1 adasilva staff 88 Sep 14 19:11 logout.php 
[email protected] 1 adasilva staff 809 Sep 14 19:08 main_login.php 
[email protected] 1 adasilva staff 193 Sep 14 23:00 manifest.yml 
[email protected] 1 adasilva staff 1157 Sep 14 23:00 style.css 
alexs-mbp:ads-php-test adasilva$

lib目錄下的任何內容不會被公開曝光,讓你可以把你的home.php文件存在。

看到更多細節在這裏:

http://docs.cloudfoundry.org/buildpacks/php/gsg-php-usage.html

來源

2015-09-15 21:47:06

+0

感謝您的回答! 我只是這樣做,但在login_process.php我重定向到home.php我改變了頭(「位置:home.php」); for header(「Location:lib/home.php」);但不能正常工作,你能告訴我我做錯了什麼? if($ found){//重定向到主頁 session_start(); $ _SESSION ['current_user'] = $ user; header(「Location:lib/home.php」); 退出; –

相關問題

 相關問題