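Keep login active in session (PHP)

Hello, I have a problem. I have 2 pages: one is the login page and one is the private page. When I log in and try to go to my private page through the link provided, my private page sends me back to the login page, like a never-ending circle.
- I'm fully aware it's open to simple attacks.
- Sorry if the code looks bad, I'm still learning.
- Thank you in advance.

My login page: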
<html>
<head>
<title>User Login Form - PHP MySQL Ligin System | W3Epic.com</title>
</head>
<body>
<h1>User Login Form - PHP MySQL Ligin System | W3Epic.com</h1>
<?php
session_start("login");
if (!isset($_POST['submit'])){
?>
<!-- The HTML login form -->
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
Username: <input type="text" name="username" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" name="submit" value="Login" />
</form>
<?php
} else {
require_once("db_const.php");
$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
# check connection
if ($mysqli->connect_errno) {
echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
exit();
}
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * from members WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1";
$result = $mysqli->query($sql);
if (!$result->num_rows == 1) {
echo "<p>Invalid username/password combination</p>";
} else {
echo "<table align=center><tr>
<font color=#000000 face=Arial, Helvetica, sans-serif size=+2>
<td align=center><p>Logged in successfully</p></td></tr>";
echo "<tr><td align=center><p>welcome!</p></td></tr>";
echo "<tr><td align=center><p>what wood you like to work whit today ". $username . "!</p></td></tr></table>";
echo "<table align=center><tr><td align=center><a href=adminsearch.php>
<class\= color=#000000; face=Arial Black, Gadget, sans-seri;style=」text-decoration:none; size=+2>Admin</a></td>";
echo "<td align=center>⇔</td>";
echo "<td align=center><a href=constructionsearch.php>
<class\= color=#000000; face=Arial Black, Gadget, sans-seri;style=」text-decoration:none; size=+2>Construction</a></td>";
echo "<td align=center>⇔</td>";
echo "<td align=center><a href=drivingsearch.php>
<class\= color=#000000; face=Arial Black, Gadget, sans-seri;style=」text-decoration:none; size=+2>Driving</a></td>";
echo "<td align=center>⇔</td>";
echo "<td align=center><a href=industrialsearch.php>
<class\= color=#000000; face=Arial Black, Gadget, sans-seri;style=」text-decoration:none; size=+2>Industrial</a></td></font></table>";
}
}
?>
</body>
</html>
This is my private page:
<?php
if (isset($_SESSION['login']) && $_SESSION['login'] == true) {
echo "Welcome to the member's area, " . $_SESSION['username'] . "!";
} else {
header ("Location: login.php");
}
?>
<?php
//load database connection
require_once("db_search.php");
if (!isset($_POST['submit']));
$pdo = new PDO("mysql:host=$host;dbname=$database_name", $user, $password, array(
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
));
// Search from MySQL database table
$search=$_POST['search'];
$query = $pdo->prepare("select * from admin where psc LIKE '%$search%' OR trade LIKE '%$search%' LIMIT 0 , 10");
$query->bindValue(1, "%$search%", PDO::PARAM_STR);
$query->execute();
// Display search result
?>
<html>
<head>
<title> How To Create A Database Search With MySQL & PHP Script | Tutorial.World.Edu </title>
</head>
<body>
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
Search: <input type="text" name="search" placeholder=" Search here ... "/>
<input type="submit" value="Submit" />
</form>
<?php
if (!$query->rowCount() == 0) {
echo "Search found :<br/>";
echo "<table style=\"font-family:arial;color:#333333;\">";
echo "<tr>
<td style=\"border-style:solid;border-width:1px;border-color:#98bf21;background:#98bf21;\">First Name</td>
<td style=\"border-style:solid;border-width:1px;border-color:#98bf21;background:#98bf21;\">Last Name</td>
<td style=\"border-style:solid;border-width:1px;border-color:#98bf21;background:#98bf21;\">Trade</td>
<td style=\"border-style:solid;border-width:1px;border-color:#98bf21;background:#98bf21;\">Post Code</td>
<td style=\"border-style:solid;border-width:1px;border-color:#98bf21;background:#98bf21;\">Telephone</td>
<td style=\"border-style:solid;border-width:1px;border-color:#98bf21;background:#98bf21;\">Comments</td>
<td style=\"border-style:solid;border-width:1px;border-color:#98bf21;background:#98bf21;\">To be use</td></tr>";
while ($results = $query->fetch()) {
echo "<tr><td style=\"border-style:solid;border-width:1px;border-color:#98bf21;\">";
echo $results['f_name'];
echo "</td><td style=\"border-style:solid;border-width:1px;border-color:#98bf21;\">";
echo $results['l_name'];
echo "</td><td style=\"border-style:solid;border-width:1px;border-color:#98bf21;\">";
echo $results['trade'];
echo "</td><td style=\"border-style:solid;border-width:1px;border-color:#98bf21;\">";
echo $results['psc'];
echo "</td><td style=\"border-style:solid;border-width:1px;border-color:#98bf21;\">";
echo $results['phone'];
echo "</td><td style=\"border-style:solid;border-width:1px;border-color:#98bf21;\">";
echo $results['comm'];
echo "</td><td style=\"border-style:solid;border-width:1px;border-color:#98bf21;\">";
echo("<button onclick=\"location.href='del.php?del=" . $results['id'] . "'\"> delete user</button>");
echo "</td></tr>";
}
echo "</table>";
} else {
echo 'Nothing found';
}
?>
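`session_start` needs to be called at the *top* of *every* page. Also, I've never seen it called with a parameter, and I can't find any documentation for that...
Before output, not at the top: **To use cookie-based sessions, session_start() must be called before outputting anything to the browser.** – 2015-07-21 02:24:32
Possible duplicate of [PHP session lost after redirect](http://stackoverflow.com/questions/17242346/php-session-lost-after-redirect)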
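
The fix the comments point to, as an added example that is not the asker's code: start the session before any output on both pages, set the flag the private page tests once the login succeeds, and stop the script after redirecting. The file name `auth.php`, the helpers `attempt_login()` and `require_login()`, and a `members.password` column holding `password_hash()` output are assumptions.

```php
<?php
// auth.php (hypothetical name) - added example, not the asker's code.
// Include it as the FIRST line of login.php and of every private page,
// before any HTML or whitespace is sent to the browser.
declare(strict_types=1);

// session_start() takes no session name; PHP 7+ accepts only an options array.
session_start([
    'cookie_httponly' => true,   // keep the session cookie away from scripts
    'cookie_samesite' => 'Lax',  // PHP 7.3+
    'use_strict_mode' => true,   // refuse session IDs the server did not issue
]);

// Called by login.php when the form is posted. Assumes members.password
// stores a password_hash() value (an assumption, see the lead-in).
function attempt_login(mysqli $db, string $username, string $password): bool
{
    // Bound parameter and exact match instead of LIKE on interpolated input.
    $stmt = $db->prepare('SELECT username, password FROM members WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($name, $hash);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);     // fresh ID at login, against session fixation
    $_SESSION['login'] = true;       // the flag the private page checks
    $_SESSION['username'] = $name;
    return true;
}

// Called at the top of every private page, after including this file.
function require_login(): void
{
    if (empty($_SESSION['login'])) {
        header('Location: login.php');
        exit;                        // header() alone does not stop the page from running
    }
}
```

Because the posted login page never writes `$_SESSION['login']` and the private page never starts the session, the check on the private page always fails; with this file included first on both pages, the flag set at login is visible on the next request.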