[英]How can I display userID in Sessions?
I would like to get except of the username and user ID in a page. 除了页面中的用户名和用户ID,我想获取其他信息。 About that I created two php pages.
关于这一点,我创建了两个PHP页面。 Also my database consists of 3 columns userid, username, password.
另外,我的数据库由3列userid,用户名,密码组成。 The login.php page is
login.php页面是
<?php
session_start();
//@$userid = $_GET['userid'];
@$username = $_POST['username'];
@$password = $_POST['pass'];
if(@$_POST['Submit']){
if($username&&$password)
{
$connect = mysql_connect("localhost","*****","") or die("Cannot Connect");
mysql_select_db("project") or die("Cannot find the database");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
//$query = mysql_query("SELECT * FROM users WHERE userid='$userid' and username='$username'");
$numrows = mysql_num_rows($query);
if($numrows!=0)
{
while ($row = mysql_fetch_assoc($query))
//while ($row = mysql_fetch_array($query))
{
$dbuserid = $row['userid'];
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if($username==$dbusername&&$password==$dbpassword)
{
echo "You are login!!!!! Continue now with the survey <a href='mainpage.php'>here</a>";
$_SESSION['username']=$username;
$_SESSION['userid']=$userid;
}
else
{
echo "<b>Incorrect Password!!!!</b>";
}
}
else
//die("That user does not exist");
echo "<b>That user does not exist</b>";
}
else
echo "<b>You must enter a username and a password</b>";
}
?>
<!--<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!--<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />-->
<title>Login Page</title>
<style type="text/css">
h2 {letter-spacing: 10px; font-size: .2in; background-color: #33CC00; color: #000000; text-transform:uppercase; width:260px}
span {color: #FF00CC}
legend {font-variant: small-caps; font-weight: bold}
fieldset {width: 260px; height: 100px; font-family: "Times New Roman", Times, serif; background-color: #CCCCCC; color: #000000}
label {display:block;}
.placeButtons {position: relative; left: 0px; width: 70px; margin: 5px; 0px;}
</style>
</head>
<body background="images/good.jpg">
<h2>Login Page</h2>
<form name="loginform" method='POST'>
<fieldset>
<legend>Form</legend>
<label>Username: <input type="text" name="username"/><span>*</span></label><br/>
<label>Password: <input type="password" name="pass"/><span>*</span></label>
<input class="placeButtons" type="reset" value='Reset'/>
<input class="placeButtons" type="submit" name="Submit" value='Login'/>
<a href='registration.php'>Register</a>
</fieldset><br>
<a href='firstpage.php'><-- Go Back</a>
</form>
</body>
</html>
and the page which is a welcome page of the user 和作为用户欢迎页面的页面
<?php
session_start();
if ($_SESSION['username'])
{
//echo "Welcome, ".$_SESSION['username']."! <a href='logout.php'>Logout</a>";
echo "Welcome, ".$_SESSION['username']."<br>".$_SESSION['userid']. "<a href='logout.php'>Logout</a>";
}
else
die("You must be logged in!!");
?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!--<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />-->
<title></title>
</head>
<body background="images/good.jpg">
</body>
</html>
The problem is that in the welcome page it shows me only the username and not the UserID. 问题在于,在欢迎页面中,它仅显示用户名,而不显示UserID。 What am I missing?
我想念什么? Furthermore, I know that my login page is not the best and is a typical example of SQL injection attack.
此外,我知道我的登录页面并不是最好的登录页面,它是SQL注入攻击的典型示例。 I have to improve it.
我必须改善它。
A quick thing i noticed. 我注意到一个快速的事情。 That might be the problem.
那可能是问题所在。 The
$_SESSION['userid']
is getting value from $userid
which is not set. $_SESSION['userid']
正在从未设置的$userid
获取价值。 Also using @
to supress your error is not a good practice. 另外,使用
@
抑制错误不是一个好习惯。 use isset
to check if the variable is set and continue. 使用
isset
检查变量是否已设置并继续。
$_SESSION['userid'] = $userid; //where are you getting $userid from?
This should be 这应该是
$_SESSION['userid'] = $dbuserid;
Also instead of using statement like 也不要使用像
if ($_SESSION['username'])
First check if the variable is set like this 首先检查变量是否像这样设置
if ( isset($_SESSION['username']) ){
//now continue your work
}
and make sure you use ini_set('session_save_path', 'new_dir') or the function session_save_path when you are on a shared webhost. 并确保在共享的Web主机上时使用ini_set('session_save_path','new_dir')或函数session_save_path。 sessions that are in the same directory from different websites are prone to session stealing / snooping / modification.
来自不同网站的同一目录中的会话很容易被会话窃取/监听/修改。
I checked the PHP source code PHP doesn't keep track which session id's are made by with website (HOST) that why this attack works if the attacker has a account on the same webhosting 我检查了PHP源代码,PHP没有跟踪与网站(HOST)进行的会话ID,这说明了为什么攻击者在同一虚拟主机上拥有一个帐户的情况下,此攻击有效的原因
So never put to much trust in the SESSION array because you think it's safe because it's server generated it's not if you don't make countermeasures... 因此,切勿对SESSION数组寄予太大的信任,因为您认为它是安全的,因为它是服务器生成的,如果您不采取对策的话就不会...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.