[英]Login Form and Protecting Pages only for Logged in Users?
I've created a login form in PHP that works ok, but I've realised my page my user is directed too can still be accessed by anybody. 我已经在PHP中创建了一个可以正常运行的登录表单,但是我意识到我的用户所指向的页面仍然可以被任何人访问。 How do I go on protecting the pages for it to be only accessible only by those who are logged into the site?
我该如何继续保护页面,使其只有登录该站点的用户才能访问?
Do I need to place a script on the success page itself? 我是否需要在成功页面本身上放置脚本?
I've tried quite a few different things, but not sure what is going on. 我尝试了很多不同的事情,但是不确定发生了什么。 Here is what I have so far!
这是我到目前为止所拥有的!
checking_login.php Checking_login.php
<?php
ob_start();
$host=""; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name=""; // Database name
$tbl_name=""; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['username'] = $myusername;
$_SESSION['password'] = $mypassword;
header("location: portkey.php");
}
else {
echo "Wrong Username or Password. ";
}
ob_end_flush();
?>
Here is the page part of where I was talking about redirecting the page too. 这也是我刚才所说的重定向页面的页面部分。 (Its still public to everyone).
(仍对所有人公开)。
<?php
session_start();
$host=""; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name=""; // Database name
$tbl_name="members"; // Table name
session_start();
if(!isset($_SESSION['myusername'])) {
header("location:login.php");
}
?>
Login is the page with the form. 登录是带有表单的页面。 The table/users.
表/用户。
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1">
<tr>
<form name="form1" method="post" action="checking.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1">
<tr>
</tr>
<tr>
<td width="78">Username</td>
<td width="0">:</td>
<td width="294"><input name="myusername" type="text" id="myusername"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="mypassword" type="text" id="mypassword"></td>
</tr>
<tr>
<td> </td>
<td> </td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
You need to check if username
isset: 您需要检查是否设置了
username
:
if(!isset($_SESSION['username'])) {
header("location:login.php");
}
Also, you are calling session_start();
另外,您正在调用
session_start();
twice. 两次。 The second call will however be ignored.
但是,第二个呼叫将被忽略。
Tip : Instead of storing the username and password, you should be storing the user id
in the session. 提示 :您应该在会话中存储用户
id
,而不是存储用户名和密码。
You don't start the session on checking_login.php
. 您不会在
checking_login.php
上启动会话。 Change your code to: 将您的代码更改为:
session_start();
$_SESSION['username'] = $myusername;
$_SESSION['password'] = $mypassword;
You don't need to start the session twice on the protected page. 您无需在受保护的页面上两次启动会话。 Remove the
session_start();
删除
session_start();
above the if
statement. 在
if
语句上方。
In addition... on your protected page, you're checking for a session that doesn't exist! 此外...在受保护的页面上,您正在检查的会话不存在! Change
if(!isset($_SESSION['myusername'])) {
to if(!isset($_SESSION['username'])) {
将
if(!isset($_SESSION['myusername'])) {
更改为if(!isset($_SESSION['username'])) {
The reason your members-only page is still visible and accessible by anyone is, because you have not correctly checked, if there is a user session
set. 仅成员页面仍然对任何人可见并且可以访问的原因是,因为您没有正确检查是否存在
user session
集。
To make your code work, you need to change you conditional statement from: 为了使代码正常工作,您需要将条件语句更改为:
if(!isset($_SESSION['myusername'])) {
header("location:login.php");
}
to: 至:
if(!isset($_SESSION['username'])) {
header("location: login.php");
}
because myusername
is is not the variable you stored into your session. 因为
myusername
不是您存储在会话中的变量。
Quoting your setting of the $_SESSION
: 引用
$_SESSION
设置:
$_SESSION['username'] = $myusername;
$ _SESSION ['username'] = $ myusername;
When you set your $_SESSION
you used username
and not myusername
. 设置
$_SESSION
,使用的是username
而不是myusername
。 Be sure to stick to that when checking if $_SESSION
is set. 在检查
$_SESSION
是否设置时,请务必遵守。
In order for your page to work as you desire you must use the following format: 为了使页面按您的期望工作,必须使用以下格式:
<?php session_start(); ?>
<!DOCTYPE html>
<html>
<head></head>
<body>
<?php
// Check if user session is set. If it is redirect to login.php.
if(!isset($_SESSION['username'])):
header("location: login.php");
// If it is not set show the your login form.
else:
?>
<!--Your HTML code for the form.-->
<?php
endif;
?>
</body>
</html>
In case your login form is in another page, then you can redirect again by changing the else
part as shown: 如果您的登录表单在另一个页面中,则可以通过更改
else
部分来再次重定向,如下所示:
// If it is not set show the your login form.
else:
header("location: loginform.php"); // The name of the file
endif;
If you have a global header.php
file, then in that check if the $_SESSION['username']
is set. 如果您具有全局
header.php
文件,则在该检查中是否设置了$_SESSION['username']
。 If it is, set $logged_in = true
, and if it's not, set $logged_in = false
. 如果是,则设置
$logged_in = true
,否则,请设置$logged_in = false
。 It's what I use for my website. 这就是我在网站上使用的内容。 If you don't use
header.php
, then in the page check for $_SESSION['username']
. 如果不使用
header.php
,则在页面中检查$_SESSION['username']
。 For both, if $looged_in = true
or isset($_SESSION['username'])
, then DON'T redirect. 对于两者,如果
$looged_in = true
或isset($_SESSION['username'])
,则不要重定向。 but if $logged_in = false
or !isset($_SESSION['username'])
then you redirect them. 但是如果
$logged_in = false
或!isset($_SESSION['username'])
则可以重定向它们。 You could also set a $_SESSION['logged_in']
variable. 您还可以设置
$_SESSION['logged_in']
变量。
some code to help. 一些代码来帮助。
header('location: page.php'); // REDIRECT VIA PHP
// IF YOU HAVE header.php
if(isset($_SESSION['username'])) $logged_in = true; // IN herder.php
else $logged_in = false; // IN herder.php
if($logged_in != true) header('location: login.php') // IN USERS ONLY PAGE
// IF YOU DON'T HAVE header.php
// OPTION 1
if(!isset($_SESSION['username'])) header('location: login.php'); // IN USERS ONLY PAGE
// OPTION 2
$_SESSION['logged_in'] = true; // WHEN THE USER HAS LOGGED IN
if($_SESSION['logged_in'] != true) header('location: login.php'); // IN USERS ONLY PAGE
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.