How to make my simple php/html login secure using Sessions? i.e. Unable to 'back' into application when logged out
Using Sessions (or otherwise) what can I do to make my page remember the variables when I go back to it?
On this page, when the user opens volleyLogin.php everything works: they log in with a username and can then go on to AddNew.php. When the user clicks "Create" on AddNew.php, it automatically returns to volleyLogin.php. The details from AddNew.php are saved to the MySQL database, but back on volleyLogin.php we see:
http://screencast.com/t/esgXUJlMa
This is the line:
```php
$sql = "SELECT * FROM user WHERE username = '$username'";
```
How can I fix this?
Here is my code:
volleyLogin.php
```php
<?php
require('dbConnect.php');
//if the session is already active, like we are coming back to this page from AddNew.php
if (session_status() == PHP_SESSION_ACTIVE) {
    //session_start();
    $username = $_SESSION['username'];
    $user_id = $_SESSION['user_id'];
}
//if user is logging in
if(isset($_POST['username'])){
    //helps stop sql injection
    $username = mysqli_real_escape_string($con,$_POST['username']);
}
//select everything from user
$sql = "SELECT * FROM user WHERE username = '$username'";
//get the result of the above
$result = mysqli_query($con,$sql);
//get every other record in the same row
$row = mysqli_fetch_assoc($result);
//make the user_id record in that row a variable
$user_id = $row["user_id"];
$username = $row["username"];
echo "user id is " . $user_id . "<br>";
echo "user name is " . $username . "<br>";
session_start();
$_SESSION['user_id']= $user_id;
$_SESSION['username'] = $username;
$sql2 = "SELECT * FROM review WHERE user_id = '$user_id'";
$result2 = mysqli_query($con,$sql2);
//if username isn't in the db
if (mysqli_num_rows($result)==0) {
    echo "Failed, sorry";
}
//if username is in the db
if (mysqli_num_rows($result) > 0) {
    //if username has reviews in the db
    while($rows = mysqli_fetch_assoc($result2)) {
        $review_id=$rows['review_id'];
        $_SESSION['review'] = $review_id;
        echo "review id is " . $review_id . "<br>";
        echo "<br>";
        echo "Category: " . $rows['cat_name'] . "<br>";
        echo "Name: " . $rows['name'] . "<br>";
        echo "Phone: " . $rows['phone'] . "<br>";
        //html stuff comes next
?>
<!-- show the + button, click for more details -->
<html>
<body>
<form action="showreview.php?id=<?=$review_id?>" method="post">
<input type="submit" value="+" name="show_review"><br>
</form>
<p></p>
</body>
</html>
<?php
    }
?>
<html>
<body>
<form action="AddNew.php" method="post">
<input type="submit" value="Add New" name="username"><br>
</form>
</body>
</html>
<?php
}
$con->close();
?>
```
AddNew.php
```php
<?php
require('dbConnect.php');
//use the variables we created in volleyLogin.php
session_start();
$username = $_SESSION['username'];
$user_id = $_SESSION['user_id'];
echo "user name is " . $username . "<br>";
echo "user id is " . $user_id . "<br>";
if (isset($_POST['create'])) {
    //escape the form values before they go into the query, as volleyLogin.php does for the username
    $category = mysqli_real_escape_string($con, $_POST['category']);
    $name = mysqli_real_escape_string($con, $_POST['name']);
    $phonenumber = mysqli_real_escape_string($con, $_POST['phonenumber']);
    $address = mysqli_real_escape_string($con, $_POST['address']);
    $comment = mysqli_real_escape_string($con, $_POST['comment']);
    //in the review table, create a new id, put in the cat_id it comes under, the user id...
    $sql2 = "INSERT INTO review VALUES(NULL,'666','{$category}','$user_id', '{$name}','{$phonenumber}','{$address}', '{$comment}')";
    if ($con->query($sql2) === TRUE) {
        header('Location:volleyLogin.php');
        //stop here so the form below is not rendered after the redirect header
        exit;
    } else {
        echo "Error: " . $sql2 . "<br>" . $con->error;
    }
}
$con->close();
?>
<!doctype html>
<html>
<body>
<h2>Create new Contact</h2>
<form method="post" action="" name="frmAdd">
<p><input type="text" name="category" id="category" placeholder="category"></p>
<p><input type="text" name="name" id="name" placeholder="name"></p>
<p><input type="text" name="phonenumber" id="phonenumber" placeholder="phone number"></p>
<p><input type="text" name="address" id="address" placeholder="address"></p>
<p><input type="text" name="comment" id="comment" placeholder="comment"></p>
<h2>Visible to :</h2>
<input type="radio" name="allmycontacts" value="All my Contacts">All my Contacts
<input type="radio" name="selectwho" value="Select Who">Select Who
<input type="radio" name="public" value="Public">Public
<input type="radio" name="justme" value="Just me">Just me
<p><input type="submit" name="create" id="create" value="Create new Contact"></p>
<a href="exit.php">Exit</a>
</form>
</body>
</html>
```
Thanks for your help.

Hmm, strange. In my volleyLogin.php I had:
```php
session_start();
$_SESSION['user_id'] = $user_id;
$_SESSION['username'] = $username;
```
I simply took session_start(); and moved it to the very top, right after the opening <?php tag, and now it works fine.
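As an added example (not the original poster's code), here is a hardened skeleton of volleyLogin.php that applies that fix and also covers the "back into the application after logout" part of the title. It assumes dbConnect.php provides a mysqli `$con` as in the question, an assumed `password_hash` column on the `user` table, mysqlnd for `get_result()`, and a hypothetical `logout` POST field; the `review` columns are the ones the question's loop reads.

```php
<?php
// Added example, not the poster's code. Assumes: mysqli $con from dbConnect.php,
// a `user` table with user_id, username and an assumed password_hash column,
// a `review` table with review_id, cat_name, name, phone, user_id.
require 'dbConnect.php';
// Start the session before anything touches $_SESSION; without this,
// session_status() reports PHP_SESSION_NONE and the old values are never read.
session_start();
// Stop browsers caching authenticated pages, so "Back" after logout
// re-requests the page instead of showing a cached copy.
header('Cache-Control: no-store, no-cache, must-revalidate');
// Logout (hypothetical POST field) must discard the session server-side,
// not just drop the cookie.
if (isset($_POST['logout'])) {
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
    header('Location: volleyLogin.php');
    exit;
}
// Login: prepared statement instead of interpolating the username, and a
// password check rather than trusting the username alone.
if (isset($_POST['username'], $_POST['password'])) {
    $stmt = $con->prepare('SELECT user_id, username, password_hash FROM user WHERE username = ?');
    $stmt->bind_param('s', $_POST['username']);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row && password_verify($_POST['password'], $row['password_hash'])) {
        session_regenerate_id(true);      // fresh session id after authentication
        $_SESSION['user_id']  = (int) $row['user_id'];
        $_SESSION['username'] = $row['username'];
    } else {
        echo 'Failed, sorry';             // one message for unknown user and bad password
    }
}
// Gate on the session, never on whether a form was just POSTed.
if (!isset($_SESSION['user_id'])) {
    echo 'Please log in.';
    exit;
}
// List this user's reviews; output is HTML-escaped before echoing.
$stmt = $con->prepare('SELECT review_id, cat_name, name, phone FROM review WHERE user_id = ?');
$stmt->bind_param('i', $_SESSION['user_id']);
$stmt->execute();
foreach ($stmt->get_result() as $r) {
    echo 'Category: ' . htmlspecialchars($r['cat_name'], ENT_QUOTES, 'UTF-8') . '<br>';
    echo 'Name: ' . htmlspecialchars($r['name'], ENT_QUOTES, 'UTF-8') . '<br>';
}
```

AddNew.php and exit.php would start with the same `session_start()` and the same `isset($_SESSION['user_id'])` gate, so that a user who has logged out cannot reach them by pressing Back.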