我在一个有登录表单的网站上工作。用户可以输入信息,如果有误,网站会发出警报。但是,问题是您可以通过更改地址栏中的名称登录后轻松进入该页面。
无需登录即可轻松进入该页面,所以这是不好的。你能帮忙吗?
验证.php:
<?php
$name =$_POST['user'];
$pass =$_POST['password'];
//Test code
//echo $pass;
//End Test Code
//Connection Code
session_start();
$con = mysqli_connect('localhost', 'root', '');
if ($con->connect_error) {
die("Connection failed: " . $con->connect_error);
}
mysqli_select_db($con, 'userregistration');
// Connection End
//Query Code
$s = "select * from usertable where name = '$name' and password = '$pass'";
//test
//echo $s;
$result = mysqli_query($con, $s);
$num = mysqli_num_rows($result);
if($num == 1){
echo "Hello " . $name;
}
else{
echo "<script>";
echo "alert('Incorrect Username or Password');";
echo "window.location.replace('login.html');";
echo "</script>";
}
?>
<!--html code-->
捐赠.php
<center><h1>Donate Here!</h1></center>
最佳答案
您必须在 session 中设置某种标记,以标记您的用户已通过身份验证(已登录)。您可以将当前用户的 user_id 存储在 $_SESSION['current_user_id']
中。
另请注意,您的查询是 sql 注入(inject)的良好目标,因此不要忘记通过 mysqli_real_escape_string
验证.php:
//...
$s = "select * from usertable where name = '"
.mysqli_real_escape_string($con, $name).
"' and password = '"
.mysqli_real_escape_string($con, $pass)
."'";
$result = mysqli_query($con, $s);
if ($row = mysqli_fetch_row($result))
{
// row fecthed, user found
$user_id = $row['user_id']; // Let expect that usertable has user_id column
$_SESSION['current_user_id'] = $user_id;
}
else
{
echo "<script>";
echo "alert('Incorrect Username or Password');";
echo "window.location.replace('login.html');";
echo "</script>";
exit();
}
//...
在您所有的页面上,在最开始放置代码:
some_page.php:
if (!isset($_SESSION['current_user_id'])) { exit('Your session expiried!') }
//... do some stuff
要注销您的用户,您可以取消设置 $_SESSION['current_user_id']
注销.php:
unset($_SESSION['current_user_id']);
关于php - 如果用户使用 php 登录,如何仅使页面可访问,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/55042200/