这是我的页面,它应该检查用户是否已登录http://carbonyzed.co.uk/Websites/Jason/sites/2/test/login_success.php
但任何人都可以评估它,而不仅仅是那些登录的人
<?php
session_start();
if( isset($_SESSION["myusername"]) ){
header("location:main_login.html");
}
?>
我试过了
if( isset($_SESSION["myusername"]) ){
和
if( isset($_SESSION[$myusername]) ){
登录代码 也许未创建会话?
<?php
ob_start();
$host="ClubEvents.db.9606426.hostedresource.com"; // Host name
$username="ClubEventsRead"; // Mysql username
$password="Pa55word!"; // Mysql password
$db_name="ClubEvents"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>
NOT 运算符!
添加到 if 语句中。另外,不要忘记在标题后添加exit()
。location
标头告诉浏览器重定向,但攻击者可以查看您的页面并简单地忽略location
标头,从而绕过您的身份验证系统,因为您的 PHP 代码将继续执行。
if( !isset($_SESSION["myusername"]) ){
header("location:main_login.html");
exit();
}
此外,您没有在发布的登录代码中调用session_start()
,因此无法访问会话。
<?php
session_start();
if (!isset($_SESSION['myusername']))
{
header('Location: main_login.html');
}
?>
您需要否定支票。
您还可以使用:
<?php
session_start();
if (empty($_SESSION['myusername'])) {
header('Location: main_login.html');
}
?>