这是在我的页面中,它应该检查用户是否登录 http://carbonyzed.co.uk/Websites/Jason/sites/2/test/login_success.php
但任何人都可以评估它,而不仅仅是那些登录的人
<?php
session_start();
if( isset($_SESSION["myusername"]) ){
header("location:main_login.html");
}
?>
我试过了
if(isset($ _ SESSION ["myusername"])){
和
if(isset($ _ SESSION [$ myusername])){
登录代码可能还没有创建会话?
<?php
ob_start();
$host="ClubEvents.db.9606426.hostedresource.com"; // Host name
$username="ClubEventsRead"; // Mysql username
$password="Pa55word!"; // Mysql password
$db_name="ClubEvents"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>
将NOT运算符添加!到if语句.另外不要忘记exit()在标题后添加.该location头告诉浏览器重定向,但攻击者可以查看您的网页,只要忽略location头部,从而绕过验证系统监守你的PHP代码将继续执行.
if( !isset($_SESSION["myusername"]) ){
header("location:main_login.html");
exit();
}
此外,您没有调用session_start()您发布的登录代码,因此无法访问会话.
<?php
session_start();
if (!isset($_SESSION['myusername']))
{
header('Location: main_login.html');
}
?>
你需要否定支票.
| 归档时间: |
|
| 查看次数: |
71096 次 |
| 最近记录: |