6

无法启动和运行我的会话。在过去的几个小时里,我一直在查看我的代码,但我看不到它有什么问题。我遇到的问题是,每次我输入用户名和密码时,它都会将我重定向到登录页面,以便在它应该显示securepage.php时再次输入信息。

这是我的代码:

loginproc.php 页面- 此页面逐步执行 if 语句并直接进入 else

<?php

// Inialize session
session_start();

// Include database connection settings
include('../../model/database.php');

// Retrieve username and password from database according to user's input
$login = mysql_query("SELECT * FROM user WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string($_POST['password']) . "')");

// Check username and password match
if (mysql_num_rows($login) == 1) {
// Set username session variable
$_SESSION['username'] = $_POST['username'];
// Jump to secured page
header('Location: securedpage.php');
}
else {
// Jump to login page
header('Location: index.php');
}

?>

securepage.php 页面

<?php

// Inialize session
session_start();

// Check, if username session is NOT set then this page will jump to login page
if (!isset($_SESSION['username'])) {
header('Location: index.php');
}

?>
<html>

<head>
<title>Secured Page</title>
</head>

<body>

<p>This is secured page with session: <b><?php echo $_SESSION['username']; ?></b>
<br>You can put your restricted information here.</p>
<p><a href="logout.php">Logout</a></p>

</body>

</html>

database.php 页面

<?php
$dsn = 'mysql:host=localhost;dbname=sports_db';
$username = '';
$password = '';
$options = array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION);

try {
    $db = new PDO($dsn, $username, $password, $options);
} catch (PDOException $e) {
    $error_message = $e->getMessage();
    include 'errors/db_error_connect.php';
    exit;
}

function display_db_error($error_message) {
    global $app_path;
    include 'errors/db_error.php';
    exit;
}
?>
4

3 回答 3

8

您不能混合使用 PDO 和 mysql .. 您正在创建查询PDO并使用mysql_* 尝试将代码更改为

<?php

// Inialize session
session_start();

// Include database connection settings
include('../../model/database.php');

// Retrieve username and password from database according to user's input
$stmt = $db->prepare("SELECT * FROM user WHERE (`username` = :username) and (`password` = :password)");

$result = $stmt->execute(array(':username'=>$_POST['username'],':password'=>$_POST['password']));
$num_rows = $stmt->rowCount();
// Check username and password match
if ( $num_rows > 0) {
// Set username session variable
$_SESSION['username'] = $_POST['username'];
// Jump to secured page
header('Location: securedpage.php');
}
else {
// Jump to login page
header('Location: index.php');
}

?>

reference

于 2013-06-03T05:33:27.313 回答
0

问题大概出在这里:

if (mysql_num_rows($login) == 1) {

如果要检查整数 1,请使用三重方程。不过,最有可能的是登录/通过失败。

和这个:

$_SESSION['username'] = $_POST['username'];

是不好的做法,即使你得到一个有效的回应。

于 2013-06-03T04:30:55.177 回答
0

我有一个建议给你:

1)不要将用户给定的数据直接存储到您的会话变量中。

2)首先检查用户凭证是否存在于您的表中,获取相应的行,然后将获取的数据存储在您的会话变量中。

于 2013-06-03T04:39:22.523 回答