0

我是 PHP 新手,我正在尝试使用会员登录(没有会员面板)创建一个网站。我有一个简单的网页,其中一些页面只有在您登录后才能查看。

您能告诉我如何给 _SESSION 起一个临时名称吗?

这是登录脚本:

if (isset($_POST['formsubmitted'])) {
// Initialize a session:
session_start();
$error = array();//this aaray will store all error messages


if (empty($_POST['e-mail'])) {//if the email supplied is empty 
    $error[] = 'You forgot to enter  your Email ';
} else {


    if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['e-mail'])) {

        $Email = $_POST['e-mail'];
    } else {
         $error[] = 'Your EMail Address is invalid  ';
    }


}


if (empty($_POST['Password'])) {
    $error[] = 'Please Enter Your Password ';
} else {
    $Password = $_POST['Password'];
}


   if (empty($error))//if the array is empty , it means no error found
{ 



    $query_check_credentials = "SELECT * FROM members WHERE (Email='$Email' AND password='$Password' AND Aprobat='DA') AND Activation IS NULL";



    $result_check_credentials = mysqli_query($dbc, $query_check_credentials);
    if(!$result_check_credentials){//If the Query Failed 
        echo 'Query Failed ';
    }

    if (@mysqli_num_rows($result_check_credentials) == 1)//if Query is successful 
    { // A match was made.




        $_SESSION = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC);//Assign the result of this query to SESSION Global Variable
        $_SESSION['start'] = time(); // taking now logged in time
        $_SESSION['expire'] = $_SESSION['start'] + (30 * 60) ;
        header("Location: about.php");


    }else
    { 

        $msg_error= 'Either Your Account is inactive or Email address /Password is  Incorrect';
    }

}  else {



echo '<div class="errormsgbox"> <ol>';
    foreach ($error as $key => $values) {

        echo '  <li>'.$values.'</li>';



    }
    echo '</ol></div>';

}


if(isset($msg_error)){

    echo '<div class="warning">'.$msg_error.' </div>';
}
/// var_dump($error);
mysqli_close($dbc);

}

这是只有登录用户才能查看的页面的脚本。

ob_start();
session_start();
if(!isset($_SESSION['Username'])){
     header("Location: login.php");
session_destroy();
}

这是注销脚本:

session_start();
unset($_SESSION["username"]);  // where $_SESSION["nome"] is your own variable. if you do not have one use only this as follow **session_unset();**
session_destroy();
header("Location: index.php");

如果有人能帮助我改进这个脚本,我真的很感激。我想要的另一件事是我是否正确设置了 _SESSION 过期时间。

m trying to use Prepared statement and I don不知道如何使用它。

这是带有 Prepared 语句的代码,我收到此错误:致命错误:在第 38 行的 /home/siteseby/public_html/login.php 中的非对象上调用成员函数 bind_param()

if (isset($_POST['formsubmitted'])) {
// Initialize a session:
session_start();
$error = array();//this aaray will store all error messages


if (empty($_POST['e-mail'])) {//if the email supplied is empty 
    $error[] = 'You forgot to enter  your Email ';
} else {


    if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['e-mail'])) {

        $Email = $_POST['e-mail'];
    } else {
         $error[] = 'Your EMail Address is invalid  ';
    }


}


if (empty($_POST['Password'])) {
    $error[] = 'Please Enter Your Password ';
} else {
    $Password = $_POST['Password'];
}


   if (empty($error))//if the array is empty , it means no error found
{ 

$qstmt = "SELECT * FROM users WHERE (Email = ? AND password = ? AND Aprobat='DA') AND Activation IS NULL";
$stmt = $dbc->prepare($qstmt);
$stmt->bind_param($Email, $Password);
$query_check_credentials = $stmt->execute();
$result_check_credentials = $query_check_credentials;
    if(!$result_check_credentials){//If the QUery Failed 
        echo 'Query Failed ';
    }

    if (@mysqli_num_rows($result_check_credentials) == 1)//if Query is successfull 
    { // A match was made.




        $_SESSION = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC);//Assign the result of this query to SESSION Global Variable
        $_SESSION['start'] = time(); // taking now logged in time
        $_SESSION['expire'] = $_SESSION['start'] + (2 * 60) ;
        $_SESSION['email'] = $Email;
        header("Location: about.php");
        exit;


    }else
    { 

        $msg_error= 'Either Your Account is inactive or Email address /Password is Incorrect';
    }

}  else {



echo '<div class="errormsgbox"> <ol>';
    foreach ($error as $key => $values) {

        echo '  <li>'.$values.'</li>';



    }
    echo '</ol></div>';

}


if(isset($msg_error)){

    echo '<div class="warning">'.$msg_error.' </div>';
}
/// var_dump($error);
mysqli_close($dbc);

} // End of the main Submit conditional.
4

2 回答 2

0

首先,您必须session_start()在代码的开头直接调用,因为与会话创建相关的 cookie 是在 HTTP 标头中发送的。接下来,在您的登录脚本结束时,设置一个会话:

$_SESSION['email'] = $email;

现在已经设置了会话,您应该在用户需要登录才能查看的每个页面中检查它(记住session_start()在输出任何内容之前先开始):

session_start();
if (isset($_SESSION['email'] {

//whatever should happen with a logged-in user
}

请记住,如果之前已经设置过自定义会话,您只能使用它,我这么说是因为我看到您在if(!isset($_SESSION['Username']))没有先设置“用户名”会话的情况下通过。

于 2013-06-17T23:52:52.503 回答
0

一切似乎都很好......(至少对于新手来说)

至于您如何处理会话,我建议您在 stackoverflow 中检查与会话劫持/固定相关的 Q/A。或者更好的是,使用 SSL 加密您的数据。话虽这么说,我认为你最好使用准备好的语句和命名参数来处理你的 mysql 查询,而不是笨拙的方式(Email='$Email' AND password='$Password同样,你会在这里很容易地找到教程。

最后但并非最不重要的一点是,良好的代码格式,避免错误抑制,例如if (@mysqli_在标头重定向后不使用退出,即仅使用header("Location: login.php");通常被认为是坏主意。

于 2013-06-17T23:04:27.357 回答