0

我的网站中有一个“登录”页面,由“登录行为”脚本处理,该脚本在成功时重定向到“发布”页面。“发布”页面具有发布各种类型内容的链接,例如“发布音频”。'post' 页面工作正常,因为它显示用户名,如果经过身份验证,但从那时起它就是灾难:如果经过身份验证的用户单击'post-audio',它会以某种方式将他注销并将他重定向到登录页面。但是,过了一段时间,(或者如果我在“后音频”脚本中进行并撤消更改)它又可以正常工作了。它快把我逼疯了。你能帮我吗?

登录-act.php:

<? ob_start();//Start buffer output ?>

<html>

<head>
<link rel="stylesheet" type="text/css" href="mystyle-a.css">
<title>BQuotes CMS: User Generated Content: Login Notification</title>
</head>

<body class='center'>

<?php
session_start();
if(isset($_POST["captcha"])&&$_POST["captcha"]!=""&&$_SESSION["code"]==$_POST["captcha"])
{
// echo "<font color='green'>Correct Code Entered";

//Do req





$host="host"; // Host name 
$username="user"; // Mysql username 
$password="password"; // Mysql password 
$db_name="db"; // Database name 
$tbl_name="table"; // Table name 
$tbl_name2="table2"; // Table name 2

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Get values from form 
$myusername=mysql_real_escape_string($_POST['myusername']);
$mypassword=mysql_real_escape_string($_POST['mypassword']);

// Validate the login
$sql2="SELECT * FROM $tbl_name2 WHERE username='$myusername' and password='$mypassword'";
$result2=mysql_query($sql2);

$count=mysql_num_rows($result2);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1)
             {
session_start();             
$_SESSION['myusername'] = $myusername;
header ("Location: mybq-post.php");

             }

else {
echo "<div class='center2'><font color='red'>Invalid Login Details. Not Logged In.</div>";
echo "<br>";
echo "<div class='center2'><font color='red'>Please go back and try again.</div>";
echo "<br>";

echo "<div class='center2'><a href='mybq-login.php'>Back</a></div>";
}


}

else {
echo "<div class='center2'><font color='red'>Wrong Captcha. Not Logged In.</div>";
echo "<br>";
echo "<div class='center2'><font color='red'>Please go back and try again.</div>";
echo "<br>";

echo "<div class='center2'><a href='mybq-login.php'>Back</a></div>";
}
?>


<?php 
// close connection 
//mysql_close();
?>


 </body> </html>
<? ob_flush();//Flush buffer output ?>

post.php:

<?php

session_start();

if (!(isset($_SESSION['myusername']) && $_SESSION['myusername'] != '')) {

header ("Location: mybq-login.php");

}

if ($_SESSION['timeout'] + 10 * 60 < time()) {
// session timed out
session_destroy();
//header("Location: mybq-logout.php");
  }

$_SESSION['timeout'] = time();


echo "<body class='left'><header><a href='mybq-logout.php'>Logout</a></header></body>" . $_SESSION['myusername'];

?>

<html>

<head>
<link rel="stylesheet" type="text/css" href="mystyle-a.css">
<title>BQuotes CMS: User Generated Content: Post Index</title>
</head>

<body class='center'>

<div class='center2'>
<b>MyBQuotes Post</b><br>
<a href='mybq-post-txt.php'>Post Text</a> <a href='mybq-post-img.php'>Post Image</a><br>
<a href='mybq-post-audio.php'>Post Audio</a> <a href='mybq-post-video.php'>Post Video<br>
<a href='index.php'>CMS Index</a> <a href='mybq-index.php'>MyBQuotes Main</a><br>
<font size="0.5px;" color="red"><b>Disclaimer: </b>Poster solely responsible for posted content!
</div>

 </body> </html>

post-audio.php:

<?php

session_start();

if (!(isset($_SESSION['myusername']) && $_SESSION['myusername'] != '')) {

header ("Location: mybq-login.php");

}

if ($_SESSION['timeout'] + 10 * 60 < time()) {
// session timed out
session_destroy();
//header("Location: mybq-logout.php");
  }

$_SESSION['timeout'] = time();  


echo "<body class='left'><header><a href='mybq-logout.php'>Logout</a></header></body>" . $_SESSION['myusername'];
?>

<html>

<head>
<link rel="stylesheet" type="text/css" href="mystyle-a.css">
<title>BQuotes CMS: User Generated Content: Post Audio</title>
</head>

<div class='center2'>
<body class='center'>
<b>MyBQuotes Post Audio:</b><br>
<font size=2>Allowed File Type: MP3<br />
Max File Size: 8MB</p>
<form name=mybq-post-audio action="mybq-post-audio-act.php" method="post" enctype="multipart/form-data">

<!--
Username:<br />
<input type="text" size="25" name="myusername" /><br />
Password:<br />
<input type="password" size="25" name="mypassword" /><br />
-->

Audio:<br />
<input type="file" name="audio" id="myaudio" /><br />
Tag:<br />
<input type="text" size="25" name="mytag" /><br />

Enter Image Text:<br />
<input name="captcha" type="text">
<img src="captcha.php" /><br>

<input type="submit" value="Post" /><br />
</form>
<a href="forg-pass.htm"><div class='tagtext'>Forgot Login details?</a>
<br />
<a href="index.php">CMS Index</a> <a href="mybq-post.php">MyBQuotes Post</a>

</div>
 </body> </html>

任何帮助表示赞赏。(我知道我的一些代码已被弃用......我正在处理它:))

4

1 回答 1

1

在您的登录表单 ( login-act.php) 中,您没有设置,$_SESSION['timeout']所以当您访问该post.php页面时,检查$_SESSION['timeout'] + 10 * 60 < time()始终为真,并且session_destroy()会破坏您的会话。

解决方案是在脚本中添加设置超时的行login-act.php,即:

session_start();             
$_SESSION['myusername'] = $myusername;
$_SESSION['timeout'] = time();

同样总是exit在任何重定向之后,如果您不退出,尽管浏览器会重定向导致服务器告诉他这样,脚本将继续在服务器中执行,让您的代码开放,以便利用漏洞和难以调试的奇怪行为。

于 2013-08-31T13:06:43.553 回答