0

希望你能帮助我,(在某些情况下再次!)

我有一个使用 mysql 数据库连接的 php 登录系统,首先用户填写登录表单:

Code: admin/index.php:

<link rel="stylesheet" href="/styles/style-new.css" type="text/css" />
<script type="text/javascript">
function formfocus() {
  document.getElementById('myusername').focus();
}
window.onload = formfocus;
</script>

<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form action="/?module=admin&n=checklogin" method="post" enctype="multipart/form-data" name="form1" id="form1">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Administrator Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input type="text" name="myusername" id="myusername" tabindex="1"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="mypassword" type="password" id="mypassword" tabindex="2"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td> <button type="submit" name="Submit" tabindex="3">Login</button>
 <img src="../images/ajax-loader.gif" width="16" height="16" style="display: none"/>
 <script>
    $("button").click(function () {
    $("img").show("slow");
    });
  </script>
 </td>
</tr>
</table>
</td>
</form>
</tr>
</table>
<p align="center">Clicked on the wrong link? <a href="javascript: history.go(-1)">Click Here</a></p>
</div>

然后通过 checklogin.php 将其发送以进行验证:

Code: checklogin.php:

<?php 
sleep(3)
?>
<link rel="stylesheet" href="../styles/style-new.css" type="text/css" />

<?php
session_start();
$host="localhost"; // Host name 
$username="david_bpd"; // Mysql username 
$password="documents123456"; // Mysql password 
$db_name="david_bpd"; // Database name 
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die(mysql_error()); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql) or die(mysql_error());

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row


$cdata = mysql_query("SELECT * FROM cuser");
$cdata = mysql_num_rows($cdata);
echo $cdata;


if($count==1){
//If a user is not already logged on
if($cdata == 1){
echo "<meta http-equiv='refresh' content='0;url=/?module=admin&n=Login_unavailable'>";
}
else {
//Register username
echo $myusername;
$_SESSION['myusername'] = $myusername;

var_dump($_SESSION['myusername']);

$_SESSION['myusername'] == $myusername;


$sql2="INSERT INTO cuser(myusername)VALUES('$myusername')";
$result2 = mysql_query($sql2) or die(mysql_error());

echo '<meta http-equiv="refresh" content="0;url=/?module=admin&n=Login_success">';

}
}
elseif($count==0) {
echo '<meta http-equiv="refresh" content="0;url=/?module=admin&n=Login_Unsuccessful">';
}
?>

<?php
mysql_close();
?>

然后使用它重新注册admin/Login_name.php:它检查mysql数据库中的最后一个访问名称并再次注册它

<?php
/* Mysql connection */
$tbl_name="cuser"; // Table name

$query = "SELECT MAX(`id`) AS 'max' FROM $tbl_name";
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_assoc($result);
$max = $row['max'];
$query1 = "SELECT * FROM $tbl_name WHERE id= '$max'";
$result1 = mysql_query($query1) or die(mysql_error());
$row1 = mysql_fetch_row($result1);

//check username
$myusername=$row1[1];

//register username
$_SESSION['myusername'] = $myusername;

?>

我遇到的问题是我必须使用以下方法限制对管理区域的访问:

Code:

<?php
session_start ();
    if ($_REQUEST ['module'] == 'admin' && $_REQUEST ['n'] != 'index' && $_REQUEST ['n'] != 'Login_Unsuccessful' && $_REQUEST ['n'] != 'checklogin' && $_REQUEST ['n'] != 'Logout' && $_REQUEST ['n'] != 'Login_name') {

        include ("admin/Login_name.php");
        // var_dump ( $myusername );
        //echo $myusername;
        //echo "<br />";
        //echo "<br />";
        if (isset ( $_SESSION ['myusername'] )) {
            //var_dump($myusername);
            //echo "SESSION IS SET";
            if ($_SESSION ['myusername'] == $myusername) {
                //echo "User should be allowed to be on page";
            } else {
                //echo"User not allowed";
                echo '<meta http-equiv="refresh" content="0;url=/?module=admin&n=index">';
            }

        } else {
            //var_dump(($_SESSION['myusername']));
            //echo "SESSION IS NOT SET(username not registered)";

            echo '<meta http-equiv="refresh" content="0;url=/?module=admin&n=index">';
        }
    }
    ?>

我发现的问题是,如果管理员已经登录,则未登录的人仍然可以访问受限区域,但我不希望这种情况发生。

我认为这可能与源代码最后一点中的 if 语句有关,但我不知道。

有任何想法吗?

谢谢

PS对不起,长帖子是完全描述的唯一方法!

4

2 回答 2

1

我对此有另一个想法。

无需进行双重查询来检查用户和活动用户,您可以使用表用户表活动用户之间的单个连接查询来完成

表用户包含字段

  • 用户身份
  • 用户名
  • 密码
  • ETC...

表 active_users 包含字段,

  • 用户身份
  • 登录时间
  • session_id
  • ETC...

然后你可以做选择加入查询来检查用户是否有来自表用户的有效信息,并且用户是否已经在表 active_users 中签入。

然后对于受限区域,您可以对照用户会话进行检查。如果用户尝试访问任何页面/区域,请重新检查基于用户会话分配的用户权限。

希望这会有所帮助。

于 2011-06-19T19:08:06.250 回答
1

我认为通过做这样的事情来检查用户登录会更容易。

session_start();
if(isset($_SESSION['user']) && $_SESSION['user']['admin']){
  // let user to admin page
}else{
  // deny access
}

因此,在您处理表单时,只需将$_SESSION['user']and 设置$_SESSION['user']['admin']为 true;

这又是一个简单的登录方法。

于 2011-06-19T19:11:06.240 回答