首先,我想开始说我对PHP没有任何了解,所以我希望能够得到所有帮助。 所以我有一个网站托管在godaddy上传我的客户的文件。在朋友的帮助下,我制作了一个带有用户名和密码的简单登录系统。问题是,尽管没有输入用户名和密码就无法访问网站,但可以通过在浏览器中直接输入完整链接来访问.jpg等文件。我希望它是通过用户网页访问文件的唯一方式。另外我希望每个用户只能访问他们自己的文件,而不能访问其他文件。所以这里是我的代码,如果有任何额外的变化需要避免黑客入侵,我将非常感谢输入。正被用于输入用户名和密码的形式拒绝http访问目录,但允许内部服务器访问
index.php文件代码:
<form name="form1" method="post" action="checklogin.php">
<div class="lefts">
<p>Login:</p>
<p>Password:</p>
</div>
<div>
<input name="myusername" type="text" id="myusername" />
<input name="mypassword" type="password" id="mypassword" />
</div>
<div><input type="image" name="Submit" id="submit" value="Login" src="images/submitOff.png" /></div>
</form>
checklogin.php:(如果输入正确的用户名和密码,它进入用户名,如果网页不是去了错误的用户名或密码的网页
<?php
ob_start();
session_start();
$host="hostname"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="dbnamey"; // Database name
$tbl_name="tablename"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT username FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
//returns false if no results returned
$row = mysql_fetch_row($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($row){
// Register $myusername, $mypassword and redirect to file
$_SESSION["myusername"] = $myusername;
$_SESSION["mypassword"] = $mypassword;
$myPage = $myusername.".php";
$_SESSION["myPage"] = $myPage;
header("location:".$myPage);
}
else {
header("location:index2.php");
}
ob_end_flush();
?>
username1.php:(webapge用户包含文件)
<?
session_start();
if(
//!session_is_registered(myusername)
!isset($_SESSION["myusername"]) ||
$_SESSION["myPage"] != basename($_SERVER['REQUEST_URI'])
){
header("location:index.php");
}
?>
<html>
//content that consist of links to the files
<a href="ready/username1/file.png">Png 1</a>
</html>
感谢您的答复。我对PHP一无所知,所以这就是为什么它如此糟糕。你认为你可以重写它,使它成为如何? – 2011-02-02 02:04:37