1. 首页
  2. 问答
  3. 保护PHP网页访问

保护PHP网页访问

2015-09-15 140 views
0

我有一个用php和mysql编写的登录表单代码(和一个数据库打印代码),由六部分组成:dbmanager.php,login.php,index.php,login_process.php,home.php和user.php。保护PHP网页访问

登录过程正常,当有人输入有效的用户名和密码时,该用户被重定向到home.php。而且,如果有人输入了无效的用户名或密码,该用户将被重定向到login_process.php,表明它是无效的用户名或密码,这很好。

问题是,如果任何人直接进入home.php,那么这个人是正确的身份验证,而无需输入任何用户名或密码。

你可以请我们指导我为了确保home.php只为数据库中的用户?

在此先感谢!我非常感谢你的帮助!

我的数据库由四列组成:用户名,密码,姓氏和名字。

这是我的代码:

dbmanager.php

<?php 
class DBManager{ 

    function getConnection(){ 

    $services = getenv("VCAP_SERVICES"); 
    $services_json = json_decode($services,true); 
    $mysql_config = $services_json["mysql-5.5"][0]["credentials"]; 

    $db = $mysql_config["name"]; 
    $host = $mysql_config["host"]; 
    $port = $mysql_config["port"]; 
    $username = $mysql_config["user"]; 
    $password = $mysql_config["password"]; 

    $conn = mysql_connect($host . ':' . $port, $username, $password); 

    if(! $conn){ 
     die('Could not connect: ' . mysql_error()); 
    } 

    mysql_select_db($db); 
    return $conn; 
    } 
} 
?>

的index.php

<?php 
    require 'user.php'; 
?> 
<html> 
    <head> 
    <title>DB Query PHP Page</title> 
    </head> 
    <body> 
    <p>SAMPLE PHP SITE</p> 
    <p>Contents of table User:</p> 
    <table border='1'> 
     <tr> 
     <td>Username</td> 
     <td>Password</td> 
     <td>Last Name</td> 
     <td>First Name</td> 
     </tr> 
    <?php 
     //refer to user.php for the implementation of the class User 
     $user_list = (new User())->selectAll(); 

     foreach($user_list as $user) { 
     echo '<tr>'; 
     echo '<td>'.$user->username.'</td>'; 
     echo '<td>'.$user->password.'</td>'; 
     echo '<td>'.$user->lastname.'</td>'; 
     echo '<td>'.$user->firstname.'</td>'; 
     echo '</tr>'; 
     } 
    ?> 
    </table> 

    <br><br> 
    Click <a href='login.php'>[here]</a> to test the login page.<br> 

    </body> 
</html>

的login.php

<html> 
    <head> 
    <title>Login Page</title> 
    </head> 
    <body> 
    <p>SAMPLE PHP SITE</p> 
    <p>Enter Username and Password to Login:</p> 
    <form action='login_process.php' method='post'> 
     <table border='1'> 
     <tr> 
      <td>Username:</td> 
      <td><input type='text' name='username'></td> 
     </tr> 
     <tr> 
      <td>Password:</td> 
      <td><input type='password' name='password'></td> 
     </tr> 
     <tr> 
      <td>&nbsp</td> 
      <td><input type='submit' value='Login'></td> 
     </tr> 
     </table> 
    </form> 
    </body> 
</html>

login_process.php

<?php 
    require 'user.php'; 
?> 
<?php 
    $user = new User(); 
    $user->username = $_REQUEST['username']; 
    $user->password = $_REQUEST['password']; 

    $found = $user->checkLogin(); 

    if ($found){//redirect to home page 
    session_start(); 
    $_SESSION['current_user']=$user; 

    header("Location: home.php"); 
    exit; 
    }else{//invalid username and password 
    echo "Invalid username/password. Click <a href='login.php'>[here]</a> to login again.<br>"; 
    echo "<br>"; 
    echo "You may also click <a href='index.php'>[here]</a> to see the list of usernames and passwords.<br>"; 
    } 
?>

home.php

<?php 
    require 'user.php'; 
?> 

    <html> 
     <head> 
     <title>Home Page</title> 
     </head> 
     <body> 
     <p>SAMPLE PHP SITE</p> 
     <p> 
      You have successfully logged in 

      <?php 
      session_start(); 

      $user = $_SESSION['current_user']; 

      echo $user->firstname.' '.$user->lastname.'.'; 
      ?> 
     </p> 

     <p>This is your home page.</p> 
     </body> 
    </html>

user.php的

<?php 
    require 'dbmanager.php'; 
?> 
<?php 
class User{ 

    var $username; 
    var $password; 
    var $lastname; 
    var $firstname; 

    function checkLogin(){ 
    $dbm = new DBManager(); 
    $conn = $dbm->getConnection(); 

    $username = mysql_real_escape_string($this->username); 
    $password = mysql_real_escape_string($this->password); 

    $sql_stmt = "SELECT * FROM User WHERE username = '".$username."' AND password = '".$password."'"; 


    //place in retval result of the SQL query 
    $retval = mysql_query($sql_stmt, $conn); 

    //check if SQL query is successful 
    if(! $retval){ 
     mysql_close($conn); 
     die('Could not read User table: ' . mysql_error()); 
    } 

    $found = false; 
    //get first retrieved row from retval 
    if ($dbfield = mysql_fetch_assoc($retval)) { 
     $found = true; 

     //initialize fields of this object with the columns retrieved from the query 
     $this->username = $dbfield['username']; 
     $this->password = $dbfield['password']; 
     $this->lastname = $dbfield['lastname']; 
     $this->firstname = $dbfield['firstname']; 
    } 

    return $found; 
    } 

    function selectAll(){ 
    $dbm = new DBManager(); 
    $conn = $dbm->getConnection(); 

    $sql_stmt = "SELECT * FROM User"; 

    //place in retval result of the SQL query 
    $retval = mysql_query($sql_stmt, $conn); 

    //check if SQL query is successful 
    if(! $retval){ 
     mysql_close($conn); 
     die('Could not read User table: ' . mysql_error()); 
    } 

    //create an empty array that will eventually contain the list of users 
    $user_list=array(); 


    //iterate each row in retval 
    while ($dbfield = mysql_fetch_assoc($retval)) { 
     //instantiate a user object 
     $user = new User();  

     //initialize fields of user object with the columns retrieved from the query 
     $user->username = $dbfield['username']; 
     $user->password = $dbfield['password']; 
     $user->lastname = $dbfield['lastname']; 
     $user->firstname = $dbfield['firstname']; 

     //add the user object in the array 
     $user_list[] = $user; 
    } 


    mysql_close($conn); 

    //return the array 
    return $user_list; 
    } 
} 
?>

来源

2015-09-15 Randall Núñez Aguilar

+0

使用'$ _SESSION'阵列的状态,以测试用户是否已经正确地或者没有登录。 – Scuzzy

回答

3

哟每一个单你的“安全”页面需要用户认证/验证的东西。

这可能是因为简单的东西:

whatever.php:

<?php 
include("usercheck.php"); 
?> 

page stuff here...

usercheck.php:

<?php 
session_start(); 
if (!$_SESSION['logged_in']) { 
    header('Location: login.php'); 
    exit(); 
}

来源

2015-09-15 21:39:35

+0

你好,谢谢你的回答! 我刚刚用你提供给我的代码创建了一个usercheck.php文件,然后将它包含到home.php文件中,但并不适用于我:-S我不知道如果我错过了处理以及你向我解释了什么!请纠正我,并感谢您的时间! –

+0

您是否已将'!$ _ SESSION ['logged_in']'更改为'!isset($ _ SESSION ['current_user'])'以适应您的代码?这只是一个例子,不要盲目复制。 – Capsule

+0

我改变了current_user的logged_in之前,但没有添加!isset,但现在它工作!朋友,谢谢!!! –

-1

基本上,你在你的本地目录下创建一个lib目录结构和lib中的所有文件都不会公开,但您仍然可以从您的php应用程序中访问它们。

这里是Cloud Foundry中的PHP应用程序的文件结构的例子:

alexs-mbp:ads-php-test adasilva$ ls -l 
total 72 
[email protected] 1 adasilva staff 490 Sep 14 23:00 README.txt 
[email protected] 1 adasilva staff 990 Sep 14 19:09 checklogin.php 
[email protected] 1 adasilva staff  2 Sep 14 23:00 composer.json 
[email protected] 3 adasilva staff 102 Sep 14 19:01 images 
drwxr-xr-x 3 adasilva staff 102 Sep 14 19:14 includes 
[email protected] 1 adasilva staff 709 Sep 14 23:00 index.php 
drwxr-xr-x 2 adasilva staff 68 Sep 15 17:41 lib 
[email protected] 1 adasilva staff 261 Sep 14 19:09 loginsuccess.php 
[email protected] 1 adasilva staff 88 Sep 14 19:11 logout.php 
[email protected] 1 adasilva staff 809 Sep 14 19:08 main_login.php 
[email protected] 1 adasilva staff 193 Sep 14 23:00 manifest.yml 
[email protected] 1 adasilva staff 1157 Sep 14 23:00 style.css 
alexs-mbp:ads-php-test adasilva$

lib目录下的任何内容不会被公开曝光,让你可以把你的home.php文件存在。

看到更多细节在这里:

http://docs.cloudfoundry.org/buildpacks/php/gsg-php-usage.html

来源

2015-09-15 21:47:06

+0

感谢您的回答! 我只是这样做,但在login_process.php我重定向到home.php我改变了头(“位置:home.php”); for header(“Location:lib/home.php”);但不能正常工作,你能告诉我我做错了什么? if($ found){//重定向到主页 session_start(); $ _SESSION ['current_user'] = $ user; header(“Location:lib/home.php”); 退出; –

相关问题

 相关问题