Problem description:

I have three questions about my code.

  1. How can I display only the name of the user who is logged in, in the profile.php file? Because my current code displays every username no matter who logs in.

  2. How can I restrict the profile.php page so it can only be seen if a user is logged in?

  3. How can I create a logout page that works?

Below is my code, in order by file: config.php (connects to the database), login.php, profile.php, and logout.php:

//------------------------config.php---------------
<?php
mysql_connect("localhost","root","");
mysql_select_db("login2");
?>

//------------------------login.php---------------
<?php
session_start();
require('config.php');
if(isset($_POST['submit'])){
    $uname = mysql_escape_string($_POST['uname']);
    $pass = mysql_escape_string($_POST['pass']);
    $salt = '';
    $pass = md5 ($pass . $salt);
    $sql = mysql_query ("SELECT * FROM `users` WHERE `uname` = '$uname' AND `pass`= '$pass' ");
    if(mysql_num_rows($sql) > 0){
        header('location: profile.php');
        exit();
    }else{
        echo "Wrong password or username";
    }
}else{
    $form = <<<EOT
<form action="login.php" method="POST">
Username : <br />
<input type="text" name="uname" />
<br />
<br />
Password : <br />
<input type="password" name="pass" />
<br />
<br />
<input type="submit" name="submit" value="log in" />
</form>
EOT;
    echo $form;
}
?>

//------------------------profile.php---------------
<?php
require('config.php');
?>
<html>
<head>
</head>
<body>
<?php
$sql = mysql_query("SELECT * FROM users ");
while($row = mysql_fetch_array($sql)){
    $name = $row['name'];
    $lname = $row['lname'];
    $uname = $row['uname'];
}
?>
<p>Welcome <b><?php echo $name; ?></b></p>
<a href="logout.php">logout</a>
</body>
</html>

//------------------------logout.php---------------
<?php
require('config.php');
session_destroy();
header('location: login.php');
exit();
?>

Answer:

The answer to all your questions: Use $_SESSIONs in PHP. I forgot to mention, but you will need to have session_start() at the top of every page on which you plan on using $_SESSION.

// User Login

if(mysql_num_rows($sql) > 0){
    $_SESSION['user_name'] = $_POST['uname'];
    header('location: profile.php');    
    exit();
}else{
    echo "Wrong password or username";
}


// Profile (Check if user is logged in)
if(isset($_SESSION['user_name']) && !empty($_SESSION['user_name'])){
  // Show page
}

How can I create a logout page that works?

You're going to need to start reading, I recommend a great new book called Google.

Answer:

To display the username, save the username in a session value once he's authenticated

$sql = mysql_query ("SELECT * FROM `users` WHERE `uname` = '$uname' AND `pass`= '$pass' ");
if(mysql_num_rows($sql) > 0){
    $_SESSION['username'] = $uname;
    header('location: profile.php');    
    exit();
}else{
    echo "Wrong password or username";
}

To restrict access to the profile.php page, add on top and right after calling session_start()

if(!isset($_SESSION['username'])) // not logged in

To make a logout page, you'll need to destroy the session
logout.php

session_start();
if(isset($_SESSION['username'])) session_destroy();
else // not logged in 
Answer:

try this

   if(mysql_num_rows($sql) > 0){
    session_start();
    $_SESSION['userName']=$_POST['uname'];
        header('location: profile.php');    
        exit();
    }else{
        echo "Wrong password or username";
    }

profile.php

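<?php
session_start();
// empty() avoids a notice when the key was never set
if (empty($_SESSION['userName'])){
header('location: login.php');
exit(); // stop here, otherwise the rest of the page still runs
}else{
echo $_SESSION['userName'];
}
?>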
<html>
<head>
</head>
<body>
<?php
$sql = mysql_query("SELECT * FROM users ");
                    while($row = mysql_fetch_array($sql)){
                    $name = $row['name'];       
                    $lname = $row['lname'];
                    $uname = $row['uname'];
                                }                       
?>
<p>Welcome <b><?php echo $name; ?></b></p>
<a href="logout.php">logout</a>
</body>
</html>

logout.php

session_start(); // resume the session before changing it
unset($_SESSION['userName']);
Answer:

The answer to your question is simple because currently whatever you do on login.php has no bearing in your profile.php.

In login.php, you check their username and password, and if correct, you send them to profile.php but then you echo out everything from the db in a new query, by doing this on profile.php:
"SELECT * FROM users "

This has no data or reference to your checking their credentials on login.php.

What you should do is when you check their login on login.php, set a session with their correct logged in details, like so:

    //------------------------login.php---------------

    <?php
    session_start();
    require('config.php');
    if(isset($_POST['submit'])){
        $uname = mysql_escape_string($_POST['uname']);
        $pass = mysql_escape_string($_POST['pass']);    
        $salt = '';
        $pass = md5 ($pass . $salt);    
    $sql = mysql_query ("SELECT * FROM `users` WHERE `uname` = '$uname' AND `pass`= '$pass' ");
    if(mysql_num_rows($sql) > 0){

    // ADDITIONAL CODE
    while($row = mysql_fetch_array($sql)){
       $_SESSION['logged_in']['name'] = $row['name'];       
       $_SESSION['logged_in']['lname'] = $row['lname'];
       $_SESSION['logged_in']['uname'] = $row['uname'];
    }
    // END ADDITIONAL CODE
        header('location: profile.php');    
        exit();
    }else{
        echo "Wrong password or username";
    }
    } // closes if(isset($_POST['submit'])), which was left open
    ?>
    //------------------------profile.php---------------
    <?php
    session_start();
    require('config.php');

    // ADDITIONAL CODE
    // This check runs before any HTML is sent so that header() can still redirect
    if ( !isset($_SESSION['logged_in']) )
      {
        header('location: login.php');
        exit();
      }
    // END ADDITIONAL CODE

    // Then use the session data to echo their name:
    ?>
    <html>
    <head>
    </head>
    <body>
    <p>Welcome <b><?php echo htmlspecialchars($_SESSION['logged_in']['name']); ?></b></p>

    <a href="logout.php">logout</a>
    </body>
    </html>

    //------------------------logout.php---------------
    <?php
    // ADDITIONAL CODE
    session_start();
    unset($_SESSION['logged_in']);
    // END ADDITIONAL CODE
    session_destroy(); //if you want..
    header('location: login.php');
    exit();

This is a simple example, however, and NOTE: On profile.php, my additional code simply checks if a logged_in session is set, which isn't highly secure.

Depending on what data is shown on profile.php, you could/should check their logins again. Perhaps check in the DB their session data, or IP, or both or more.

Important Notes:

The code you are using is fairly insecure, and uses deprecated functions.
mysql_query() is now deprecated, and you should use PDO or Mysqli, with prepared statements.

If you insist on still using this function, at least change from mysql_escape_string() and instead use mysql_real_escape_string().

Additionally, md5() is no longer considered a secure method, see here:
http://php.net/manual/en/faq.passwords.php#faq.passwords.fasthash

And as for salting, using your own (which is currently NULL) is not recommended. Try using:
http://php.net/manual/en/function.crypt.php
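
The prepared-statement and password-hashing advice in the answer above, as an added example that is not part of the original answer: login.php rewritten with PDO, a bound parameter and a new session id on login. It uses password_hash()/password_verify() (PHP 5.5+) in place of calling crypt() directly, and it assumes a `pass_hash` column written by password_hash(); the database user and password are placeholders.

```php
<?php
// Added example (PHP 7.1+), not code from the question or the answers.
// Assumptions: `users` has a `pass_hash` column written by password_hash();
// the database user and password below are placeholders.
declare(strict_types=1);

function find_user(PDO $db, string $uname): ?array
{
    // The username is bound as a parameter, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT uname, name, pass_hash FROM users WHERE uname = ?');
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function attempt_login(PDO $db, string $uname, string $password): bool
{
    $user = find_user($db, $uname);
    if ($user === null || !password_verify($password, $user['pass_hash'])) {
        return false;
    }
    session_regenerate_id(true); // new id after login blocks session fixation
    $_SESSION['logged_in'] = ['uname' => $user['uname'], 'name' => $user['name']];
    return true;
}

session_start();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $db = new PDO('mysql:host=localhost;dbname=login2;charset=utf8mb4', 'app_user', 'CHANGE_ME', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]);
    // Reject array-valued form fields instead of passing them on.
    $uname = is_string($_POST['uname'] ?? null) ? $_POST['uname'] : '';
    $pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';
    if (attempt_login($db, $uname, $pass)) {
        header('Location: profile.php');
        exit();
    }
    echo 'Wrong password or username';
}
```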

Answer:

Try this, it's working:

//------------------------config.php---------------
<?php
mysql_connect("localhost","root","");
mysql_select_db("login2");
?>

//------------------------login.php---------------

<?php
session_start();
require('config.php');
if(isset($_POST['submit'])){
    $uname = mysql_escape_string($_POST['uname']);
    $pass = mysql_escape_string($_POST['pass']);    
    $salt = '';
    $pass = md5 ($pass . $salt);    
$sql = mysql_query ("SELECT * FROM `users` WHERE `uname` = '$uname' AND `pass`= '$pass' ");
if(mysql_num_rows($sql) > 0){
    header("location: profile.php?username=$uname&pass=$pass");    
    exit();
}else{
    echo "Wrong password or username";
}

}else{
?>
<form action="login.php" method="POST">
Username : <br />
<input type="text" name="uname" />
<br />
<br />
Password : <br />
<input type="password" name="pass" />
<br />
<br />
<input type="submit" name="submit" value="log in" />
</form>
<?php
}
?>
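//------------------------profile.php---------------
<?php
session_start(); // required before $_SESSION can be used
require('config.php');

// Escape the request values before they are placed in the SQL string
$user = mysql_real_escape_string($_REQUEST['username']);
$passwd = mysql_real_escape_string($_REQUEST['pass']);
?>
<html>
<head>
</head>
<body>
<?php
$username = '';
$sql = mysql_query("SELECT * FROM users where `uname` = '$user' AND `pass`= '$passwd' ");
// while (not do/while) so $row is set before it is read
while($row = mysql_fetch_array($sql)){
    $uname = $row['uname'];
    $_SESSION['uname'] = $uname;
    $username = $_SESSION['uname'];
}
?>
<p>Welcome <b><?php echo htmlspecialchars($username); ?></b></p>
<a href="logout.php">logout</a>
</body>
</html>
//------------------------logout.php---------------
<?php
session_start(); // session_destroy() only works on a started session
require('config.php');
session_destroy();
header('location: login.php');
exit();
?>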
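
A session-based guard and logout, as an added example that is not part of any answer above: the logged-in identity stays in the server-side session instead of travelling in the URL, the guard exits after redirecting, and logout also expires the session cookie. It assumes login stored the user under `$_SESSION['logged_in']`; the function names are hypothetical.

```php
<?php
// Added example (PHP 7.1+), not code from the question or the answers.
// Assumes login stored the user under $_SESSION['logged_in'];
// require_login(), logout() and h() are hypothetical helper names.
declare(strict_types=1);

function require_login(): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['logged_in']['uname'])) {
        header('Location: login.php');
        exit(); // without this the rest of the page still runs
    }
    return $_SESSION['logged_in'];
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // session_destroy() needs an active session
    }
    $_SESSION = []; // drop the data held for this request
    if (ini_get('session.use_cookies')) {
        // Expire the browser's session cookie with the same parameters it was set with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy(); // remove the server-side session store
}

function h(string $s): string
{
    // Encode values taken from the database before echoing them into HTML.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// profile.php: call the guard before any output is sent.
//   $user = require_login();
//   echo '<p>Welcome <b>' . h($user['name']) . '</b></p>';
// logout.php:
//   logout(); header('Location: login.php'); exit();
```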