php authentication best practice...?


Problem description

I have a simple login page that checks credentials against the database, and then every page includes auth.php, which verifies that $_SESSION['logged'] is set and that the session isn't expired.

The problem is that every page also includes another page, tab.php (something like a menu), which I also need to restrict access to, but including auth.php inside tab.php makes the inclusion occur twice. If I don't include auth.php in tab.php, though, anyone can access tab.php directly, bypassing the authentication check and possibly retrieving private information.

Any best practice to solve this situation?

Edit:

And I forgot to ask, but what path do you use to make it relative to the site root? As both auth.php and tab.php are in a folder and the index.php which includes tab.php is in the root, the include function gives an error for either index.php or tab.php according to which path I use ('./includes/auth.php' OR './auth.php'), if you know what I mean. I tried '/includes/auth.php', but that doesn't work.

Recommended answer

include_once and require_once will definitely ensure that you don't have the same file included more than once (and at the same time make sure you're authenticated).

What I would do, however, is put your includes in an "include" folder and forbid access to it (for people who would type in the path manually) through an .htaccess file. This way you could keep your includes in one place (whatever your header includes might look like) and keep your include files clean and still out of reach. If you were to do this, you'd only have to do what Jan. mentioned in the answer above and check whether your $_SESSION['logged'] is set (and whatever other checks you need).
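Putting the answer's pieces together, as an added example (not code from the original question or answer): one auth.php guarded by require_once, tab.php and index.php anchoring their include paths with __DIR__ (which also addresses the path problem raised in the question's edit), and an .htaccess that refuses direct requests to the includes folder. The four files are shown in one listing separated by comments; the file layout, the 30-minute idle limit, the users table and the `$pdo` connection are assumptions.

```php
<?php
// ---- includes/auth.php ----
// Added example, not code from the original question or answer.
// Assumed layout (the question's own): /index.php in the document root,
// /includes/auth.php and /includes/tab.php in a subfolder.
//
// includes/.htaccess (assumed, Apache 2.4 syntax) refuses direct requests to
// this folder, so https://example.com/includes/tab.php answers 403 while a
// PHP require of the same file on disk still works:
//     Require all denied
// (Apache 2.2: "Order deny,allow" followed by "Deny from all".) It only takes
// effect if AllowOverride permits it; moving the folder above the document
// root removes the dependency on web-server configuration altogether.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity allowed (assumed policy)

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Declared as a function and pulled in via require_once, so a second
// require_once from tab.php is a no-op instead of a "cannot redeclare" error.
function require_login(): void
{
    $now      = time();
    $loggedIn = !empty($_SESSION['logged']);
    $expired  = isset($_SESSION['last_activity'])
        && ($now - (int) $_SESSION['last_activity']) > SESSION_IDLE_LIMIT;

    if (!$loggedIn || $expired) {
        $_SESSION = [];            // drop the stale or anonymous session
        session_destroy();
        header('Location: /login.php', true, 302);
        exit;                      // never keep rendering after a redirect
    }
    $_SESSION['last_activity'] = $now;
}

require_login();
?>

<?php
// ---- includes/tab.php ----
// The menu fragment. It protects itself as well, so it stays safe even if a
// page forgets auth.php. __DIR__ is this file's own directory, so the path is
// right whether tab.php is reached from index.php or from elsewhere.
require_once __DIR__ . '/auth.php';
?>
<nav>
  <a href="/index.php">Home</a>
  <a href="/logout.php">Log out</a>
</nav>

<?php
// ---- index.php (document root) ----
// '/includes/auth.php' fails because a leading slash means the filesystem
// root, not the site root; anchor the path with __DIR__ (or
// $_SERVER['DOCUMENT_ROOT']) instead of a cwd-relative './'.
require_once __DIR__ . '/includes/auth.php';
require_once __DIR__ . '/includes/tab.php';  // its own auth.php require is skipped
?>
<h1>Private page</h1>

<?php
// ---- login.php (sketch) ----
// Assumed: a users table with username and bcrypt password_hash columns and
// an existing PDO connection in $pdo. On success the session id is rotated
// before the session is marked as logged in, so an id an attacker fixed
// before login does not become an authenticated one.
session_start();
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
$stmt->execute([$_POST['username'] ?? '']);
$hash = $stmt->fetchColumn();
if ($hash !== false && password_verify($_POST['password'] ?? '', (string) $hash)) {
    session_regenerate_id(true);
    $_SESSION['logged']        = true;
    $_SESSION['last_activity'] = time();
    header('Location: /index.php', true, 302);
    exit;
}
http_response_code(401);
echo 'Invalid credentials';
```

With this layout a request for /includes/tab.php is stopped by the web server, and if that rule is ever lost (AllowOverride off, a different server), tab.php's own require_once of auth.php still redirects an unauthenticated visitor before any of the menu is emitted. The redirect is followed by exit in every case; a header() without exit is the usual way private content leaks past an authentication check.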
