在数据库操作中使用会话 [英] using sessions in database operations
问题描述
我有用户会话供用户登录.问题是任何人都可以直接打开服务器端链接.
例如:http://mylink.com/foldername/json/json_example.php
如果有人浏览上面的链接,它会直接打开.所以我想通过使用会话来确保数据库操作(一些存储通过 JSON)和我的服务器端 PHP 文件的安全.我需要在执行数据库操作之前检查用户会话和在服务器端打开每个页面之前.
我用于用户会话的以下代码:
<头><身体><section class="容器"><div class="登录"><form method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>"><p><input type="text" name="username" placeholder="Username" id="username"></p><p><input type="password" name="password" placeholder="Password" id="password"></p><p class="submit"><input type="submit" name="login" value="Login"></p></表单><?phpif(isset($_POST['login'])) {require_once('db/connection.php');$用户名=$_POST['用户名'];$password=md5(mysql_real_escape_string($_POST['password']));$query=mysql_query("select * from tablename where username='$username' and password='$password'");$row=mysql_num_rows($query);如果($行== 1){session_start();$a=mysql_fetch_array($query);$_SESSION['user']=$a['username'];$_SESSION['pref']=$a['preference'];header("位置:home.php");} 别的 {echo "错误的用户名/密码";}}?></节>
请帮助解决问题.
谢谢.
用于阻止访问包含在其他人中且不应直接访问的文件:将其添加到直接访问的页面中,例如 index.php:
//这将防止将包含的脚本作为独立脚本加载.定义('安全',真);这适用于您不想被任何人直接访问的脚本
//安全检查!defined('SECURE') and exit("你不应该在这里.<br>返回<a href='index.php'>home</a>页面.");要阻止未登录用户访问任何类型的文件,请添加以下内容:
if (!isset($_SESSION['user']))exit("你不应该在这里.<br>回到<a href='index.php'>home</a>页面.");I have user sessions for the user to login. The problem is that anyone can open the server side links directly.
For example : http://mylink.com/foldername/json/json_example.php
If anyone browse the above link it opens directly.So I want to make secure to the database operations(some stores through JSON) and my server side PHP files by using sessions.I need to check user session before performing database operations and before opening of every page in server side.
The below code i used for User Sessions:
<?php
ob_start();
session_start();
if(isset($_SESSION['user'])){
header('Location: home.php');}
?>
<html>
<head>
<body>
<section class="container">
<div class="login">
<form method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
<p><input type="text" name="username" placeholder="Username" id="username"></p>
<p><input type="password" name="password" placeholder="Password" id="password"></p>
<p class="submit"><input type="submit" name="login" value="Login"></p>
</form>
</div>
<?php
if(isset($_POST['login'])) {
require_once('db/connection.php');
$username=$_POST['username'];
$password=md5(mysql_real_escape_string($_POST['password']));
$query=mysql_query("select * from tablename where username='$username' and password='$password'");
$row=mysql_num_rows($query);
if ($row == 1){
session_start();
$a=mysql_fetch_array($query);
$_SESSION['user']=$a['username'];
$_SESSION['pref']=$a['preference'];
header("location: home.php");
} else {
echo "wrong username/password";
}
}
?>
</section>
Please help in resolving the issue.
Thank you.
For blocking the access to the files that are included in others and should not be accessed directly: add this to the pages that are directly accessed, like index.php:
//This will prevent loading the included scripts as stand alone scritps.
define('SECURE', true);
and this to the scripts you don't want to be accessed by anyone directly
//Security check
!defined('SECURE') and exit("You should not be here.<br>Go back to the <a href='index.php'>home</a> page.");
For blocking access to any kind of file to the users that are not logged in, add this:
if (!isset($_SESSION['user']))
exit("You should not be here.<br>Go back to the <a href='index.php'>home</a> page.");
这篇关于在数据库操作中使用会话的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
