Fatal编程技术网
  • php/
  • Php 如何在会话中显示用户ID?

Php 如何在会话中显示用户ID?

php mysql session

Php 如何在会话中显示用户ID?,php,mysql,session,sessionid,Php,Mysql,Session,Sessionid,我想在一个页面中获取用户名和用户ID。关于这一点,我创建了两个php页面。另外,我的数据库由3列组成:userid、username、password。login.php页面是 <?php session_start(); //@$userid = $_GET['userid']; @$username = $_POST['username']; @$password = $_POST['pass']; if(@$_POST['Submit']){ if($username&&

我想在一个页面中获取用户名和用户ID。关于这一点,我创建了两个php页面。另外,我的数据库由3列组成:userid、username、password。login.php页面是

<?php 
session_start();
//@$userid = $_GET['userid'];
@$username = $_POST['username'];
@$password = $_POST['pass'];

if(@$_POST['Submit']){
if($username&&$password)
{
$connect = mysql_connect("localhost","*****","") or die("Cannot Connect");
mysql_select_db("project") or die("Cannot find the database");

$query = mysql_query("SELECT * FROM users WHERE username='$username'");
//$query = mysql_query("SELECT * FROM users WHERE userid='$userid' and username='$username'");
$numrows = mysql_num_rows($query);
if($numrows!=0)
{
    while ($row = mysql_fetch_assoc($query))
    //while ($row = mysql_fetch_array($query))
    {
        $dbuserid = $row['userid'];
        $dbusername = $row['username'];
        $dbpassword = $row['password'];
    }
    if($username==$dbusername&&$password==$dbpassword)
    {
        echo "You are login!!!!! Continue now with the survey <a href='mainpage.php'>here</a>";
        $_SESSION['username']=$username;
        $_SESSION['userid']=$userid;
    }
    else
    {
        echo "<b>Incorrect Password!!!!</b>";
    }
}
else
    //die("That user does not exist");
    echo "<b>That user does not exist</b>";
}
else
echo "<b>You must enter a username and a password</b>";
}
?>
<!--<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!--<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />-->
<title>Login Page</title>
<style type="text/css"> 
h2 {letter-spacing: 10px; font-size: .2in; background-color: #33CC00; color: #000000; text-transform:uppercase; width:260px}
span {color: #FF00CC}
legend {font-variant: small-caps; font-weight: bold}
fieldset {width: 260px; height: 100px; font-family: "Times New Roman", Times, serif; background-color: #CCCCCC; color: #000000}
label {display:block;}
.placeButtons {position: relative; left: 0px; width: 70px; margin: 5px; 0px;}
</style>
</head>

<body background="images/good.jpg">

<h2>Login Page</h2>
<form name="loginform" method='POST'>

<fieldset>
<legend>Form</legend>
    <label>Username: <input type="text" name="username"/><span>*</span></label><br/>
    <label>Password: <input type="password" name="pass"/><span>*</span></label>
    <input class="placeButtons" type="reset" value='Reset'/>
    <input class="placeButtons" type="submit" name="Submit" value='Login'/>
    <a href='registration.php'>Register</a>
</fieldset><br>
<a href='firstpage.php'><-- Go Back</a>
</form>
</body>
</html>

我很快注意到了一件事。这可能就是问题所在。
$\u会话['userid']
正在从未设置的
$userid
获取值。同时,使用
@
来消除错误也不是一种好的做法。使用
isset
检查变量是否已设置并继续


$_SESSION['userid'] = $userid; //where are you getting $userid from?


这应该是


 $_SESSION['userid'] = $dbuserid;


也不用像这样的语句


if ($_SESSION['username'])


首先检查变量是否设置为这样


if ( isset($_SESSION['username']) ){
 //now continue your work
}



当您在共享网络主机上时,请确保使用ini_集(“会话保存路径”、“新建目录”)或功能会话保存路径。来自不同网站的同一目录中的会话容易发生会话窃取/窥探/修改

我检查了PHP源代码PHP没有跟踪哪个会话id是由Web站点(主机)生成的,这就是为什么如果攻击者在同一个Web主机上拥有帐户,则此攻击会起作用

因此,千万不要过分信任会话阵列,因为它是由服务器生成的,所以您认为它是安全的

这不是如果你不采取对策
 3张表还是3列?

if ( isset($_SESSION['username']) ){
 //now continue your work
}