
제 문제는 세션이 로컬 호스트(localhost)에서 작동하지 않는다는 것입니다.

localhost를 통해 로그인할 수 없습니다. 누군가 도와주실 수 있나요? 아래는 세션 처리에 관한 제 코드입니다.

<?php 

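// Login handler (the question's script with its concrete problems fixed in place).
//
// NOTE(review): session_register() was removed in PHP 5.4 and is a fatal error
// there; if the localhost box runs a newer PHP than the production host, that
// alone would explain "sessions don't work" -- confirm against the error log.
include('config.php');   // assumed to open the ext/mysql connection used below -- confirm
session_start();         // must run before any output, so config.php must print nothing

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $email    = isset($_POST['email']) ? $_POST['email'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    // Hashing scheme kept as-is so rows already in the database still match.
    // It is NOT a proper password hash: md5/sha1 are fast, and the "salt" is
    // derived from the password itself, so it is constant per password and adds
    // nothing. Migrate stored hashes to password_hash()/password_verify()
    // (PHP >= 5.5) when you can re-hash users.
    $salt     = sha1(md5($password));
    $password = md5($password . $salt);

    // Both values are interpolated into SQL, so they must be escaped for this
    // connection (ext/mysql has no bound parameters). $password is already hex,
    // but escaping it too keeps the rule simple: nothing reaches SQL unescaped.
    $safe_email    = mysql_real_escape_string($email);
    $safe_password = mysql_real_escape_string($password);

    $sql    = "SELECT email FROM registered_members WHERE email='$safe_email' and password='$safe_password'";
    $result = mysql_query($sql);
    $count  = $result ? mysql_num_rows($result) : 0;

    $sql1        = "SELECT email,password FROM admin WHERE email='$safe_email' and password='$safe_password'";
    $result1     = mysql_query($sql1);
    $count_admin = $result1 ? mysql_num_rows($result1) : 0;

    if ($count == 1 || $count_admin == 1) {
        // Privilege level changes here: a fresh session id makes an id an attacker
        // planted before login (session fixation) worthless.
        session_regenerate_id(true);
        // Replaces session_register("email"). The hashed password is deliberately
        // no longer copied into the session: nothing needs it there, and a leaked
        // session file would otherwise expose it. If member.php or the admin panel
        // read $_SESSION['password'], switch them to login_user / login_admin.
        $_SESSION['email'] = $email;
    }
    if ($count == 1) {
        $_SESSION['login_user'] = $email;
    }
    if ($count_admin == 1) {
        $_SESSION['login_admin'] = $email;
    }

    // header() does not stop the script, so every redirect is followed by exit;
    // otherwise the rest of the page would still be rendered and sent.
    if ($count_admin >= 1) {
        // Admin wins when the address exists in both tables (the original fell
        // through and sent no response at all in that case).
        header("location:admincp/admin-panel.php");
        exit;
    } elseif ($count >= 1) {
        header("location:member.php");
        exit;
    } else {
        // Same message for unknown email and wrong password: do not reveal
        // which addresses are registered.
        echo "Wrong email or Password";
    }
}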

?> 

나에게 도움을 주시기 바랍니다


SQL 인젝션 취약점이 있습니다. – SLaks


그 솔트(salt)는 전혀 쓸모가 없습니다. 비밀번호 자체에서 파생되므로 같은 비밀번호는 항상 같은 해시가 됩니다. – SLaks


간단히 말해서, 보안은 **어렵습니다**. 바퀴를 재발명하지 마십시오. 기존의 검증된 인증 시스템을 사용해야 합니다. – SLaks

답변


다음은 OOP 기반 샘플입니다:

Session.class.php

<?php 

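/**
 * Session-backed login state for members and admins.
 *
 * The instance itself is kept in $_SESSION (see connect()), so only the login
 * state is serialised (__sleep); the PDO handle is never serialised -- PDO
 * instances cannot be, and the original version would have failed at
 * session_write_close() for that reason -- and is re-opened lazily by pdo().
 *
 * Passwords are stored as password_hash() output (PHP >= 5.5) and checked with
 * password_verify(); registration must store hashPassword($plain) in the
 * `password` column. The original sha1(SALT . $password) used one constant salt
 * for every user and a fast hash, which is not an acceptable password store.
 */
class Session {

    /** No longer used for hashing; kept only so existing references still resolve. */
    const SALT         = 'foo';
    const SESSION_NAME = '__DATABASE__';
    // Redirect targets are absolute URIs built from these two constants; HOST
    // must match the deployment (e.g. 'localhost' while developing) or every
    // redirect leaves the site. Do not derive it from the Host header.
    const PROTOCOL     = 'http';
    const HOST         = 'example.com';

    const PAGE_LOGIN  = 0;
    const PAGE_MEMBER = 1;
    const PAGE_ADMIN  = 2;

    /** @var PDO|null opened on first query of each request, never serialised */
    private $pdo;
    /** @var mixed|null id column of the matched row; null while logged out */
    private $id;
    /** @var bool|null null = not logged in, false = member, true = admin */
    private $admin;

    /**
     * Returns the per-request singleton, restoring it from $_SESSION when one is
     * stored there. session_start() must already have been called.
     */
    public static function connect() {
        static $self;
        if ($self === null) {
            if (isset($_SESSION[self::SESSION_NAME]) && $_SESSION[self::SESSION_NAME] instanceof self) {
                $self = $_SESSION[self::SESSION_NAME];
            } else {
                $self = $_SESSION[self::SESSION_NAME] = new self;
            }
        }
        return $self;
    }

    /**
     * Only the login state goes into the session. $pdo is left out on purpose:
     * PDO throws on serialisation, and the connection is re-opened on demand.
     */
    public function __sleep() {
        return array('id', 'admin');
    }

    public function isLogined() {
        return $this->id !== null;
    }

    public function isAdmin() {
        return (bool)$this->admin;
    }

    public function getId() {
        return $this->id;
    }

    /**
     * Authenticates against `admin` first, then `registered_members`; an admin
     * match wins when the same address exists in both tables.
     *
     * @throws RuntimeException on unknown email or wrong password -- one message
     *         for both so the form does not reveal which addresses exist
     * @throws PDOException   on database errors (ERRMODE_EXCEPTION)
     */
    public function login($email, $password) {
        $admin_id  = $this->adminLogin($email, $password);
        $member_id = $this->memberLogin($email, $password);
        if ($admin_id === false && $member_id === false) {
            throw new RuntimeException('Wrong email or password');
        }
        // Privilege level changes here: a fresh session id makes an id an
        // attacker planted before login (session fixation) worthless.
        if (session_id() !== '') {
            session_regenerate_id(true);
        }
        if ($admin_id !== false) {
            $this->id    = $admin_id;
            $this->admin = true;
        } else {
            $this->id    = $member_id;
            $this->admin = false;
        }
        return $this;
    }

    /** Forgets the login state and rotates the session id. */
    public function logout() {
        $this->id    = null;
        $this->admin = null;
        if (session_id() !== '') {
            session_regenerate_id(true);
        }
        return $this;
    }

    /**
     * Sends the visitor to the page matching their state (login / member /
     * admin) unless they are already on it. Does not return when it redirects.
     */
    public function autoRedirect($current_page) {
        if ($this->admin === null && $current_page !== self::PAGE_LOGIN) {
            self::redirect('/login.php');
        }
        if ($this->admin === false && $current_page !== self::PAGE_MEMBER) {
            self::redirect('/member.php');
        }
        if ($this->admin === true && $current_page !== self::PAGE_ADMIN) {
            self::redirect('/admincp/admin-panel.php');
        }
    }

    /** $path is always one of the site-internal literals above, never user input. */
    private static function redirect($path) {
        header(sprintf('Location: %s://%s%s', self::PROTOCOL, self::HOST, $path));
        exit;
    }

    private function __construct() {
        // Nothing to do: the PDO handle is opened lazily by pdo(), so restoring
        // a logged-in session does not cost a database connection per request.
    }

    /**
     * Opens (once per request) and returns the database connection.
     * TODO(review): credentials belong in a config file outside the web root,
     * not in source; an empty password is only acceptable on a dev box.
     */
    private function pdo() {
        if ($this->pdo === null) {
            $this->pdo = new PDO(
                'mysql:dbname=test;host=localhost;charset=utf8',
                'user',
                '',
                array(
                    PDO::MYSQL_ATTR_EMULATE_PREPARES   => false, // real server-side prepares
                    PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => true,
                    PDO::ATTR_ERRMODE                  => PDO::ERRMODE_EXCEPTION,
                    PDO::ATTR_DEFAULT_FETCH_MODE       => PDO::FETCH_ASSOC,
                )
            );
        }
        return $this->pdo;
    }

    /**
     * Looks up $email in $table and checks $password against the stored hash.
     * Returns the row id, or false when the email is unknown or the password is
     * wrong. $table is one of two class-internal literals, never user input.
     *
     * NOTE(review): an unknown email returns without running password_verify(),
     * which is measurably faster; verify against a dummy hash if that timing
     * side channel matters to you.
     */
    private function verifyAgainst($table, $email, $password) {
        $stmt = $this->pdo()->prepare("SELECT id, password FROM {$table} WHERE email = ? LIMIT 1");
        $stmt->execute(array($email));
        $row = $stmt->fetch();
        if ($row === false || !password_verify((string)$password, (string)$row['password'])) {
            return false;
        }
        return $row['id'];
    }

    private function adminLogin($email, $password) {
        return $this->verifyAgainst('admin', $email, $password);
    }

    private function memberLogin($email, $password) {
        return $this->verifyAgainst('registered_members', $email, $password);
    }

    /**
     * Hash to store in the `password` column at registration / password change.
     * Uses PHP's default algorithm (bcrypt as of 5.5) with a per-user random salt.
     */
    public static function hashPassword($password) {
        return password_hash((string)$password, PASSWORD_DEFAULT);
    }

}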

login.php

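<?php

// Login page for the Session class: redirects visitors who are already logged
// in, processes the posted form, and otherwise renders it.
require 'Session.class.php';

try {

    session_start();
    $session = Session::connect();                 // the class is Session, not DB
    $session->autoRedirect(Session::PAGE_LOGIN);   // already logged in -> leave this page
    if (isset($_POST['email'], $_POST['password'])) {
        $session->login($_POST['email'], $_POST['password']);
    }
    $session->autoRedirect(Session::PAGE_LOGIN);   // login succeeded -> member/admin page

} catch (PDOException $e) {
    // Must be caught before RuntimeException (PDOException extends it). The
    // message can carry the DSN, credentials or SQL fragments: log, never echo.
    error_log((string)$e);
    $msg = 'Login is temporarily unavailable';
} catch (RuntimeException $e) {
    // Thrown by Session::login() with a message intended for the user.
    $msg = $e->getMessage();
} catch (Exception $e) {
    error_log((string)$e);
    $msg = 'Login is temporarily unavailable';
}

header('Content-Type: text/html; charset=utf-8');

?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Login</title></head>
<body>
<?php if (isset($msg)): ?>
<p><?= htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="">
Email: <input type="text" name="email" value=""><br>
Password: <input type="password" name="password" value=""><br>
<input type="submit">
</form>
</body>
</html>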