drnmslpz42661 2014-01-08 15:23
浏览 20
已采纳

如果num_rows大于零,则为PHP标头

Something weird is happening with the following code. Instead of completely redirecting. It loads the page of the redirect into the login page and mixes things up.

Q1: How do i make a complete redirect. - session start is the first line - There's nothing being output before header. - As for spaces, I'm not sure what will count as a space in the below script.

Q2: How do i preg_replace a string to only allow both lower cases and uppercases and 0 - 9 numbers and again how do i preg replace emaail to allow the '@' charecter and alphanumerics.

Q3: What's the best way to check if the user trying to login matches exactly the registered user?

Q4: What danger can a hacker do with my session variables?

PHP CODE

<?php
session_start();
require_once 'db_conx.php';
$email = preg_replace ('#[^A-Z, 0-9 ]#i', '', $_POST['email']);
$pwd = preg_replace ('#[^A-Z, 0-9 ]#i', '', $_POST['pwd']);
if ($uname == '' || $pwd == ''){
    echo '<span style="color:#F00">Please fill in all login details.</span>'; 
    } else {
$Result = mysql_query("SELECT * FROM users WHERE uemail = '$uname' && pwd = '$pwd'")
 or die (mysql_error()); 
while($row = mysql_fetch_array($Result)){
$_SESSION['Sname'] = $row['firstname'];
$_SESSION['Slname'] = $row['lastname'];
$_SESSION['SUid'] = $row['uid'];
$_SESSION['Semail'] = $row['uemail'];
$_SESSION['Suid'] = $row['uid'];
$_SESSION['Szip'] = $row['zip'];
}
if (mysql_num_rows($Result) > 0){
    header ('Location: ../user.php');
} else {
    echo '<span style="color:#F00">Your account details do not match, please check your details and try again or try to recover your account if you forgot your password</span>';
    }
}
?>

Thanks.

  • 写回答

1条回答 默认 最新

  • doufu6130 2014-01-08 15:53
    关注

    Q1 instead of using header( 'Location...)

    you can use 

     echo '<meta http-equiv="refresh" content="0; URL= http://something.com">';

    EDIT i believe you can also use the following. the die should allow for the redirect, but in my experience it doesn't always get along with jquery.

     header('Location: http://something.com');
 die();

    This is especially useful if you are using event.preventDefault(); in jquery on the same page, which will almost always cause header location redirects to be ignored. this method is also appropriate when you are using get requests to include a php page in your index file, causing a url like http://somesite.com/index.php?page=home

    EDIT the above information was wrong it wasn't working for me because php had already sent the headers. i'm an idiot.

    instead of this meta refresh, you could do this which should produce the desired result.

    echo '<script type="text/javascript">window.location = "yoururlhere"</script>';die;

    Q2

     $step1 = preg_replace('#[^A-Z, 0-9 ]#i', $_POST["variable"]);
 $step2 = strtolower($step1);
 echo $step2;

    Q3

    This is a tough question to answer, but basically you want to hash there password, then check if it matches the password in the db. heres a brief pseudocode.

     $username = $db->real_escape_string(strip_tags($_POST["username"]));
 $password = hash('sha512', $salt.$_POST["Password"});
 $db->query("SELECT * FROM `usertable` WHERE `Username`='$username' AND `Password`='$password' AND Username IS NOT NULL AND Username != '' LIMIT 1");
 $result = $db->get();
 if(!$result){
  //the query returned a null result, so the username or password was incorrect.
 }else{
  //set user session and log them in.
 }

    Q4 I'm no expert, but it all depends on the architecture of your application and how you are setting sessions and cookies.in my opinion look into using formkeys and preventing xss, rfi, sql injection and lfi, then worry about session variables. the experience gained tackling the aforementioned problems will give you confidence and a broader understanding when attempting to secure your user sessions.

    further information can be obtained from php.net/manual/en/session.security.php and stackoverflow.com/questions/328/php-session-security

    thanks to the suggestions of DanFromGermany who improved on this answer.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 使用ue5插件narrative时如何切换关卡也保存叙事任务记录
  • ¥20 软件测试决策法疑问求解答
  • ¥15 win11 23H2删除推荐的项目,支持注册表等
  • ¥15 matlab 用yalmip搭建模型,cplex求解,线性化处理的方法
  • ¥15 qt6.6.3 基于百度云的语音识别 不会改
  • ¥15 关于#目标检测#的问题:大概就是类似后台自动检测某下架商品的库存,在他监测到该商品上架并且可以购买的瞬间点击立即购买下单
  • ¥15 神经网络怎么把隐含层变量融合到损失函数中?
  • ¥15 lingo18勾选global solver求解使用的算法
  • ¥15 全部备份安卓app数据包括密码,可以复制到另一手机上运行
  • ¥20 测距传感器数据手册i2c