【发布时间】:2021-05-23 15:35:26
【问题描述】:
我正在尝试从数据库中获取 $_SESSION['id'],我可以从会话中获取用户名和其他信息,但无法获取 id。我知道我错过了一些非常简单的东西。我在每个页面上都有一个配置文件,页面顶部有 session_start()。
所以问题是我没有从数据库接收会话 id,这是 mysql 查询。
$sql = ("SELECT persons.name, images.file_name, images.user_id FROM persons INNER JOIN images ON
persons.id = images.user_id WHERE persons.id =" . $_SESSION['id']."" );
$result = $db->query($sql);
//echo $_SESSION['id'];
var_dump($sql);
print_r($result);
$result = $db->query($sql) or die($db->error);
// Include the database configuration file
//include_once 'config/config.php';
// Get images from the database
//$query = $db->query("SELECT file_name FROM images INNER JOIN persons ON persons.id=images.user_id ORDER BY id DESC ");
?>
<?php
if($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
// $id = $row['id'];
$imageURL = 'uploads/'.$row["file_name"];
//echo "<br>username:" . $_SESSION['id'];
?>
<img src="<?php echo $imageURL; ?>" alt="" width="250" height="250" />
<?php
}
} else { ?>
<p>No image(s) found...</p>
<?php } ?>
登录表单:
<form action="" method="post" enctype="multipart/form-data">
<?php login(); ?>
<input type="text" name="username">
<input type="text" name="password">
<input type="submit" name="login">
</form>
会话数据:
if(!empty($_SESSION['id'])) {
echo "welcome " . $_SESSION['id'];
} else {
//header("Location: index.php");
}
这是我的function.php,我知道它根本不安全,不能在本地机器上运行或仅在本地机器上运行。
<?php
// if(!empty($_SESSION['id'])) {
// echo "welcome " . $_SESSION['id'];
// }
// Include the database configuration file
require_once "config.php";
function uploads() {
global $db;
if(isset($_POST['submit'])){
$user_id = $_POST['user_id'];
$_SESSION['persons.id'] = $id;
// File upload configuration
$targetDir = "uploads/";
$allowTypes = array('jpg','png','jpeg','gif');
$statusMsg = $errorMsg = $insertValuesSQL = $errorUpload =
$errorUploadType = '';
$fileNames = array_filter($_FILES['files']['name']);
if(!empty($fileNames)){
foreach($_FILES['files']['name'] as $key=>$val){
// File upload path
$fileName = basename($_FILES['files']['name'][$key]);
$targetFilePath = $targetDir . $fileName;
// Check whether file type is valid
$fileType = pathinfo($targetFilePath, PATHINFO_EXTENSION);
if(in_array($fileType, $allowTypes)){
// Upload file to server
if(move_uploaded_file($_FILES["files"]["tmp_name"][$key],
$targetFilePath)){
// Image db insert sql
$insertValuesSQL .= "('".$user_id."', '".$fileName."',
NOW()),";
}else{
$errorUpload .= $_FILES['files']['name'][$key].' | ';
}
}else{
$errorUploadType .= $_FILES['files']['name'][$key].' | ';
}
}
if(!empty($insertValuesSQL)){
$insertValuesSQL = trim($insertValuesSQL, ',');
// Insert image file name into database
$insert = $db->query("INSERT INTO images (user_id, file_name,
uploaded_on) VALUES $insertValuesSQL ");
if($insert){
$errorUpload = !empty($errorUpload)?'Upload Error:
'.trim($errorUpload, ' | '):'';
$errorUploadType = !empty($errorUploadType)?'File Type Error:
'.trim($errorUploadType, ' | '):'';
$errorMsg =
!empty($errorUpload)?'<br/>'.$errorUpload.'<br/>'.$errorUploadType:'<br/>'
.$errorUploadType;
$statusMsg = "Files are uploaded successfully.".$errorMsg;
}else{
$statusMsg = "Sorry, there was an error uploading your file.";
}
}
}else{
$statusMsg = 'Please select a file to upload.';
}
// Display status message
echo $statusMsg;
}
}
function register() {
global $db;
try {
if (isset($_POST['join'])) {
$name = $_POST['name'];
$surname = $_POST['surname'];
$email = $_POST['username'];
$password = $_POST['password'];
$insert = $db->query("INSERT INTO persons (name, surname, username,
password) VALUES ('$name', '$surname', '$email', '$password')");
if($insert){
$errorUpload = !empty($errorUpload)?'Upload Error:
'.trim($errorUpload, ' | '):'';
$errorUploadType = !empty($errorUploadType)?'File Type Error:
'.trim($errorUploadType, ' | '):'';
$errorMsg =
!empty($errorUpload)?'<br/>'.$errorUpload.'<br/>'.$errorUploadType:'<br/>'
.$errorUploadType;
$statusMsg = "Files are uploaded successfully.".$errorMsg;
}else{
$statusMsg = "Sorry, there was an error inserting you.";
}
}else{
$statusMsg = 'Please select a file to upload.';
}
//Display status message
echo $statusMsg;
echo "all good";
} catch (Expetion $e) {
echo "something has gone wrong.";
}
}
//login
function login() {
global $db;
try {
if(isset($_POST['login'])) {
$id = $_SESSION['id'] = $id;
$username = $_POST['username'];
$password = $_POST['password'];
$name = $_POST['name'];
$sql = ("SELECT id,name, username, password FROM persons where username =
'$username' AND password = '$password' ");
$result = $db->query($sql);
// $rows = mysqli_num_rows($result);
if($result->num_rows > 0) {
//echo $_SESSION['id'];
//echo "this " . $username . " " . $password;
echo "all good";
$_SESSION['username'] = $username;
$_SESSION['name'] = $name;
$_SESSION['id'] = $id;
echo " hello there: " . $username;
header("Location: page.php");
} else {
echo "wrong user or pass";
}
}
} catch (Expection $e) {
echo "Sorry try agian.";
}
}
function getId() {
global $db;
try {
if(isset($_POST['login'])) {
$id = $_SESSION['id'] = $id;
$sql = ("SELECT id FROM persons WHERE id = " . $id . "" );
$result = $db->query($sql);
while($row = $result->fetch_assoc()) {
$id = $row['id'];
echo $id;
}
}
} catch (Expection $e) {
echo "Could not get user.";
}
}
【问题讨论】:
-
嗨,warwick,这可能无法解决您当前的问题,但为了将来参考,您可能希望在 SQL 代码中使用类似 prepared statements 的内容,以防止可能出现的潜在安全问题连接 SQL 查询字符串时发生!
-
另外,您的代码中是否有一个地方可以定义您的
$_SESSION['id']变量? -
您好 summea,感谢您提供我目前正在测试的信息,并准备好进行编码。因此,当我正确编码时,我将使用准备语句。是的,我已经在 functions.php 页面上声明了
$_SESSION['id'] = $id -
如果您以后有机会,是否可以在上面的问题帖子中包含您的
functions.php代码? (只要它不包含密码或密钥/令牌等敏感信息。)我很好奇代码的样子! -
嗨,Dharman,我知道 sqlinjection,但就像我之前所说的,这只是我目前正在玩的东西,不是活的,永远不会活的。当我让它上线时,它将通过
PDO prepared statements完成。