不安全的PHP登录表单练习(返回没有错误,无法弄清楚。)
I have a Login script (it's a basic demonstration exercise of PHP for the web class i'm in) that is insecure, but intentionally so. Advice regarding exploits will go unnoticed, as this is for testing purposes only.
I have stumped the teacher. The code I have written has been bugfixed a number of times, yet my code still does not run correctly. I double-checked the functions I was using with the version of PHP on my webhost (I'm running 5.4) to make sure things were correctly written.
We can't figure out what's wrong. Maybe someone else can?
Here's the three files:
login.php
<html>
<body>
<form action="process.php" method="post">
Username: <input type="text" name="name"><br>
Password: <input type="text" name="pass"><br>
<input type="submit">
<?php
if (isset($_SESSION ["errorwelcome"])){
echo ($_SESSION ["errorwelcome"]);
unset($_SESSION ["errorwelcome"]);
}
if (isset($_SESSION ["errorunpass"])){
echo ($_SESSION ["errorunpass"]);
unset($_SESSION ["errorunpass"]);
}
?>
</form>
</body>
</html>
process.php
<?php
if ($_POST ["name"] == "shmailey"){
if ($_POST ["pass"] == "password"){
$_SESSION["login"] = 1;
header('Location: welcome.php');
exit;
}
}
if ($_POST ["name"] != "shmailey"){
$_SESSION ["errorunpass"] = "Uh oh, we didn't recognize those credentials. Incorrect Username and/or Password.";
header('Location: login.php');
exit;
}
?>
welcome.php
<?php
if (isset($_SESSION ["login"])){
unset ($_SESSION["login"]);
}
else{
$_SESSION["errorwelcome"] = "You need to login first.";
unset ($_SESSION["login"]);
header('Location: login.php');
exit;
}
?>
<html>
<body>
<?php
echo "Login Success";
echo "Username: shmailey";
echo "Password: password";
?>
</body>
</html>
You don't start your sessions. You must start sessions using session_start(); before using any session variables. Try the following code:
Login.php:
<html>
<body>
<form action="process.php" method="post">
Username: <input type="text" name="name"><br>
Password: <input type="text" name="pass"><br>
<input type="submit">
<?php
if (isset($_SESSION ["errorwelcome"])){
echo ($_SESSION ["errorwelcome"]);
unset($_SESSION ["errorwelcome"]);
}
if (isset($_SESSION ["errorunpass"])){
echo ($_SESSION ["errorunpass"]);
unset($_SESSION ["errorunpass"]);
}
?>
</form>
</body>
</html>
process.php:
<?php
session_start();
if ($_POST ["name"] == "shmailey"){
if ($_POST ["pass"] == "password"){
$_SESSION["login"] = 1;
header('Location: welcome.php');
exit;
}
}
if ($_POST ["name"] != "shmailey"){
$_SESSION ["errorunpass"] = "Uh oh, we didn't recognize those credentials. Incorrect Username and/or Password.";
header('Location: login.php');
exit;
}
?>
welcome.php:
<?php
session_start();
if (isset($_SESSION ["login"])){
unset ($_SESSION["login"]);
}
else{
$_SESSION["errorwelcome"] = "You need to login first.";
unset ($_SESSION["login"]);
header('Location: login.php');
exit;
}
?>
<html>
<body>
<?php
echo "Login Success";
echo "Username: shmailey";
echo "Password: password";
?>
</body>
</html>
From the little testing I did, it seems to work when including the session starts.
EDIT-- Patrick M noticed this in the comments of the question, I did not see that until after I posted the answer.