拒绝访问PHP的登录

Question

我有一个买家的形式，被称为 “Buyer.php”：

<form method="post" action="check_buyer.php" id="LoggingInBuyer"> 
    <div style="width:265px;margin:0; padding:0; float:left;"> 
    <label>Username:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span><a href="#">Forgot Username?</span></a></label> <br /> 
    <input id="UserReg" style="width:250px;" type="text" name="userName" tabindex="1" class="required" /></div> 
    <div style="width:265px;margin:0; padding:0; float:right;"> 
    <label>Password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span><a href="#">Forgot Password?</span></a></label> <br /> 
    <input id="UserReg" style="width:250px;" type="password" name="userPass" tabindex="2" class="required" /></div> 
    <div class="clearB"> </div> 
    <input type="submit" style="width:100px; margin:10px 200px;" id="UserRegSubmit" name="submit" value="Login" tabindex="3" /> 
</form> 

一个名为check_buyer.php（在相同的目录）：

<?php 
session_start(); #recall session from index.php where user logged include() 

function isLoggedIn() 
{ 
    if(isset($_SESSION['valid']) && $_SESSION['valid']) 
     header('Location: buyer/'); # return true if sessions are made and login creds are valid 
    echo "Invalid Username and/or Password"; 
    return false; 
} 

require_once('../inc/db/dbc.php'); 

$connect = mysql_connect($h, $u, $p) or die ("Can't Connect to Database."); 
mysql_select_db($db); 

$LoginUserName = $_POST['userName']; 
$LoginPassword = mysql_real_escape_string($_POST['userPass']); 
//connect to the database here 
$LoginUserName = mysql_real_escape_string($LoginUserName); 
$query = "SELECT uID, uUPass, dynamSalt, uUserType FROM User WHERE uUName = '$LoginUserName';"; 

function validateUser($ifUserExists['uID'], $ifUserExists['uUserType']) { 
    $_SESSION['valid'] = 1; 
    $_SESSION['uID'] = $uID; 
    $_SESSION['uUserType'] = $uUserType; // 1 for buyer - 2 for merchant 
} 

$result = mysql_query($query); 
if(mysql_num_rows($result) < 1) //no such USER exists 
{ 
    echo "Invalid Username and/or Password"; 
} 
$ifUserExists = mysql_fetch_array($result, MYSQL_ASSOC); 

$dynamSalt = $ifUserExists['dynamSalt']; #get value of dynamSalt in query above 
$SaltyPass = hash('sha512',$dynamSalt.$LoginPassword); #recreate originally created dynamic, unique pass 

if($SaltyPass != $ifUserExists['uUPass']) # incorrect PASS 
{ 
    echo "Invalid Username and/or Password"; 
}else { 
    validateUser(); 
} 
// If User *has not* logged in yet, keep on /login 
if(!isLoggedIn()) 
{ 
    header('Location: index.php'); 
    die(); 
} 
?> 

//现在抛出错误：解析错误：语法错误，意外的'['，期待'）'在线23即function validateUser($ifUserExists['uID'], $ifUserExists['uUserType']) {

并在买方/目录下的文件“的index.php”：

<?php 
session_start(); 
if($_SESSION['uUserType']!=1) 
{ 
    die("You may not view this page. Access denied."); 
} 

function isLoggedIn() 
{ 
    return (isset($_SESSION['valid']) && $_SESSION['valid']); 
} 

//if the user has not logged in 
if(!isLoggedIn()) 
{ 
    header('Location: index.php'); 
    die(); 
} 
?> 

<?php 
    if($_SESSION['valid'] == 1){ 
     #echo "<a href='../logout.php'>Logout</a>"; 
     require_once('buyer_profile.php'); 
    }else{ 
     echo "<a href='../index.php'>Login</a>"; 
    } 
?> 

这样做的一点是，在输入用户名和密码时，该用户登录并定向到/buyer/index.php，到该网站的部分为buyer。似乎每次我使用我制作的虚拟凭证登录时，它只是脱口而出：You may not view this page. Access denied。但是，如果我通过在浏览器中按回箭头返回，它有我logged in和showing a link to logout。

我做了一些故障排除： 1）显示在这里，测试我的sql query是好的，的确如此。 http://i.stack.imgur.com/n2b5z.png

2）尝试choing出echo 'the userid: ' . $userid;它哼唧约You may not view..之前，它不会显示任何信息。

我该如何去得到这个userID？我双重检查的字段名称在数据库中，所有的罚款..

Answer 1

从快速检查，它看起来像你设定validateUser()$_SESSION['uUserType'] = $userType，但似乎并没有被传递$userType自己该功能。所以$_SESSION['uUserType']不会是1，但$_SESSION['valid']将是，因为您将其设置为validateUser()。

我怀疑你应该将有效数据传递到validateUser以便将其设置到会话中。

例如

validateUser($ifUserExists['uID'], $ifUserExists['uUserType']); 

function validateUser($uID, $uUserType) { 
    $_SESSION['valid'] = 1; 
    $_SESSION['uID'] = $uID; 
    $_SESSION['uUserType'] = $uUserType; // 1 for buyer - 2 for merchant 
}