php阻止用户查看日志

Question

<form method = "post" action = "<?php echo $_SERVER['PHP_SELF']; ?>" />
Username:<input type = "text" name ="user"> <br />
Password:<input type = "password" name = "pass"><br />
<input type = "submit" value ="View Logs!"><br />
 <?php
$user = $_POST['user'];
$pass = $_POST['pass'];

//Problem here, I need to only allow the user to see logs 
// after he or she has entered the correct info.
//Currently code just shows all, when the user hits View Logs
// without any credentials
if (($user == "php")  && ($pass == "student"))
echo "Enjoy the Logs!";
else echo  "<b>Access Denied!</b>";
 ?>

Answer 1

问题是您的表单直接发送到log.txt，而不是在表单提交后处理任何PHP。您需要将操作更改为post到PHP文件本身，然后在检查密码后使用http_redirect将用户重定向到log.txt。

尽管如此，它仍然不是很安全，因为任何人都可以通过直接的网址访问log.txt，所以你需要在那里进行某种授权。最好的做法可能是将log.txt存储在无法通过HTTP访问的地方，然后使用readfile加载并显示该文件，而不是使用您的echo：

<form action="" method="post">
    Username:<input type="text" name="user"/> <br />
    Password:<input type="password" name="pass"/><br />
    <input type="submit" value="View Logs!"/><br />
</form>
 <?php
    $user = $_POST['user'];
    $pass = $_POST['pass'];
    if (($user == "php")  && ($pass == "student")) {
        echo '<pre>';
        readfile('log.txt');
        echo '</pre>';
    }
    else {
        echo  "<b>Access Denied!</b>";
    } 
?>

Answer 2

<?
  if ( 
    isset( $_POST['user'] )
    && isset( $_POST['pass'] ) 
  ) {
    $user = $_POST['user'];
    $pass = $_POST['pass'];

    if (
        ($user == 'php')
        && ($pass == 'student')
    ) {
      echo "Enjoy the Logs!";

      readfile('log.txt');
    }
    else {
      echo '<b>Access Denied!</b>';
    }
  } else {
    ?>
      <form method="post">
      Username:<input type="text" name="user"> <br />
      Password:<input type="password" name="pass"><br />
      <input type="submit" value="View Logs!"><br />
    <?
  }