php如何防止别人跳过登录直接访问你的控制器,方法有很多,其中一种就是token
思路:创建用户表时直接加一个 token 字段用来存储 token;前端在公共 JS 里统一附加 token,这样每个页面(请求)都会带上 token,后端便可以通过 token 判断是哪个用户做了什么,以便记录。
实战:
- 数据库设计
- 登录接口
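/**
 * Login endpoint: checks the username/password sent with the request, issues a
 * fresh token, stores it on the user row and returns it as JSON.
 *
 * Response: {code: 1, msg, data: {id, token, username, user_type}} on success;
 * {code: -1, msg} carrying the error text on any failure. Always terminates the
 * script through ajaxReturn().
 */
public function Login(){
    try{
        // Request values are untrusted; anything that is not a string is
        // treated as absent.
        $username = isset($_REQUEST['username']) && is_string($_REQUEST['username'])
            ? $_REQUEST['username'] : '';
        $password = isset($_REQUEST['password']) && is_string($_REQUEST['password'])
            ? trim($_REQUEST['password']) : '';
        // Validate the raw values first: hashing before the check meant the
        // "empty password" branch could never fire (md5 of '' is not empty).
        // Strict comparison so that "0" counts as a value.
        if($username === '')
        {
            throw new Exception("请输入用户名");
        }
        if($password === '')
        {
            throw new Exception("请输入密码");
        }
        // Legacy unsalted scheme kept so that existing stored hashes keep
        // working. NOTE(review): migrate to password_hash()/password_verify().
        $passwordHash = md5(md5($password) . sha1($password));
        $table = 'user';
        // Look the user up by username with a bound parameter so request data
        // can never alter the SQL; the password hash is compared in PHP below.
        $res = Db::query(
            "select * from " . $table . " where username = :username",
            array('username' => $username)
        );
        if(!(is_array($res) && !empty($res)))
        {
            throw new Exception("用户名或密码错误");
        }
        // Pick the row whose stored hash matches, in constant time; the same
        // message is used for an unknown user and a wrong password.
        $userInfo = null;
        foreach ($res as $row) {
            $stored = isset($row['password']) ? (string) $row['password'] : '';
            if (hash_equals($stored, $passwordHash)) {
                $userInfo = $row;
                break;
            }
        }
        if($userInfo === null)
        {
            throw new Exception("用户名或密码错误");
        }
        $token = $this->getUserToken(32);
        // Lifetime is stored as creation time plus a duration in seconds; the
        // base controller accepts the token while token_create + expire is in
        // the future.
        $data = array(
            'token' => $token,
            'token_create' => time(),
            'expire' => '3600'
        );
        $where = array(
            'id' => $userInfo['id']
        );
        Db::table($table)->where($where)->update($data);
        $result = array(
            'id' => $userInfo['id'],
            'token' => $token,
            'username' => $userInfo['username'],
            'user_type' => $userInfo['type'],
        );
        $this->ajaxReturn(array(
            'code' => 1,
            'msg' => '登录成功',
            'data' => $result,
        ));
    }catch(Exception $e){
        $this->ajaxReturn(array(
            'code' => -1,
            'msg' => $e->getMessage()
        ));
    }
}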
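/**
 * Returns a random hexadecimal token of exactly $length characters.
 *
 * @param int $length number of characters wanted; the sign is ignored
 * @return string lowercase hex string of length abs($length) ('' for 0)
 */
function getUserToken($length)
{
    // Negative requests are treated as positive, as before.
    $length = abs((int) $length);
    if ($length === 0) {
        return '';
    }
    // random_bytes() is a CSPRNG. The previous md5(uniqid()) sliced at an
    // mt_rand() offset was predictable and could also return fewer than
    // $length characters (a 32-char request could yield 31). Each byte gives
    // two hex digits, so round up and trim to the exact length.
    return substr(bin2hex(random_bytes(intdiv($length + 1, 2))), 0, $length);
}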
/**
 * Emits $data as a JSON response body and terminates the script.
 *
 * @param mixed $data value handed to json_encode()
 */
private function ajaxReturn($data)
{
    // Serialise first, then send the content-type header and the body.
    $json = json_encode($data);
    header('Content-Type:application/json; charset=UTF-8');
    echo $json;
    // Nothing may be written after the payload.
    exit;
}
3. 基础控制器
class BaseController extends Controller{
/**
 * Controller name
 */
protected $controller;
/**
 * Action method name; the string does not include "on"
 */
protected $action;
/**
 * Row of the currently authenticated user, as loaded by the constructor
 */
protected $user;
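/**
 * Authenticates the request before any action runs.
 *
 * Reads the token from the Authorization header, looks it up in the user table
 * and accepts it only while token_create + expire is still in the future; on
 * success the user row is kept in $this->user, otherwise a JSON body with
 * code 401 is emitted and the script exits. OPTIONS requests exit immediately
 * without any check.
 */
public function __construct () {
    $headers = getallheaders();
    if (strtolower($_SERVER['REQUEST_METHOD']) === 'options') {
        exit;
    }
    // HTTP header names are case-insensitive; accept either spelling that
    // getallheaders() may hand back.
    $token = isset($headers['Authorization'])
        ? $headers['Authorization']
        : (isset($headers['authorization']) ? $headers['authorization'] : '');
    $flag = false;
    // The header value is attacker-controlled and the query below is built by
    // string concatenation (getLocalData() shows no bind-parameter support
    // here), so only accept what getUserToken() can issue: up to 32 hex
    // characters. Anything else is treated as "no token" and never reaches
    // the SQL string.
    if(is_string($token) && preg_match('/^[0-9a-fA-F]{1,32}$/', $token) === 1)
    {
        $tableName = 'user';
        $sql = "select * from " . $tableName . " where token='" . $token . "' ";
        $model = Model::Agg();
        $res = $model->getLocalData($sql);
        if(isset($res[0]) && !empty($res[0]))
        {
            // Lifetime is stored as creation timestamp plus a duration in
            // seconds, both written at login.
            $expireTime = intval($res[0]['token_create']) + intval($res[0]['expire']);
            if($expireTime > time())
            {
                $this->user = $res[0];
                $flag = true;
            }
        }
    }
    if(!$flag)
    {
        // Not logged in, or token invalid/expired: reply 401 and stop.
        $this->ajaxReturn(array(
            'code' => 401,
            'msg' => 'Unauthorized'
        ));
    }
}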
/**
 * Row of the currently authenticated user, as loaded by the constructor.
 */
public function getUserInfo()
{
    $currentUser = $this->user;
    return $currentUser;
}
/**
 * Id of the authenticated user, or '' when the row has no id.
 */
public function getUserId()
{
    return $this->user['id'] ?? '';
}
/**
 * Username of the authenticated user, or '' when the row has no username.
 */
public function getUserName()
{
    return $this->user['username'] ?? '';
}
/**
 * Type of the authenticated user, or '' when the row has no type.
 */
public function getUserType()
{
    return $this->user['type'] ?? '';
}
/**
 * Whether a user row was loaded for this request (truthiness of $this->user).
 */
public function isLogin()
{
    return (bool) $this->user;
}
/**
* 验证token
*/
// public function checkToken()
// {
// $headers = getallheaders();
// $token = isset($headers['Authorization']) ? $headers['Authorization'] : '';
// $flag = false;
// if(empty($this->user))
// {
// header('HTTP/1.1 401 Unauthorized');
// header('status: 401 Unauthorized');
//
// header('HTTP/1.1 200 ok');
// header('status: 200 ok');
// exit;
// }
//
// }
/**
* 封装跳转
*/
# public function redirect($url){
# header('location:' . $url);
# exit;
# }
/**
 * Emits $data as a JSON response body and terminates the script.
 *
 * @param mixed $data value handed to json_encode()
 */
public function ajaxReturn($data)
{
    header('Content-Type:application/json; charset=UTF-8');
    print json_encode($data);
    // Nothing may be written after the payload.
    exit;
}
sword = $_REQUEST['password'];
$password = trim($passworassword = md5(md5($password) . sha1($pas
if(empty($username))
throw new Exception("请输入用户名");
}
if(empty($password))
{
throw new Exception("请输入密码");
}
$tableName = 'user';
$sql = "select * from " . $tableName . " where username='" . $username . "' and password='" .$password. "'";
$res = Db::query($sql);
if(!(is_array($res) && !empty($res)))
{
throw new Exception("用户名或密码错误");
}
$userInfo = $res[0];
$token = $this->getUserToken(32);
$table = 'user';
$data = array(
'token' => $token,
'token_create' => time(),
'expire' => '3600'
);
$where = array(
'id' => $userInfo['id']
);
$code = Db::table($table)->where($where)->update($data);
$result = array(
'id' => $userInfo['id'],
'token' => $token,
'username' => $userInfo['username'],
'user_type' => $userInfo['type'],
);
$this->ajaxReturn(array(
'code' => 1,
'msg' => '登录成功',
'data' => $result,
));
}catch(Exception $e){
$this->ajaxReturn(array(
'code' => -1,
'msg' => $e->getMessage()
));
}
}
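/**
 * Returns a random hexadecimal token of exactly $length characters.
 *
 * @param int $length number of characters wanted; the sign is ignored
 * @return string lowercase hex string of length abs($length) ('' for 0)
 */
function getUserToken($length)
{
    // Negative requests are treated as positive, as before.
    $length = abs((int) $length);
    if ($length === 0) {
        return '';
    }
    // random_bytes() is a CSPRNG. The previous md5(uniqid()) sliced at an
    // mt_rand() offset was predictable and could also return fewer than
    // $length characters (a 32-char request could yield 31). Each byte gives
    // two hex digits, so round up and trim to the exact length.
    return substr(bin2hex(random_bytes(intdiv($length + 1, 2))), 0, $length);
}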
private function ajaxReturn($data)
{
heade
class BaseController extends Controller{
/**
 * Controller name
 */
protected $controller;
/**
 * Action method name; the string does not include "on"
 */
protected $action;
/**
 * Row of the currently authenticated user, as loaded by the constructor
 */
protected $user;
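/**
 * Authenticates the request before any action runs.
 *
 * Reads the token from the Authorization header, looks it up in the user table
 * and accepts it only while token_create + expire is still in the future; on
 * success the user row is kept in $this->user, otherwise a JSON body with
 * code 401 is emitted and the script exits. OPTIONS requests exit immediately
 * without any check.
 */
public function __construct () {
    $headers = getallheaders();
    if (strtolower($_SERVER['REQUEST_METHOD']) === 'options') {
        exit;
    }
    // HTTP header names are case-insensitive; accept either spelling that
    // getallheaders() may hand back.
    $token = isset($headers['Authorization'])
        ? $headers['Authorization']
        : (isset($headers['authorization']) ? $headers['authorization'] : '');
    $flag = false;
    // The header value is attacker-controlled and the query below is built by
    // string concatenation (getLocalData() shows no bind-parameter support
    // here), so only accept what getUserToken() can issue: up to 32 hex
    // characters. Anything else is treated as "no token" and never reaches
    // the SQL string.
    if(is_string($token) && preg_match('/^[0-9a-fA-F]{1,32}$/', $token) === 1)
    {
        $tableName = 'user';
        $sql = "select * from " . $tableName . " where token='" . $token . "' ";
        $model = Model::Agg();
        $res = $model->getLocalData($sql);
        if(isset($res[0]) && !empty($res[0]))
        {
            // Lifetime is stored as creation timestamp plus a duration in
            // seconds, both written at login.
            $expireTime = intval($res[0]['token_create']) + intval($res[0]['expire']);
            if($expireTime > time())
            {
                $this->user = $res[0];
                $flag = true;
            }
        }
    }
    if(!$flag)
    {
        // Not logged in, or token invalid/expired: reply 401 and stop.
        $this->ajaxReturn(array(
            'code' => 401,
            'msg' => 'Unauthorized'
        ));
    }
}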
/**
 * Row of the currently authenticated user, as loaded by the constructor.
 */
public function getUserInfo()
{
    $currentUser = $this->user;
    return $currentUser;
}
/**
 * Id of the authenticated user, or '' when the row has no id.
 */
public function getUserId()
{
    return $this->user['id'] ?? '';
}
/**
 * Username of the authenticated user, or '' when the row has no username.
 */
public function getUserName()
{
    return $this->user['username'] ?? '';
}
/**
 * Type of the authenticated user, or '' when the row has no type.
 */
public function getUserType()
{
    return $this->user['type'] ?? '';
}
/**
 * Whether a user row was loaded for this request (truthiness of $this->user).
 */
public function isLogin()
{
    return (bool) $this->user;
}
/**
* 验证token
*/
// public function checkToken()
// {
// $headers = getallheaders();
// $token = isset($headers['Authorization']) ? $headers['Authorization'] : '';
// $flag = false;
// if(empty($this->user))
// {
// header('HTTP/1.1 401 Unauthorized');
// header('Content-Type:application/json; charset=UTF-8');
echo json_encode($data);