我需要根据数据库中给出的角色将用户重定向到不同的页面。登录页面上仅提供用户名和密码。我必须从数据库中获取角色,如下所示:
username | password | role
xxxxxx xxxxxx admin
xxxxxx xxxxxx trainer
xxxxxx xxxxxx trainer
xxxxxx xxxxxx Line Manager
这是我的代码:
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$sql="SELECT * FROM login WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
$role = mysqli_fetch_array($result);
if($role == "Admin"){
header("location:index.php");
exit();
}
elseif($role['role'] == "Trainer"){
header("location:index1.php");
exit();
}
elseif($role['role'] == "Line Manager"){
header("location:index2.php");
exit();
}
elseif($role['role'] == "Client"){
header("location:client.php");
exit();
}
}
else {
echo "Wrong Username or Password";
}
?>
答案 0 :(得分:2)
在您的代码中,第一个if语句检查$role,而其他语句检查$role['role']。我的猜测是你试图以“管理员”身份登录,这就是为什么它无法正常工作。
你的代码比我最初意识到的要错得多。
您正在将mysql_ *函数与mysqli_ *函数混合使用。这不仅是错误的,而且已经弃用了mysql_ *函数。 You should no longer use them
您可以直接在select语句中使用POST变量,让自己对SQL注入开放。解决此问题的方法是使用prepared statements。
免责声明:我在相当长的一段时间内没有使用过mysqli,因此此处提供的代码可能包含错误。
<?php
// Connect to server and select database.
$db = new mysqli($host, $username, $password, $db_name);
if( $db->connect_errno ){
die('Unable to connect to database [' . $db->connect_error . ']');
}
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
if ($stmt = $db->prepare("SELECT role FROM login WHERE `username`=? and `password`=?")) {
/* bind parameters for username and password */
$stmt->bind_param('ss', $myusername, $mypassword);
/* execute query */
$stmt->execute();
// If result matched $myusername and $mypassword, table row must be 1 row
if ($stmt->affected_rows == 1) {
// bind the result to a variable
$stmt->bind_result($role);
$stmt->fetch();
switch( $role ){
case 'Admin':
header("location:index.php");
exit();
case 'Trainer':
header("location:index1.php");
exit();
case 'Line Manager':
header("location:index2.php");
exit();
case 'Client':
header("location:client.php");
exit();
default:
echo "Wrong Username or Password";
}
}
$stmt->close();
}
$db->close();
?>
我个人更喜欢PDO(如下图所示)。我没有对代码进行测试,因此它也可能不完全准确,但它应该让你走上正确的道路。
<?php
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
try {
// Connect to server and select database.
$db = new PDO("mysql:host=$host;dbname=$db_name", $username, $password);
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$stmt = $db->("SELECT *, COUNT(*) as count FROM login WHERE `username`=:user and `password`=:pass");
$stmt->bindParam(':user', $myusername);
$stmt->bindParam(':pass', $mypassword);
if ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
$count = $row['count'];
// If result matched $myusername and $mypassword, table must be 1 row
if ($count == 1) {
switch( $row['role'] ){
case 'Admin':
header("location:index.php");
exit();
case 'Trainer':
header("location:index1.php");
exit();
case 'Line Manager':
header("location:index2.php");
exit();
case 'Client':
header("location:client.php");
exit();
default:
echo "Wrong Username or Password";
}
}
}
$db = null;
}
catch(PDOException $e) {
echo $e->getMessage();
}
?>
有关PDO的更多信息,请参阅:Why you Should be using PHP’s PDO for Database Access