我在PHP MySQL中遇到多级用户登录问题。我已经有了代码,但用户仍然可以访问管理网站,我的代码有什么问题?仍然,我确实有管理员和用户帐户的会话问题。谢谢!这是我的代码。
require('db.php');
session_start();
if (isset($_POST['username'])){
$account = stripslashes($_REQUEST['account']);
$account = mysqli_real_escape_string($con,$account);
$username = stripslashes($_REQUEST['username']); // removes backslashes
$username = mysqli_real_escape_string($con,$username); //escapes special
characters in a string
$password = stripslashes($_REQUEST['password']);
$password = mysqli_real_escape_string($con,$password);
//Checking is user existing in the database or not
$query = "SELECT * FROM users_detail WHERE account = '$account',username=
'$username' and password= '$password' ";
$result = mysqli_query($con,$query);
$rows = mysqli_num_rows($result);
if($account == "admin" && $rows['username'] = $username &&
$rows['password']=$password){
$_SESSION['username'] = $username;
header("Location: index.php"); // Redirect user to index.php
}
if($account == "user" && $rows['username'] = $username &&
$rows['password']=$password){
$_SESSION['username'] = $username;
header("Location: add user.php"); // Redirect user to index.php
}else{
echo " <div class='alert'>
Username/password is incorrect. Click <a href = 'login.php'>here</a> to log-in.
</div> ";
}
}else{
?>`
答案 0 :(得分:0)
mysqli_num_rows($result)
返回行数。
因此,在$result = mysqli_query($con,$query);
之后,您需要使用mysqli_fetch_array($query)
答案 1 :(得分:0)
您所谈论的是RBAC(角色基本访问控制)。
if($account == "admin" && $rows['username'] = $username && $rows['password']=$password){
$_SESSION['username'] = $username;
$_SESSION['access'] = $account;
}
在您希望管理员访问的网页上,您可能应该将用户重定向到家中或发送未经授权的访问消息。
if(isset($_SESSION['access']) && $_SESSION['access'] != 'admin') {
header("Location: index.php");
}
此外,如果您正在根据角色寻找更多控制权,我建议您使用类似的库 http://phprbac.net/
答案 2 :(得分:0)
首先,像使用$ account一样创建管理员角色 当用户登录时将admin_role保存在会话中,
$admin_user = $_SESSION['admin_user'] ;
$normal_user = $_SESSION['normal_user'] ;
管理员网站中的,例如admin.php,您不希望普通用户查看的页面 写这个{完美地写在header.php}
if(isset($_SESSION['username'])){
//meaning user is logged in
if(isset($_SESSION['admin_user']) or isset($_SESSION['normal_user'])){
if( $_SESSION['admin_user'] !== 'admin_user' ){
header('Location: somewhere.php');
}
}
}else{
//meaning user is not logged or session had terminated
header('Location: index.php');
}
答案 3 :(得分:0)
您似乎正在尝试在您的网站上实施基于角色的访问控制。
以下是使用预准备语句的可能实现:
<?php
// db.php should create a mysqli insance:
// $con = new mysqli("host", "username", "password", "databaseName");
require('db.php');
session_start();
if (isset($_POST['username']) && isset($_POST['password'])) {
//Checking is user existing in the database or not
$query = "SELECT * FROM users_detail WHERE username = ? and password = ?";
//use prepared statement
$stmt = $con->prepare($query);
$stmt->bind_param('ss', $_POST['username'], $_POST['password']);
$stmt->execute();
$result = $stmt->get_result();
if ($result->num_rows !== 0) {
//fetch user from database.
$user = $result->fetch_assoc();
//check if user is an admin.
if($user['account'] === "admin") {
$_SESSION['username'] = $username;
header("Location: admin.php"); //admin's page
}
//check if user is a normal user.
if($user['account'] === "user") {
$_SESSION['username'] = $username;
header("Location: user.php"); //user's page
}
} else {
echo '<div class="alert">Username/password is incorrect. Click <a href="login.php">here</a> to log-in.</div>';
}
//free memory used by the prepared statement.
$stmt->close();
} else {
//username and password not provided.
}
?>
答案 4 :(得分:0)
这是完整的解决方案,
1,在您的用户表中,您需要创建一个列调用user_role 表中的每个用户都是admin或normal_user
在log.php中2,首先获取数据库获取user_role值,当您验证用户密码和db密码时,保存为会话。
<?php
if( isset($_POST['login_btn'])){ // someone click login btn
$username = clean($_POST['username']);
//clean is the custom function to remove all harmful code
$password = clean($_POST['password']);
// run query to get db username & password i am using prepare stmt for more secure , you can use mysqli_fetch_array , but need to implement mysql_real_escape_string for sql injection
$stmt = mysqli_prepare($connection,"SELECT username,password,email,user_role FROM your table WHERE username = ? ");
//$connection is your db connection
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $bind_username,$bind_password,$bind_email,$bind_user_role);
confirm($stmt); // confirm is also custom function to check query is successful execute
while (mysqli_stmt_fetch($stmt)) {
$db_username = $bind_username;;
$db_password = $bind_password ;
$db_email = $bind_email ;
$user_role = $bind_user_role ;
}
// do form validation
if($username =="" or $password =="" ){
echo 'All Fileds Are Required';
}elseif( $username !== $db_username ){
echo 'username not existed';
}else{
if( password_verify($password, $db_password)){
// assuming your using password_hash function to verify , or you can just use simply compare $password == db_password
// if password_verify return true meaning correct password then save all necessary sessions
$_SESSION['username'] = $db_username ;
$_SESSION['user_email'] = $db_email ;
$_SESSION['user_role'] = $user_role ;
// first method -> header('Location: portal.php');
// you can now direct to portal page{1st method } where all admin or normal user can view
// or you can now do separate redirection (2nd method below )
// remember $user_role will == 'admin' or 'normal_user'
if( $user_role == 'admin' ){
header('Location: page_admin_will_view.php');
}elseif( $user_role == 'normal_user' ){
header('Location: page_normal_user_will_view.php');
}
}else{
echo 'incorrect password';
}
}
} // end of post request
?>
3普通用户如何不小心访问管理页面? 我们已经考虑过这个并做了一些额外的工作 将下面的代码放在page_admin_will_view.php标题
中<?php
if( isset($_SESSION['user_role'] )){
// meaning user is logged in
if( $_SESSION['user_role'] !== 'admin'){
// meaning user_role is not amind , redirect to the page normal user belongs to
header("Location: ../normal_users.php");
}
} else{
//redirect to somewhere meaning user is not logged in
header("Location: ../somewhere.php");
}
?>
我希望这会对你有所帮助,而我正在使用它,它可能不是一个完美的解决方案。但它对我有用。哈哈