登录系统:多用户(管理员和用户)

时间:2019-05-04 14:14:13

标签: php mysql

每次我使用用户帐户登录时,它将带我进入管理页面而不是用户页面。另外,我使用哈希算法来保护密码,但是每次尝试使用正确的密码登录时,密码将无法正常工作。

我可以使用Admin和User Accounts登录。但是,密码是经过哈希处理的,因此当我尝试使用该密码登录时它无法使用。当我注销时也会出现错误。我可以登录的唯一方法是,如果我手动更改了在mysql数据库上显示为散列的密码,则将其更改为原始密码(但是,此密码意味着该密码可以由该用户的每个用户看到,就像我拥有的​​一样)手动更改)。

<?php
session_start();
$heading = 'Login/Register';
require 'layout.php';
?>

<?php
$server = 'v.je';
$username = 'student';
$password = 'student';

$schema = 'csy2028';
$pdo = new PDO('mysql:dbname=' . $schema . ';host=' . $server, $username, $password,
[ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

if (isset($_POST['signup'])){
    $name = $_POST['name'];
    $email = $_POST['email'];
    $username = $_POST['username'];
    $password = $_POST['password'];
    $password_encrypted = password_hash($password, PASSWORD_BCRYPT);

    $insert = $pdo->prepare("INSERT INTO users (name, email, username, password)
    VALUES(:name, :email, :username, :password)");

    $insert->bindParam(':name', $name);
    $insert->bindParam(':email', $email);
    $insert->bindParam(':username', $username);
    $insert->bindParam(':password', $password_encrypted);
    $insert->execute();
}
else if (isset($_POST['login'])){
    $username = $_POST['username'];
    $password = $_POST['password'];
    $us=$_POST['userType'];

    $select = $pdo->prepare("SELECT * FROM users WHERE username='$username' and password='$password' and userType='$us' ");
    $select->setFetchMode(PDO::FETCH_ASSOC);
    $select->execute();

    $data=$select->fetch();
    $admin = "admin/ham123";
    $admin = "admin";

    if($data['username']!=$username && $data['password']!=$password){
        echo "invalid username or password";
    }
    else if($data['username']==$username && $data['password']==$password){
        $_SESSION['adminloggedin']=$data['email'];
        $_SESSION['name']=$data['name'];

    header("location:adminprofile.php");
    }

    else if($data['username']==$username && $data['password']==$password &&     $us==$data['userType']){
        $_SESSION['email']=$data['email'];
        $_SESSION['name']=$data['name'];

    header("location:userprofile.php");
    }
}

?>
<form id='login' action='login.php' method='post'>
<fieldset >
<legend>Login</legend>
<label for='username' >Username:</label>
<input type='text' name='username' id='username' maxlength="50" />
<label for='password' >Password*:</label>
<input type='password' name='password' id='password' maxlength="50" />
<select name="userType" >
            <option value="" disabled selected>Select User Type</option>
            <option value="User">User</option>
            <option value="Admin">Admin</option>
        </select>
        <label>User Type</label>
<button class="button" name="login" style="vertical-align:middle"><span>Login</span></button>
</fieldset>
</form>

<form id='register' action='login.php' method='post' enctype="multipart/form-data">
<fieldset >
<legend>Register User</legend>
<input type='hidden' name='submitted' id='submitted' value='1'/>
<label for='name' >Name: </label>
<input type='text' name='name' id='name' maxlength="50" />
<label for='email' >Email:</label>
<input type='text' name='email' id='email' maxlength="50" />
<label for='username' >Username:</label>
<input type='text' name='username' id='username' maxlength="50" />
<label for='password' >Password*:</label>
<input type='password' name='password' id='password' maxlength="50" />
<button class="button" name="signup" style="vertical-align:middle"><span>Register</span></button>
</fieldset>
</form>

<?php
require 'footer.php'
?>

1 个答案:

答案 0 :(得分:0)

您应更改密码验证码$data['password']==$password,该密码应为:

password_verify ($password , $data['password'])

编辑

您还有其他问题。选择:

 $select = $pdo->prepare("SELECT * FROM users WHERE username='$username' and password='$password' and userType='$us' ");
 $select->setFetchMode(PDO::FETCH_ASSOC);
 $select->execute();

将永远不会返回任何东西,因为您对密码进行了哈希处理以将其存储在数据库中,并且知道您正在将其与纯文本密码进行比较。您应该将其更改为:

$select = $pdo->prepare("SELECT * FROM users WHERE username='$username' and userType='$us' ");
$select->setFetchMode(PDO::FETCH_ASSOC);
$select->execute();

现在,您可以从数据库中获取密码哈希并进行比较。因此,其余代码应为:

if(!password_verify ($password , $data['password'])){
        echo "invalid username or password";
    } else if($data['userType']=='admin'){
        $_SESSION['adminloggedin']=$data['email'];
        $_SESSION['name']=$data['name'];
        header("location:adminprofile.php");
    } else {
        $_SESSION['email']=$data['email'];
        $_SESSION['name']=$data['name'];
        header("location:userprofile.php");
    }

您不需要验证用户,因为您已经在数据库中对其进行了验证。因此,如果密码错误,则会收到错误消息,如果可以,请测试用户类型是否为“ admin”(或所需的其他类型)。如果可以,请以管理员身份登录,否则以用户身份登录。

相关问题
最新问题