PHP&每个成员组的MySQL限制区域

时间:2013-03-04 12:59:36

标签: php mysql permissions

我有一个表$ $成员有4个colums($ id,$ username,$ password,$ usergroup)含义(1,john,123,admin)。我喜欢用户组管理员可以访问一个页面,而usergroup成员和访客没有。

这是我在索引页面上的登录表单:

 <table width="300" border="0" align="center" cellpadding="0" cellspacing="1"      bgcolor="#CCCCCC">
 <tr>
 <form name="form1" method="post" action="checklogin.php">
 <td>
 <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
 <tr>
 <td colspan="3"><strong>Member Login </strong></td>
 </tr>
 <tr>
 <td width="78">Username</td>
 <td width="6">:</td>
 <td width="294"><input name="myusername" type="text" id="myusername"></td>
 </tr>
 <tr>
 <td>Password</td>
 <td>:</td>
 <td><input name="mypassword" type="password" id="mypassword"></td>
 </tr>
 <td>&nbsp;</td>
 <td>&nbsp;</td>
 <td><input type="submit" name="Submit" value="Login"></td>
 </tr>
 </table>
 </td>
 </form>
 </tr>
 </table>

这是我的checklogin.php

<?php
////// 
////// Checks for members 
//////
$host="localhost"; // Host name 
$username="#"; // Mysql username 
$password="#"; // Mysql password 
$db_name="#"; // Database name 
$tbl_name="members"; // Table name 


// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword'];  

// encrypt password 
$encrypted_mypassword=md5($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and                password='$encrypted_mypassword'";
$result=mysql_query($sql);

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

// Register $myusername, $mypassword and redirect to file "manage-post.php"
session_register("myusername");
session_register("mypassword"); 
header("location:../admincp/manage-post.php");
}
else {
echo "Wrong Username or Password";
}
?>

这是放在我的每个页面上,以检查一个人是否已登录并允许访问已记录的用户并限制对未记录的访问:

<?php
////////
//////// Checks are you logged in or logged out
////////
session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
}
?>

那么上面最后一段代码应该调整一下,以便某些页面只允许使用$ usergroup = admin的成员和阻止用户使用$ usergroup = member或guest?

2 个答案:

答案 0 :(得分:1)

在SESSION中存储了$ usergroup   $_SESSION['usergroup']=$usergroup 并在此代码中添加您想要的条件 喜欢, if($_SESSION['usergroup']==admin) { //condition }

答案 1 :(得分:1)

向您的表添加权限列,为您希望他们有权访问的成员分配(管理员,经理)权限。然后添加会话权限变量:

/* in login validation form */   
$data = mysql_fetch_array($results);
$priv = $data['privilege'];

$(!$_SESSION){
$_SESSION(start);
$_SESSION['user'] = $myusername;
$_SESSION['priv'] = $priv;
}
/* in the file which you want to restrict access to */
if($_SESSION['priv'] != 'manager' || $_SESSION['priv'] != 'admin'){
header("location:main_login.php");
}