Question

我想基于登录用户的AccessLevel来保护“显示”页面

函数protect_page（）无法正常访问具有任何访问级别的任何用户

我使用两个表之间的关系：特权表

    +----------------------------------+
    |  AccessLevel | login_id  | pre_id|
    |----------------------------------|
    |      1       |    1     |   1    |
    |      2       |    1     |   2    | 
    |      4       |    2     |   4    |
    +----------------------------------+

这是login_pre table：

    +----------------------------------+
    |  username| userpass | login_id   |
    |----------------------------------|
    |      a   |    123   |   1        |
    |      a   |    123   |   1        | 
    |      b   |   1234   |   2        |
    +----------------------------------+

和特权页面代码

ob_start();
session_start();
include 'C:\xampp\htdocs\database\agtdatabase\agt_site\connection\connect.php';
$query ="SELECT * FROM privilege " ;
$result = mysqli_query($link,$query) or die('');    

             if(isset($_SESSION['sessionloginid']))// point to id of user logged in
        {  
        $query ="SELECT * FROM privilege where login_id='".$_SESSION['sessionloginid']."'" ;
        $result = mysqli_query($link,$query) or die('');
        while($row = mysqli_fetch_array($result, MYSQLI_ASSOC))
                {
        $access = $row['AccessLevel'];
            $_SESSION['sessionloginid'];
             echo $_SESSION['sessionaccess'];// output:  1
                }
        }

    ob_end_flush();

和保护页面的代码：

include_once('C:\xampp\htdocs\database\agtdatabase\agt_site\login2\privilege.php');

function login()
    {
return (isset($_SESSION['sessionloginid'])) ? true:false ;
echo $_SESSION['sessionloginid'];
    }login();



function privilege()
            {
                return $_SESSION['sessionaccess'];

                }

function protect_page(){
    if($_SESSION['sessionloginid']== true && $_SESSION['sessionaccess'] !=1 ){


header ('location:http://localhost/database/agtdatabase/agt_site/agtSite/agt2.php');    
//echo $_SESSION['sessionaccess']; output nothing when user a logged in
exit();             
    }

}

Answer 1

似乎有很多事情要解决，这里有几个：

//the if statement will only be entered if sessionloginid is set, only set inside the statement, which will never be entered
if(isset($_SESSION['sessionloginid'])) {  
    //you should use prepared statements.  Query will never run here, since the sessionloginid is never set.
    $query ="SELECT * FROM privilege where login_id='".$_SESSION['sessionloginid']."'" ;
    //your login_id used above is not unique.  It should be a key, and autoincremented
    $result = mysqli_query($link,$query) or die('');
    //since login_id is not unique, this while loop will replace the session variables you will set with the last row returned.
    while($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
        //storing access level, but never used again
        $access = $row['AccessLevel'];
        //the following two lines don't do anything
        $_SESSION['sessionloginid'];
        $_SESSION['sessionaccess'];
        //Example replacement: $_SESSION['sessionloginid'] = $row['login_id'];
    }
}

下一期：

function login() {
    //this function will return true or false, but does not set or do anything.  Intentional?
    return (isset($_SESSION['sessionloginid'])) ? true:false ;
    //this echo will not run, since the function stops on return
    echo $_SESSION['sessionloginid'];
}
//calling login here does nothing, since login only returns a Boolean value.
login();

保护永远不会运行header（），因为sessionloginid永远不会设置为true，并且永远不会设置会话访问。

function protect_page(){
  //sessionloginid is never set, so will never be true
  if($_SESSION['sessionloginid']== true && $_SESSION['sessionaccess'] !=1 ){
    header ('location:http://localhost/database/agtdatabase/agt_site/agtSite/agt2.php');    
    //echo $_SESSION['sessionaccess']; output 12 when user a logged in
    exit();             
  }
}

我意识到这并没有完全回答这个问题，但我希望能让你朝着正确的方向前进。解决这些问题，让我知道你得到了什么。旁注：login_id应该是表键，我想。它应该是自动增量和独特的。否则，您可以获得多个结果，而不是唯一的用户登录。例如，login_id为1可以授予访问级别1或2，因为每个访问级别的login_id为1。

如何保护“显示”页面？

1 个答案: