我想创建一个带登录的管理页面,如果用户已登录并且他在我的数据库中是管理员,则必须显示内容,如果不是管理员,则会显示内容但没有某些权限。如果用户和密码与任何用户和密码表单数据库不匹配,则必须出现消息错误。
这是我的HTML代码:
<form action="admin.php" method="post">
<table>
<tr><td>
<label>User:   </label> </td> <td><input type="text" class="text" name="user"/> <span></span>
</td></tr>
<tr><td>
<label>Password:</label> </td> <td> <input type="password" class="text" name="pass"/> <span></span>
</td></tr>
<tr ><td colspan="2">
<p align=center><input type="submit" class="submit" value="Log In" /> </p>
</td></tr>
这是我的PHP代码:
<?php
require_once('config.php');
$user = $_POST['user'] ;
$pass = $_POST['pass'] ;
$sql='SELECT * FROM users';
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
?>
我的表是:
|ID_user| user |password|is_admin|
| 1 |admin | admin | 1 |
谢谢!
答案 0 :(得分:3)
我做到了!答案是:
admin.php的
<div id="content">
<div id="main_r">';
require_once('config.php');
if (isset($_GET['err'])){
$err=$_GET['err'];
if($err==1)
echo'<h4>Pls insert user and pass!</h4>';
else if ($err==2)
echo'<h4>User and pass are incorect!</h4>';
}
if(!isset($_COOKIE["TestCookie"]))
echo'
<form action="dologin.php" method="post">
<table>
<tr><td>
<label>User:   </label> </td> <td><input type="text" class="text" name="user"/> <span></span>
</td></tr>
tr><td>
<label>Pass:</label> </td> <td> <input type="password" class="text" name="pass"/> <span></span>
</td></tr>
<tr ><td colspan="2">
<p align=center><input type="submit" class="submit" value="Log In" /> </p>
</td></tr>
</table>';
else{
$curr = $_COOKIE['TestCookie'];
$sql = "SELECT user, admin FROM useri WHERE ID_user='$curr'";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
echo'<h4>Welcome '.$row['user'].'</h4>
</div>';
}
dologin.php
<?php
require_once('config.php');
if (isset($_POST['user']) && isset($_POST['pass']))
{
$user = $_POST['user'] ;
$pass = $_POST['pass'] ;
$pass_hash = md5($pass);
$err = 0;
if (!empty($user) && !empty($pass))
{
$sql="SELECT ID_user FROM useri WHERE user='$user' AND password='$pass_hash'";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if ($result)
{
$num_rows = mysql_num_rows($result);
if($num_rows==0)
$err=2;
else if ($num_rows==1)
{
$ID_user = $row['ID_user'];
//echo $ID_user;
setcookie("TestCookie",$ID_user, time()+3600);
}
}
} else
$err=1;
header("Location: http://yoursite/admin.php?err=".$err);
exit;
}
?>
答案 1 :(得分:2)
你的SQL已经......不好。你正在使用mysql_,但现在让我们跳过它。您没有检查用户是否存在以及密码是否匹配。
$result = mysql_query("SELECT * FROM `users` WHERE `username` = $user AND `password` = $pass");
if(mysql_num_rows($result) > 0) { //so if user exists where user = adimouse91 and pass = mouse, it'll be one
echo 'this is content for logged in users';
}
$isAdmin = mysql_fetch_assoc($result);
if($isAdmin['is_admin'] == '1') {
echo 'this is content for admins';
}
我没有考虑一般的密码盐和散列(你应该做的!)或会话。会话让您的生活更轻松(想象一下,如果您可以做if($_SESSION['admin'] == 1) { }
!)。