Pulling the user's access level from the database and adding it to the session

Time: 2014-01-17 11:59:28

Tags: php mysql login acl

I'm working on a simple PHP & MySQL application and have been asked to add simple ACL functionality with 3 access levels: admin (can do everything), editor (can add and edit data) and reader (can only read data and do zero editing).

I've assigned each role a value, 1 for admin, 2 for editor and 3 for reader, and added it to the user-add form and the db. What I need now is a way to pull it into the login session so it can be checked at various levels (the menu and some pages).

What I have so far is below.

Login function

    public function login($username, $password) {

        global $bcrypt;  // Get the bcrypt object, which is defined in init.php, included by login.php where this function is called

        $query = $this->db->prepare("SELECT `password`, `id` FROM `users` WHERE `username` = ?");
        $query->bindValue(1, $username);

        try {

            $query->execute();
            $data = $query->fetch();

            if ($data === false) { // no such user: fetch() returns false, so do not index into it
                return false;
            }

            $stored_password = $data['password']; // stored hashed password
            $id              = $data['id']; // id of the user to be returned if the password is verified, below.

            if ($bcrypt->verify($password, $stored_password) === true) { // compare the password with the stored hash
                return $id; // returning the user's id
            } else {
                return false;
            }

        } catch (PDOException $e) {
            die($e->getMessage());
        }

    }

Login page.

    <?php
    $title = "Login";
    require_once 'includes/header.php';
    $general->logged_in_protect();
    ?>

    <h1>Login</h1>

    <?php
    if (empty($errors) === false) {
        echo '<p>' . implode('</p><p>', $errors) . '</p>';
    }
    ?>

    <form method="post" action="">
        <h4>Username:</h4>
        <input type="text" name="username" value="<?php if (isset($_POST['username'])) echo htmlentities($_POST['username']); ?>" />
        <h4>Password:</h4>
        <input type="password" name="password" />
        <br>
        <input type="submit" name="Login" />
    </form>
    <br>
    <a href="confirm-recover.php">Forgot your username/password?</a>

    <?php
    require_once 'includes/footer.php';
    if (empty($_POST) === false) {

        $username = trim($_POST['username']);
        $password = trim($_POST['password']);

        if (empty($username) === true || empty($password) === true) {
            $errors[] = 'Sorry, but we need your username and password.';
        } else if ($users->user_exists($username) === false) {
            $errors[] = 'Sorry, that username doesn\'t exist.';
        } else if ($users->email_confirmed($username) === false) {
            $errors[] = 'Sorry, but you need to activate your account.
                         Please check your email.';
        } else {
            $login = $users->login($username, $password);
            if ($login === false) {
                $errors[] = 'Sorry, that username/password is invalid';
            } else {
                session_regenerate_id(true); // destroy the old session id and create a new one
                $_SESSION['id'] = $login;

                header('Location: index.php');
                exit();
            }
        }
    }
    ?>

Hopefully someone can point me in the right direction.

1 Answer:

Answer 0 (score: 1)

Look below at what I did at "/* EDIT IS HERE */". You need to run session_start(); at the top of the page to initiate the session; it should be in the config file. Then you need to pull it from the database and store it in the $_SESSION global variable.

I know from your G+ that you're new to PHP. However, one of the worst ways to do PHP is to use inline PHP. It's not necessarily /wrong/ but you should avoid inline PHP. Keep PHP and HTML separate; sorting out errors is much easier.

    public function login($username, $password) {

        global $bcrypt;  // Get the bcrypt object, which is defined in init.php, included by login.php where this function is called

        /* EDIT IS HERE */
        $query = $this->db->prepare("SELECT `password`, `AccessLevel`, `id` FROM `users` WHERE `username` = ?");
        $query->bindValue(1, $username);

        try {

            $query->execute();
            $data = $query->fetch();

            if ($data === false) { // no such user: fetch() returns false, so do not index into it
                return false;
            }

            $stored_password = $data['password']; // stored hashed password
            $id              = $data['id']; // id of the user to be returned if the password is verified, below.

            if ($bcrypt->verify($password, $stored_password) === true) { // compare the password with the stored hash

                /* EDIT IS HERE */
                $_SESSION['AccessLevel'] = $data['AccessLevel']; // keep the role from the db in the session for later checks
                return $id; // returning the user's id
            } else {
                return false;
            }

        } catch (PDOException $e) {
            die($e->getMessage());
        }

    }

Login page

    <?php
    $title = "Login";
    /* EDIT IS HERE */
    session_start();


    require_once 'includes/header.php';
    $general->logged_in_protect();
    ?>

    <h1>Login</h1>

    <?php
    if (empty($errors) === false) {
        echo '<p>' . implode('</p><p>', $errors) . '</p>';
    }
    ?>

Bottom of the login page

    <?php
    require_once 'includes/footer.php';
    if (empty($_POST) === false) {

        $username = trim($_POST['username']);
        $password = trim($_POST['password']);

        if (empty($username) === true || empty($password) === true) {
            $errors[] = 'Sorry, but we need your username and password.';
        } else if ($users->user_exists($username) === false) {
            $errors[] = 'Sorry, that username doesn\'t exist.';
        } else if ($users->email_confirmed($username) === false) {
            $errors[] = 'Sorry, but you need to activate your account.
                         Please check your email.';
        } else {
            $login = $users->login($username, $password);
            if ($login === false) {
                $errors[] = 'Sorry, that username/password is invalid';
            } else {

                /* EDIT IS HERE */
                // Keep regenerating the session id on login (session fixation defence);
                // session_regenerate_id() carries the existing $_SESSION data over,
                // so the AccessLevel stored in login() survives it.
                session_regenerate_id(true);
                // Comparison, not assignment: "GURU" is a placeholder for one of the
                // role values from the question (1, 2 or 3).
                if ($_SESSION['AccessLevel'] === "GURU") {

                    $_SESSION['id'] = $login;

                    header('Location: index.php');
                    exit();
                }
            }
        }
    }
    ?>
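As an added example (not the asker's or the answerer's code), here is one way to put the pieces together: a login that stores the integer access level in the session, plus two helpers, `has_level()` and `require_level()`, for the menu and per-page checks the question mentions. It assumes the `users` table from the question with the `AccessLevel` column the answer names (1 = admin, 2 = editor, 3 = reader), a PDO connection in `$db`, and password hashes produced by `password_hash()`; the constant and function names are my own.

```php
<?php
// Added example; assumes `users`(`id`, `username`, `password`, `AccessLevel`)
// with AccessLevel 1 = admin, 2 = editor, 3 = reader, and a PDO handle in $db.

// Named levels, so pages never compare the session against magic strings.
const LEVEL_ADMIN  = 1;
const LEVEL_EDITOR = 2;
const LEVEL_READER = 3;

// Authenticate and populate the session. Returns the user id, or false.
function login_user(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT `id`, `password`, `AccessLevel` FROM `users` WHERE `username` = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still spend a bcrypt verification so the response time
        // does not reveal which usernames exist. The dummy hash is computed once.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy-password', PASSWORD_BCRYPT);
        }
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $row['password'])) {
        return false;
    }

    // New session id when privilege changes (session fixation defence).
    // Existing $_SESSION data is carried over, so setting values after is fine.
    session_regenerate_id(true);
    $_SESSION['id'] = (int) $row['id'];
    // Cast to int so strict comparisons against the LEVEL_* constants work
    // (PDO typically returns the column as a string).
    $_SESSION['AccessLevel'] = (int) $row['AccessLevel'];
    return (int) $row['id'];
}

// True if the logged-in user is at least as privileged as $required.
// Lower numbers are more privileged (1 = admin), so "at least" means <=.
function has_level($required)
{
    if (!isset($_SESSION['id'], $_SESSION['AccessLevel'])) {
        return false;
    }
    return (int) $_SESSION['AccessLevel'] <= (int) $required;
}

// Page guard: the check must happen server-side on every protected page;
// hiding a menu entry alone does not stop a user from typing the URL.
function require_level($required)
{
    if (!has_level($required)) {
        http_response_code(403);
        exit('Access denied');
    }
}

// Menu: editors and admins see "Add record", only admins see "Manage users".
function menu_items()
{
    $items = array('index.php' => 'Home');
    if (has_level(LEVEL_EDITOR)) {
        $items['add.php'] = 'Add record';
    }
    if (has_level(LEVEL_ADMIN)) {
        $items['users.php'] = 'Manage users';
    }
    return $items;
}

// Usage at the top of e.g. add.php (after the config file has called session_start()):
//     require_level(LEVEL_EDITOR);
// and in the header template:
//     foreach (menu_items() as $href => $label) { echo '<a href="' . $href . '">' . htmlentities($label) . '</a>'; }
```

The ordering matters: `require_level()` runs before any output, so a denied request gets a 403 instead of a half-rendered page, and the level is compared as an integer taken from the database at login rather than from anything the client sends.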