我正在尝试开发一个客户和管理员都可以登录的登录系统。客户将被发送回索引,管理员将被发送到控制面板。我的数据库中有一个用户表。这里有一个定义用户的级别;客户级别= 1且管理级别= 0。
我对PHP很新,并一直在互联网上寻找答案。我找到了我需要的两个版本。我不是100%确定它们是正确的,哪种是最好的。
示例1:
//indicate that sessions are to be used or started
session_start();
// Define $myusername and $mypassword from the form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// Query
$result= $dbh->query("SELECT * FROM users WHERE username='$myusername' AND password='$mypassword';");
// Mysql_num_row is counting table row
$count = $result->rowCount();
// Determine if user is "user" or "admin"
$userlevel = mysqli_query($con,"SELECT level FROM users WHERE username='$myusername';");
$level = mysql_fetch_row($userlevel);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1) {
// Start session, register $myusername, $mypassword and redirect to login_success.php
session_start();
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;
$_SESSION['level'] = $level;
// Redirect to appropriate page depending on user rights. Indicator 0 for user, 1 for admin.
if($_SESSION['level'] == 0)
{
//Admin Login
header("location:../php/admin.php");
}
if ($_SESSION['level']) == 1)
{
//Customer login
header("location:../login_success.php");
}
//flush the output buffer
ob_end_flush();
?>
示例2:
// Define $myusername and $mypassword from the form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$sql="SELECT * FROM users WHERE username='$myusername' and password='$mypassword' and level== '0'";
if($count==1){
$_SESSION["username"] = $username;
$_SESSION["password"] = $password;
$info = mysql_fetch_array($result);
if ($info['level'] == 0) {
header("location:../php/admin.php");
}
else
header("location:../index.html");
}
}
else {
echo "Incorrect password";
}
?>
非常感谢任何帮助。
答案 0 :(得分:0)
两个代码都以相同的方式工作。第二个代码块看起来更清晰。
尽管存在其他问题,但您的查询有0个注入保护。现在,将PDO用于数据库连接是一种很好的做法。
http://au2.php.net/manual/en/class.pdo.php
此外,虽然标题很好,但您需要检查管理页面以确保它们是管理员。并确保哈希密码并与哈希进行比较。也不要在会话中存储密码。
答案 1 :(得分:0)
第二个看起来好得多公平,我在学校学到了一些旧的东西,所以它很可能不是最好的方法,但是如果你想做的话它确实有效从中获取任何东西。
(正如上面所说的那样 - 在数据库中使用它们之前一定要对这些值进行一些验证)
$username=$_POST['myusername'];
$password=$_POST['mypassword'];
#very simple checks
if(!preg_match("#^[A-Za-z0-9_ ]*$#",$username) or !preg_match("#^[A-Za-z0-9 _.,\-\@]*$#",$password)){
$fail="No matching records found";
}
else if(empty($username) or empty($password)){
$fail="All fields are required";
}
else{
#search for user
$sql="SELECT * FROM Users WHERE Username='".$username."' AND Password ='".$password."'";
$result = mysql_query($sql);
$num = mysql_numrows($result);
if($num==1){
#get values
while ($login = mysql_fetch_row($result, MYSQL_BOTH)) {
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
if($row['level'])==0){
$_SESSION['admin'] = True;
header("location:../php/admin.php");
}
else{
$_SESSION['admin'] = False;
header("location:../login_success.php");
}
}
}
else{
$fail = "No matching records found";
}
}