无论如何,我是否可以通过此流程代码添加用户访问级别?我有我的注册码,这将允许普通用户注册。我将仅通过PHPMyAdmin设置管理员。如何使用此流程页面定义管理员用户访问级别?
CODE:login_process.php
<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
if (isset($_POST['email'], $_POST['p'])) {
$email = $_POST['email'];
$password = $_POST['p']; // The hashed password.
if (login($email, $password, $mysqli) == true) {
// Login success
header('Location: ./protected_page.php');
} else {
// Login failed
header('Location: ./index.php?error=1');
}
}
else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
?>
代码:登录功能
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
FROM members
WHERE email = ?
LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
示例代码:
if (login($username="admin_username") {
// Login admin success
header('Location: ./protected_page.php');
} else (login($email, $password, $mysqli) == true){
// Login success
header('Location: ./user.php');
}
} else {
// Login failed
header('Location: ./index.php?error=1');
}
答案 0 :(得分:0)
嗯,这取决于您在数据库中存储数据的方式,但是如果您的用户表包含列:user_name,password,user_type。
当您检查登录功能上的user_name和密码是否匹配时,您可以执行以下操作:
SELECT user_name, password, user_type FROM users WHERE user_name = '".$email."' AND password = '".$password"'";
然后检查返回的行数,如果返回0,则凭据不匹配,您不会记录用户。如果匹配,则可以使用{{1}重定向你想要的地方。
如果您可以发布您的登录功能,我可以向您解释如何在代码中显示更改。
编辑:在发布登录功能后添加固定功能。
登录验证:
user_level
登录功能:
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
if (isset($_POST['email'], $_POST['p'])) {
$email = $_POST['email'];
$password = $_POST['p']; // The hashed password.
if (login($email, $password, $mysqli) == true) {
// Login success
//Redirecting to admin protected page for instance
if( isset($_session['user_type']) and $_session['user_type'] == 'admin' )
header('Location: ./protected_page.php');
else {
//redirect to normal logged user
header('Location: ./normal_user_logged.php');
}
} else {
// Login failed
header('Location: ./index.php?error=1');
}
}
else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
?>