根据角色重定向到页面

时间:2014-10-25 23:03:46

标签: php mysql

我重定向依赖于角色的用户; 

username  |  password  |  accessLevel
xxxxxx       xxxxxx       admin
xxxxxx       xxxxxx       member
xxxxxx       xxxxxx       none

我有以下check.php页面; 

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 

// To protect MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

// Register $myusername, $mypassword and redirect to file "index.php"
$_SESSION['myusername']= $myusername; 
$_SESSION['mypassword']= $mypassword;
$role = mysql_fetch_array($result);

 if($role['accessLevel'] == "admin"){
        header("location:index.php");
            exit();
      }
      elseif($role['accessLevel'] == "member"){
  header("location:tasks.php");
        exit();
     }

else {
echo "Error: Username, Password or Access Level incorrect! Go Home, you're Drunk!!!";
}

    }
ob_end_flush();
?>

这会将正确的角色重定向到正确的页面,但如果他们在同一目录中键入页面,他们也可以访问我不希望他们访问的其他页面,我想限制"成员"到某些页面和" admin"对于所有页面,我需要在页面顶部区分两个用户角色?

我在所有页面上都有以下内容; 

    <?php
session_start();
////if(!session_is_registered(myusername)){
if (!isset($_SESSION['myusername'])) {
header("location:main_login.php");
}

我可以更改此设置以限制依赖于accessLevel的页面吗?

3 个答案:

答案 0 :(得分:0)

我通过在check_login.php页面上分配会话名称来修复它,并在我想要限制为admin的页面上检查了isset。

我试过这个以前的但有语法错误,我现在已经在咖啡和新鲜空气后修复了。

答案 1 :(得分:0)

非常简单,我几乎在我的所有项目中都这样做了, 你要做的是, ALTENATIVE 1。  将角色传递到会话AS USERNAME,成功登录后,然后在每个页面的顶部启动会话并检查权限。 例如:admin.php for admin 

<?php
 session_start();
 if($_SESSION['accessLevel'] !== "admin"){ header("location:Adminlogin.php"); }
?>
 <!-- go whith your page -->

与成员的task.php相同

<?php  session_start();

if($ role ['accessLevel']!==“member”){header(“location:Memberlogin.php”); }?&gt;     

ALTENATIVE 2。 为成员和管理员提供不同的会话ID,

示例:从您的代码部分... 

<?php 
  //fetch its role in DB then assign, like
  if($role['accessLevel'] == "admin"){

   $_SESSION['admin']=$role['username'];

    header("location:index.php");

  }
  elseif($role['accessLevel'] == "member"){
  $_SESSION['member']=$role['username'];
  header("location:tasks.php");

 }

然后在加载整页首先检查访问,就像我上面做的那样 如果是

$_SESSION['admin'] 


$_SESSION['member'].

答案 2 :(得分:0)

Your page ha s the following mistake, you have to fix them.

1. you pass password as clear text (md() is needed for encryption)

2.you store password into sessionvariable, what for? ( if user log in sucessfull we take his/her id into session for other use not checking  login always.

3.stripslashes,mysql_real_escape_string are not ecure enough for you to pass the password direct, Query by username then compar

Also there is NOTICE on your code.

1. try to avoid the use of * in sqlSting(query statments),
tey hinder perfomance.
select only field tha you have to use.

2. there is no need of using exit() where you place them, if...else enough

3.Instead of
$myusername = stripslashes($myusername);
$myusername= mysql_real_escape_string($myusername);

you can have 

$myusername = stripslashes(mysql_real_escape_string($myusername));
相关问题
最新问题