是的,所以我有一个登录页面,需要能够在登录后为正确的用户加载正确的页面。管理员将拥有管理员页面,而用户将拥有其用户页面。 我有这个问题,无论是哪个用户,无论是管理员还是普通用户,谁登录,都会将他们引导到管理员页面。我需要帮助,因为它是一个学校项目,我将在周三安排一个中期审查演示。
到目前为止,这是我的编码:
的login.php
<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">
<title>Kinder App Login</title>
</head>
<style>
body {background-image: url("/KinderApp/images/Untitled-1.png"); background-repeat: no-repeat;}]
header {color:black; background-color:white;}
footer {color:green; background-color:lightgrey; }
h1 {font-family:Comic Sans, Comic Sans MS, cursive; font-size:50px; }
span {font-family:Comic Sans, Comic Sans MS, cursive; font-size: 15px; color:blue; }
div {font-family:Comic Sans, Comic Sans MS, cursive; font-size: 15px; color:red; }
table, th, td {border: 0px solid black; border-collapse: collapse; background: rgba(248,248,255,0.3);}
</style>
<script type="text/javascript">
function display_c(){
var refresh=1000; // Refresh rate in milli seconds
mytime=setTimeout('display_ct()',refresh)
}
function display_ct() {
var strcount
var x = new Date()
document.getElementById('ct').innerHTML = x;
tt=display_c();
}
</script>
<body onload=display_ct();>
<center><header>Kinder App</header></center>
<center><h1>Kinder App - Login</h1></center>
<center><table border="1" style="width:25%">
<tr>
<td><br></td>
<td><br></td>
</tr>
<tr>
<td><center>Username:</center></td>
<td><form name="myform" action="login_field.php" method="POST">
<center><input type=text name="user"/></center></td>
</tr>
<tr>
<td><center>Password:</center></td>
<td><center><input type=password name="pass"/></center></td>
</tr>
<tr>
<td>
<center><input type="submit" value="Login"></center></form>
</td>
<td>
<center><form action="Register.php" method="POST">
<center><input type="submit" value="Register"></center></form></center>
</td>
</tr>
<tr>
<td><br></td>
<td><br></td>
</tr>
</table></center>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<p align="right"><b><span id='ct' ></span></b></p>
<footer><center>Copyright © All Rights Reserved</center></footer>
</body>
</html>
&#13;
login_field.php
<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">
</head>
<style>
div {font-family:Comic Sans, Comic Sans MS, cursive; font-size: 20px; color:red; }
</style>
<?php
define ("DB_USER", "root");
define ("DB_PASSWORD", "");
define ("DB_HOST", "localhost");
define ("DB_NAME", "kp2admin");
$dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
$userName=$_POST["user"];
$password=$_POST["pass"];
$sql = "SELECT `Username`, `Password`, Role` FROM `users` WHERE `Password` LIKE '".$password."' ";
$result=mysqli_query($dbc, $sql);
if($result != $userName && $password && "Administrator"){
header('Location: http://localhost:81/KinderApp/KinderAppAdmin.html');
}
else if($result != $userName && $password && "User"){
header('Location: http://localhost:81/KinderApp/KinderAppUser.html');
}
else{
echo "<center><div><b>ACCESS DENIED!!!</b></div></center><br><center>Incorrect Login Credentials</center>";
}
mysqli_close($dbc);
?>
</body>
</html>
&#13;
修改
更新。我现在正在使用会话,但我现在遇到的问题是登录根本不起作用。每次我尝试登录时,我都会直接进入“拒绝访问”页面。
已编辑login_field.php
<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">
</head>
<style>
body {background-size: 14400px 900px;}
div {font-family:Comic Sans, Comic Sans MS, cursive; font-size: 70px; color:red; }
p {vertical-align:center; horizontal-align:center;}
</style>
<?php
define ("DB_USER", "root");
define ("DB_PASSWORD", "");
define ("DB_HOST", "localhost");
define ("DB_NAME", "kp2admin");
$dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
$userName=$_POST["user"];
$password=$_POST["pass"];
$password = md5($password);
$isAdmin = mysqli_query($dbc, "SELECT Username FROM users WHERE Username='".$userName."' AND Password='".$password."' AND Role = 'Administrator'") or die(mysqli_error());
$loginAdmin = mysqli_num_rows($isAdmin);
$isUser = mysqli_query($dbc, "SELECT Username FROM users WHERE Username='".$userName."' AND Password='".$password."' AND Role = 'User'" ) or die(mysqli_error());
$loginUser = mysqli_num_rows($isUser);
$login=0;
if($loginAdmin == 1){
session_start();
$_SESSION['Username'] = $userName;
header("Location: http://localhost:81/KinderApp/KinderAppAdmin.html");
}
else if($loginUser == 1){
session_start();
$_SESSION['Username'] = $userName;
header("Location: http://localhost:81/KinderApp/KinderAppUser.html");
}
else if($login == 0){
echo "<center><p><div><b>ACCESS DENIED!!!</b></div></center><br><center>Incorrect Login Credentials</p></center>";
echo "<form action='Login.php' method='POST'><center><input type='submit' value='Back'></center></form>";
}
mysqli_close($dbc);
?>
</body>
</html>
&#13;
答案 0 :(得分:0)
<?php
# Define connection (PDO//MYSQL)
define('DB_TYPE', 'mysql');
define('DB_HOST', 'localhost');
define('DB_NAME', 'db_name');
define('DB_USER', 'user');
define('DB_PASS', 'pass');
$db = new PDO(DB_TYPE . ':host=' . DB_HOST . ';dbname=' . DB_NAME, DB_USER, DB_PASS, $options);
# Set up variables for use. Look up bcrypt as plaintext passwords = BIG NO NO
$userName=$_POST["user"];
$password=$_POST["pass"];
# Set up SQL query. You weren't using `username` in your where clause
# Binding variables ($query->bindValue) means the query treats them as a string
# and *shouldn't* execute any malicious SQL code supplied by a user
$sql = "SELECT `Username`, `Password`, `Role` FROM `users` WHERE `Username` = :user AND `Password` = :pass";
$query = $db->prepare($sql);
$query->bindValue(':user', $userName);
$query->bindValue(':password', $password);
$query->execute();
# Checks if a valid result is returned. This is basic - there are better ways to do it
# but this is a good start
if ($result = $query->fetch(PDO::FETCH_OBJ)) {
# Object attributes are accessed as $result->field_name, this checks if it's "administrator"
if ($result->Role == "Administrator") {
header('Location: http://localhost:81/KinderApp/KinderAppAdmin.php');
} elseif ($result->Role == "User") {
header('Location: http://localhost:81/KinderApp/KinderAppUser.php');
}
}
# Behaviour for failed login
else {
echo "<center><div><b>ACCESS DENIED!!!</b></div></center><br><center>Incorrect Login Credentials</center>";
}
?>
PDO将阻止(大多数)SQL注入与绑定变量一起使用。这种方式更加安全。此外,您还没有加密密码(为此搜索bcrypt)。
您should also be using sessions to set user data并使用此功能对受限制区域进行身份验证,因为用户只需直接访问您的其他某个网页,而无需通过登录过程。
答案 1 :(得分:-5)
$sql = "SELECT `Username`, `Password`, Role` FROM `users` WHERE `Password` LIKE '".$password."' ";
请尝试以下
$sql = "SELECT `Username`, `Password`, Role` FROM `users` WHERE `Password` ='".$password."' AND Username='".$userName."' ";
$result=mysqli_query($dbc, $sql);
$data=mysqli_fetch_array($result,MYSQLI_ASSOC);
if($data['Role'] == "Administrator"){
header('Location: http://localhost:81/KinderApp/KinderAppAdmin.html');
}
else if($data['Role'] == "User"){
header('Location: http://localhost:81/KinderApp/KinderAppUser.html');
}