Question

是的，所以我有一个登录页面，需要能够在登录后为正确的用户加载正确的页面。管理员将拥有管理员页面，而用户将拥有其用户页面。我有这个问题，无论是哪个用户，无论是管理员还是普通用户，谁登录，都会将他们引导到管理员页面。我需要帮助，因为它是一个学校项目，我将在周三安排一个中期审查演示。

到目前为止，这是我的编码：

的login.php

＆＃13;

<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">
<title>Kinder App Login</title>
</head>
<style>
  body {background-image: url("/KinderApp/images/Untitled-1.png"); background-repeat: no-repeat;}]
  header   {color:black; background-color:white;}
  footer    {color:green; background-color:lightgrey; }
  h1 {font-family:Comic Sans, Comic Sans MS, cursive; font-size:50px; }
  span {font-family:Comic Sans, Comic Sans MS, cursive; font-size: 15px; color:blue;  }
  div {font-family:Comic Sans, Comic Sans MS, cursive; font-size: 15px; color:red;  }
   table, th, td {border: 0px solid black; border-collapse: collapse; background: rgba(248,248,255,0.3);}
</style>
<script type="text/javascript"> 
function display_c(){
var refresh=1000; // Refresh rate in milli seconds
mytime=setTimeout('display_ct()',refresh)
}

function display_ct() {
var strcount
var x = new Date()
document.getElementById('ct').innerHTML = x;


tt=display_c();
 }
</script>
<body onload=display_ct();>
<center><header>Kinder App</header></center>
<center><h1>Kinder App - Login</h1></center>

<center><table border="1" style="width:25%">
	 <tr>
	 	<td><br></td>
	 	<td><br></td>
	 </tr>
	 <tr>
    	<td><center>Username:</center></td>
		<td><form name="myform" action="login_field.php" method="POST">
		<center><input type=text name="user"/></center></td>
	 </tr>
	 <tr>
    	<td><center>Password:</center></td>
		<td><center><input type=password name="pass"/></center></td>
	</tr>
	<tr>
    	<td>
			<center><input type="submit" value="Login"></center></form>
		</td>
		<td>
			<center><form action="Register.php" method="POST">
			<center><input type="submit" value="Register"></center></form></center>
		</td>
	</tr>
	 <tr>
	 	<td><br></td>
	 	<td><br></td>
	 </tr>
</table></center>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<p align="right"><b><span id='ct' ></span></b></p>
<footer><center>Copyright © All Rights Reserved</center></footer>
</body>
</html>

＆＃13;

login_field.php

＆＃13;

<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">

</head>
<style>
 
  div {font-family:Comic Sans, Comic Sans MS, cursive; font-size: 20px; color:red;  }

</style>

<?php
define ("DB_USER", "root"); 
define ("DB_PASSWORD", "");
define ("DB_HOST", "localhost");
define ("DB_NAME", "kp2admin");

$dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

$userName=$_POST["user"];
$password=$_POST["pass"];

$sql = "SELECT  `Username`, `Password`, Role` FROM `users` WHERE `Password` LIKE '".$password."' ";
$result=mysqli_query($dbc, $sql);

	if($result != $userName && $password && "Administrator"){
	header('Location: http://localhost:81/KinderApp/KinderAppAdmin.html');
	}		
	else if($result != $userName && $password && "User"){
		header('Location: http://localhost:81/KinderApp/KinderAppUser.html');
	}
else{
	echo "<center><div><b>ACCESS DENIED!!!</b></div></center><br><center>Incorrect Login Credentials</center>";
}
mysqli_close($dbc);


?>

</body>
</html>

＆＃13;

修改

更新。我现在正在使用会话，但我现在遇到的问题是登录根本不起作用。每次我尝试登录时，我都会直接进入“拒绝访问”页面。

已编辑login_field.php

＆＃13;

<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">

</head>
<style>

  body {background-size: 14400px 900px;}
  div {font-family:Comic Sans, Comic Sans MS, cursive; font-size: 70px; color:red;  }
  p {vertical-align:center; horizontal-align:center;}

</style>

<?php
define ("DB_USER", "root"); 
define ("DB_PASSWORD", "");
define ("DB_HOST", "localhost");
define ("DB_NAME", "kp2admin");

$dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

$userName=$_POST["user"];
$password=$_POST["pass"];

        
$password = md5($password);
        
$isAdmin = mysqli_query($dbc, "SELECT Username FROM users WHERE Username='".$userName."' AND Password='".$password."' AND Role = 'Administrator'") or die(mysqli_error());        
$loginAdmin = mysqli_num_rows($isAdmin);

$isUser = mysqli_query($dbc, "SELECT Username FROM users WHERE Username='".$userName."' AND Password='".$password."' AND Role = 'User'" ) or die(mysqli_error());
$loginUser = mysqli_num_rows($isUser);

$login=0;

        if($loginAdmin == 1){
                session_start();
                $_SESSION['Username'] = $userName;
                header("Location: http://localhost:81/KinderApp/KinderAppAdmin.html");
        }
        
        else if($loginUser == 1){
                session_start();
                $_SESSION['Username'] = $userName;
                header("Location: http://localhost:81/KinderApp/KinderAppUser.html");
        }
        
        else if($login == 0){
               echo "<center><p><div><b>ACCESS DENIED!!!</b></div></center><br><center>Incorrect Login Credentials</p></center>";
			   echo "<form action='Login.php' method='POST'><center><input type='submit' value='Back'></center></form>"; 
        }


mysqli_close($dbc);


?>

</body>
</html>

＆＃13;

Answer 1

<?php
# Define connection (PDO//MYSQL)
define('DB_TYPE', 'mysql');
define('DB_HOST', 'localhost');
define('DB_NAME', 'db_name');
define('DB_USER', 'user');
define('DB_PASS', 'pass');

$db = new PDO(DB_TYPE . ':host=' . DB_HOST . ';dbname=' . DB_NAME, DB_USER, DB_PASS, $options);

# Set up variables for use. Look up bcrypt as plaintext passwords = BIG NO NO
$userName=$_POST["user"];
$password=$_POST["pass"];

# Set up SQL query. You weren't using `username` in your where clause
# Binding variables ($query->bindValue) means the query treats them as a string
# and *shouldn't* execute any malicious SQL code supplied by a user
$sql = "SELECT  `Username`, `Password`, `Role` FROM `users` WHERE `Username` = :user AND `Password` = :pass";
$query = $db->prepare($sql);
$query->bindValue(':user', $userName);
$query->bindValue(':password', $password);
$query->execute();

# Checks if a valid result is returned. This is basic - there are better ways to do it
# but this is a good start
if ($result = $query->fetch(PDO::FETCH_OBJ)) {
    # Object attributes are accessed as $result->field_name, this checks if it's "administrator"
    if ($result->Role == "Administrator") {
    header('Location: http://localhost:81/KinderApp/KinderAppAdmin.php');
    } elseif ($result->Role == "User") {
    header('Location: http://localhost:81/KinderApp/KinderAppUser.php');
    }
}
# Behaviour for failed login
else {
echo "<center><div><b>ACCESS DENIED!!!</b></div></center><br><center>Incorrect Login Credentials</center>";
}


?>

PDO将阻止（大多数）SQL注入与绑定变量一起使用。这种方式更加安全。此外，您还没有加密密码（为此搜索bcrypt）。

您should also be using sessions to set user data并使用此功能对受限制区域进行身份验证，因为用户只需直接访问您的其他某个网页，而无需通过登录过程。

Answer 2

$sql = "SELECT  `Username`, `Password`, Role` FROM `users` WHERE `Password` LIKE '".$password."' ";

请尝试以下

$sql = "SELECT  `Username`, `Password`, Role` FROM `users` WHERE `Password` ='".$password."' AND Username='".$userName."' ";
$result=mysqli_query($dbc, $sql);
$data=mysqli_fetch_array($result,MYSQLI_ASSOC);
if($data['Role'] ==  "Administrator"){
header('Location: http://localhost:81/KinderApp/KinderAppAdmin.html');
}       
else if($data['Role'] ==  "User"){
    header('Location: http://localhost:81/KinderApp/KinderAppUser.html');
}

PHP登录页面无法正常工作

2 个答案: