检查管理员是否与PHP

时间:2015-03-24 17:30:29

标签: php mysqli

我有一个数据库表,其中包含用户的用户名,密码和其他信息,以及是否和管理员。它当前设置为Char,其中A代表admin,U代表普通用户。

我有以下代码检查用户是否存在:

<?php
session_start(); // Starting Session
include_once('config.php');

$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {
if (empty($_POST['user']) || empty($_POST['pass'])) {
$error = "Please complete both fields";
}
else
{
// Define $username and $password
$user=$_POST['user'];
$_SESSION['login_user']=$user;
$pass=md5($_POST['pass']);
// To protect MySQL injection for Security purpose
$user = stripslashes($user);
$pass = stripslashes($pass);
$user = mysqli_real_escape_string($mysqli, $user);
$pass = mysqli_real_escape_string($mysqli, $pass);
// SQL query to fetch information of registered users and finds user match.
$result = mysqli_query($mysqli, "SELECT * FROM users WHERE Username='$user' AND Password='$pass'");
if(mysqli_num_rows($result) == 1) {
header("Location: home.php");
} else {
$error = "Username or Password is invalid";
}
mysqli_close($mysqli); // Closing mysqlinection
}
}
?>

<!doctype html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="style/style.css"> 
<script type="text/javascript" src="//code.jquery.com/jquery-2.1.3.min.js"></script>
<title>Login</title>

</head>
<body>

<div id = "logReg">
<span href="#" class="button" id="toggle-login">Log in</span> 
</div>

<div id="login">
  <div id="triangle"></div>
  <h1>Log in</h1>
  <form action = "" id = "logregform" method = "POST">
    <p id = "err"> <?php if(isset($error)) {echo $error;} ?> </p>
    <input id = "logtxt" type="text" placeholder="Username" name = "user" required/>
    <input type="password" placeholder="Password" name = "pass" required/>
    <input type="submit" value="Log in" name = "submit" />
    <br>
    <br>
    <p id ="bklg">Dont have an account? <a href="register.php">Sign up</a></p> 
  </form>
</div>

</html>

我如何检查Account_Type是否为A,如果是这样,将用户引导到另一个页面而不是普通的home.php页面?

编辑: 它工作正常,但管理员不会登录。 我给它测试用户名为456,密码为456,当我将它们输入两个文本框时没有任何反应,屏幕只是刷新并且我回到了登录页面:

以下新代码:

      <?php
session_start(); // Starting Session
include_once('config.php');

$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {
if (empty($_POST['user']) || empty($_POST['pass'])) {
$error = "Please complete both fields";
}
else
{
// Define $username and $password
$user=$_POST['user'];
$pass=md5($_POST['pass']);
// To protect MySQL injection for Security purpose
$user = stripslashes($user);
$pass = stripslashes($pass);
$user = mysqli_real_escape_string($mysqli, $user);
$pass = mysqli_real_escape_string($mysqli, $pass);
// SQL query to fetch information of registered users and finds user match.
$result = mysqli_query($mysqli, "SELECT * FROM users WHERE Username='$user' AND Password='$pass'");
if ($row = mysqli_fetch_array($result)) {
    //set the session variables
    $_SESSION['Username'] = $row['Username'];
    $_SESSION['Account_Type'] = $row['Account_Type'];

    if ($row['Account_Type'] === 'A')  {
        header ("location: adminHome.php");
        exit;
    } else {
        header ("location: home.php");
        exit;
    }
} else {
    $error = "Username or Password is invalid";
}
mysqli_close($mysqli); // Closing mysqlinection
}
}
?>

<!doctype html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="style/style.css"> 
<script type="text/javascript" src="//code.jquery.com/jquery-2.1.3.min.js"></script>
<title>Login</title>

</head>
<body>

<div id = "logReg">
<span href="#" class="button" id="toggle-login">Log in</span> 
</div>

<div id="login">
  <div id="triangle"></div>
  <h1>Log in</h1>
  <form action = "" id = "logregform" method = "POST">
    <p id = "err"> <?php if(isset($error)) {echo $error;} ?> </p>
    <input id = "logtxt" type="text" placeholder="Username" name = "user" required/>
    <input type="password" placeholder="Password" name = "pass" required/>
    <input type="submit" value="Log in" name = "submit" />
    <br>
    <br>
    <p id ="bklg">Dont have an account? <a href="register.php">Sign up</a></p> 
  </form>
</div>
<script>

$('#toggle-login').click(function(){
  $('#login').slideToggle('fast'); 
});
</script>
</html>

2 个答案:

答案 0 :(得分:0)

$row = mysqli_fetch_array($result);
if ($row['Account_Type'] === 'A')  {

} elseif ($row['Account_Type'] === 'U') {

} else {

}

答案 1 :(得分:0)

你这是错误的方式。要求用户进行身份验证的每个页面都应该在用户进行身份验证时以及在什么级别进行检查。这样做的方法是使用会话。

现在,您甚至在检查用户/密码组合是否正确之前设置会话变量,这样您就可以有效地登录任何输入用户名的人。

只有在成功登录后才需要将变量存储在会话中,如上所述,您需要从结果集中获取一行以获取用户信息:

// Personally I would use a prepared statement here
$result = mysqli_query($mysqli, "SELECT * FROM users WHERE Username='$user' AND Password='$pass'");
if ($row = mysqli_fetch_array($result)) {
    // Now you can set the session variables
    $_SESSION['Username'] = $row['Username'];
    $_SESSION['Account_Type'] = $row['Account_Type'];
    // Add any additional user information to the session that you might need later on

    if ($row['Account_Type'] === 'A')  {
        header ("location: adminHome.php");
        exit;
    } else {
        header ("location: home.php");
        exit;
    }
} else {
    $error = "Username or Password is invalid";
}

现在,在需要用户的每个页面中,您都可以:

session_start();
if (isset($_SESSION['Username']))
{
  // valid user, additional checks for user type?
}
else
{
  // not a valid / logged in user
}

注意:

相关问题
最新问题