session_start(); // resume (or create) the session that will hold the logged-in user's identifier
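/**
 * Normalise a single form field for safe echoing back into HTML.
 *
 * Trims surrounding whitespace, removes backslash escaping and HTML-encodes
 * the result. The flags are passed explicitly so the treatment of quotes does
 * not depend on the PHP version's default (ENT_COMPAT before 8.1, ENT_QUOTES
 * since). This is output escaping, not SQL escaping: a value run through this
 * function is still not safe to interpolate into a query.
 *
 * @param mixed $data raw request value; arrays and other non-scalars yield ''
 * @return string the trimmed, HTML-encoded value
 */
function test_input($data)
{
    // $_POST values can be arrays (field[]=...); trim() on one would throw.
    if (!is_scalar($data)) {
        return '';
    }
    $data = trim((string) $data);
    $data = stripslashes($data);

    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}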
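if (isset($_POST['Submit'])) {
    // test_input() HTML-encodes its argument. That is harmless for the
    // username and ID number, but it also rewrites & < > " ' in the password
    // before it is compared — assumes the stored password went through the
    // same function when it was saved; verify against the registration code.
    $username = test_input($_POST['Username'] ?? '');
    $password = test_input($_POST['Password'] ?? '');
    $IDNumber = test_input($_POST['IDNumber'] ?? '');

    // Redirect target; stays null when no login branch applies, in which
    // case the rest of the page renders as before.
    $location = null;

    // Runs a one-placeholder prepared statement and returns the first
    // matching row as [identifier, password], or null when nothing matches
    // or the statement fails. The value is bound, never spliced into SQL.
    $lookup = static function (mysqli $con, string $sql, string $value): ?array {
        $stmt = mysqli_prepare($con, $sql);
        if ($stmt === false) {
            return null;
        }
        mysqli_stmt_bind_param($stmt, 's', $value);
        $row = null;
        if (mysqli_stmt_execute($stmt)) {
            mysqli_stmt_bind_result($stmt, $dbId, $dbPassword);
            if (mysqli_stmt_fetch($stmt)) {
                $row = [$dbId, (string) $dbPassword];
            }
        }
        mysqli_stmt_close($stmt);

        return $row;
    };

    if ($username && $password) {
        $con = mysqli_connect('localhost', 'root', '', 'enrollmentsystem');
        $row = $lookup($con, 'SELECT Username, Password FROM admin WHERE Username = ?', $username);
        if ($row === null) {
            $location = 'IncorrectUsername.html';
        } elseif (hash_equals($row[1], $password)) {
            // hash_equals(): strict and constant-time, unlike == which
            // compares numeric-looking strings as numbers. The stored value
            // is still plaintext; password_hash()/password_verify() should
            // replace this comparison once the column is migrated.
            session_regenerate_id(true); // new session id on privilege change
            $_SESSION['Username'] = $row[0];
            $location = 'SecondForm.php';
        } else {
            $location = 'IncorrectPassword.html';
        }
        mysqli_close($con);
    } elseif ($IDNumber && $password) {
        $con = mysqli_connect('localhost', 'root', '', 'enrollmentsystem');
        // The original query used IDNumber unquoted, i.e. as a number, so
        // refuse anything that is not a plain run of digits before it reaches
        // the database.
        $row = ctype_digit($IDNumber)
            ? $lookup($con, 'SELECT IDNumber, Password FROM studentpersonalinformation WHERE IDNumber = ?', $IDNumber)
            : null;
        if ($row === null) {
            $location = 'IncorrectUsername.html';
        } elseif (hash_equals($row[1], $password)) {
            session_regenerate_id(true); // new session id on privilege change
            $_SESSION['IDNumber'] = $row[0];
            $location = 'LoginAndView.php';
        } else {
            $location = 'IncorrectPassword.html';
        }
        mysqli_close($con);
    }

    // Every redirect is followed by exit so the page body below never runs
    // for a rejected login (the original fell through after header()).
    if ($location !== null) {
        header("Location: {$location}");
        exit;
    }
}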
尝试将脚本分解为可重复使用的部分,如下所示:
/functions/myfunctions.php
<?php
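/**
 * Trim, unescape and HTML-encode a single request value.
 *
 * Flags are explicit so quote handling does not vary with the PHP default
 * (ENT_COMPAT before 8.1, ENT_QUOTES since). This is output escaping only;
 * it does not make a value safe to interpolate into SQL.
 *
 * @param mixed $data request value; non-scalars (arrays, null) yield ''
 * @return string
 */
function sanitize($data = false)
{
    // $_POST values can be arrays (field[]=...); trim() on one would throw.
    if (!is_scalar($data)) {
        return '';
    }

    return htmlspecialchars(stripslashes(trim((string) $data)), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}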
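/**
 * Run a lookup and return the matching row's stored password.
 *
 * When $params is given the query runs as a prepared statement with every
 * value bound as a string, so callers can hand over user input without
 * building it into $sql. The password is returned only when exactly one row
 * matches; any other outcome (no row, several rows, failed query) is false.
 *
 * @param mysqli       $con
 * @param string       $sql    query with one `?` placeholder per entry of $params
 * @param list<scalar> $params values to bind, in placeholder order
 * @return string|false
 */
function fetchUser($con, $sql, array $params = [])
{
    if ($params === []) {
        $query = mysqli_query($con, $sql);
    } else {
        $stmt = mysqli_prepare($con, $sql);
        if ($stmt === false) {
            return false;
        }
        mysqli_stmt_bind_param($stmt, str_repeat('s', count($params)), ...$params);
        $query = mysqli_stmt_execute($stmt) ? mysqli_stmt_get_result($stmt) : false;
    }
    // A failed query yields false instead of a result set under mysqli's
    // non-throwing error modes; treat that as "no user" rather than passing
    // false on to mysqli_num_rows().
    if ($query === false || mysqli_num_rows($query) !== 1) {
        return false;
    }
    $row = mysqli_fetch_assoc($query);

    return isset($row['Password']) ? (string) $row['Password'] : false;
}

/**
 * Stored password of the admin account named $username, or false when
 * there is not exactly one such row. The name is bound, never interpolated.
 *
 * @return string|false
 */
function is_admin($con, $username)
{
    return fetchUser($con, 'SELECT * FROM `admin` WHERE `Username` = ?', [$username]);
}

/**
 * Stored password of the student whose IDNumber is $username, or false when
 * there is not exactly one such row. The value is bound, never interpolated.
 *
 * @return string|false
 */
function is_student($con, $username)
{
    return fetchUser($con, 'SELECT * FROM `studentpersonalinformation` WHERE `IDNumber` = ?', [$username]);
}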
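/**
 * Resolve which kind of account a login attempt refers to.
 *
 * A non-empty username is looked up in the admin table; otherwise a
 * non-empty ID number is looked up in the student table (the two are never
 * both tried). The returned object has `role` = 'a' (admin), 's' (student)
 * or false, and `password` = the stored password for that account, or false.
 *
 * @param mysqli      $con
 * @param array|false $settings keys 'username' and/or 'idnumber'
 * @return object{role: 'a'|'s'|false, password: string|false}
 */
function get_user_role($con, $settings = false)
{
    $settings = is_array($settings) ? $settings : [];
    $username = !empty($settings['username']) ? $settings['username'] : false;
    $idNumber = !empty($settings['idnumber']) ? $settings['idnumber'] : false;

    $user = ['role' => false, 'password' => false];

    if ($username !== false) {
        $stored = is_admin($con, $username);
        $role = 'a';
    } elseif ($idNumber !== false) {
        $stored = is_student($con, $idNumber);
        $role = 's';
    } else {
        // Neither credential supplied: skip the lookup entirely (the original
        // issued a query with an empty literal here, which could only fail).
        return (object) $user;
    }

    // Compare with !== false rather than truthiness: a stored password of
    // "0" is a valid (if weak) value and must not be reported as "no user".
    if ($stored !== false) {
        $user['role'] = $role;
        $user['password'] = $stored;
    }

    return (object) $user;
}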
login.php(或任何命名的页面)
<?php
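session_start();
if (isset($_POST['Submit'])) {
    // Include the functions above
    include_once(__DIR__ . '/functions/myfunctions.php');

    // Redirect target; only a successful login changes it.
    $header = 'IncorrectPassword.html';

    // Sanitize credentials. sanitize() HTML-encodes, so a password containing
    // & < > " ' is altered before comparison — assumes the stored value was
    // written through the same function; verify against the registration code.
    $username = !empty($_POST['Username']) ? sanitize($_POST['Username']) : false;
    $password = !empty($_POST['Password']) ? sanitize($_POST['Password']) : false;
    // The ID number ends up unquoted in SQL, so admit only a plain integer;
    // is_numeric() would also accept forms such as '1e3' or '12.0'.
    $IDNumber = filter_var($_POST['IDNumber'] ?? '', FILTER_VALIDATE_INT);

    // Assign connection
    $con = mysqli_connect('localhost', 'root', '', 'enrollmentsystem');

    // Try and get user role + password
    $user = get_user_role($con, ['username' => $username, 'idnumber' => $IDNumber]);

    // Compare only when a role was found and a password was actually posted.
    // hash_equals() is strict and constant-time; `==` treated a missing
    // password (false) as equal to an empty stored password and compared
    // numeric-looking strings numerically.
    // NOTE: passwords are still stored in plaintext here; move to
    // password_hash()/password_verify().
    if (!empty($user->role) && $password !== false
        && hash_equals((string) $user->password, $password)
    ) {
        // New session id once the privilege level changes.
        session_regenerate_id(true);
        // Set the unused identifier to false so later pages need not check
        // whether it exists.
        if ($user->role === 'a') {
            $_SESSION['Username'] = $username;
            $_SESSION['IDNumber'] = false;
            $header = 'SecondForm.php';
        } else {
            $_SESSION['Username'] = false;
            $_SESSION['IDNumber'] = $IDNumber;
            $header = 'LoginAndView.php';
        }
    }

    // Close before redirect
    // (mysqli will close by default unless you persist the connection manually)
    mysqli_close($con);

    // Redirect
    header("Location: {$header}");
    exit;
}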