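Restricting access to admin pages via sessions

Time: 2017-01-03 22:02:40

Tags: php mysql session mysqli

I have been trying to block access to the admin pages using PHP. The PHP is below, but I can't figure out which combination of statements I need to use for it to be selected.

When I dump the session, it is always null, but the email session is there. This is a simple login that takes an email and a password. I basically want it to also get their permission from the DB.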

<?php
session_start();
include ('../config/config.php');

 /* basic field validation */
$email = trim($_POST["email"]);
$password = trim ($_POST["password"]);

/* check if details are empty, redirect if they are */
if (empty($email) or empty($password)) {
    $_SESSION["message"] = "You must enter your email and password";
    //Redirect to index
    header("Location: ../index.php");
    exit;
}
/* sanitise the input */
$email = strip_tags($email);
$password = strip_tags($password);

 /* SQL user selection query, with error handling for the SQL */
$query = "SELECT email, permission FROM users WHERE email = '$email' AND password = '$password'";
$result = mysqli_query($mysqli, $query) or exit("Error in query: $query. " . mysqli_error($mysqli));

/* on query success, set sessions for email and userid */
if ($row = mysqli_fetch_assoc($result)) {
    $_SESSION["authemail"] = $email;
    $_SESSION["permission"] = $permission;
    /* redirect the user to the secured page */
    header("Location: ../loggedin.php");
} else {
    /* display error if login was not successful and redirect to index */
    $_SESSION["message"] = "Could not log in as $email - $query";
    header("Location: ../index.php");
}
?>

Feel free to edit some of the text if it is not relevant.
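
An added example, not part of the original question and not the asker's code: a login handler that stores the `permission` column from the fetched row in the session, binds the email as a query parameter instead of interpolating it, and gates the admin page on the stored value. It assumes the `password` column holds `password_hash()` output and that administrators carry the permission value `'admin'`; the function names are hypothetical.

```php
<?php
// Added example. Assumptions: users.password stores password_hash() output,
// users.permission is a string, and 'admin' is the administrator value.

function authenticate(mysqli $db, string $email, string $password): ?array
{
    // The email is passed as a bound parameter, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT email, password, permission FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($dbEmail, $hash, $permission);
    $found = $stmt->fetch();   // true = row fetched, null = no row, false = error
    $stmt->close();

    // Compare the submitted password against the stored hash in PHP, not in SQL.
    if ($found !== true || !password_verify($password, $hash)) {
        return null;
    }
    return ['email' => $dbEmail, 'permission' => $permission];
}

function login(mysqli $db, string $email, string $password): bool
{
    $user = authenticate($db, $email, $password);
    if ($user === null) {
        // Generic message: no query text or account detail is echoed back.
        $_SESSION['message'] = 'Could not log in';
        return false;
    }
    session_regenerate_id(true);                     // fresh session id after login
    $_SESSION['authemail']  = $user['email'];
    $_SESSION['permission'] = $user['permission'];   // taken from the fetched row
    return true;
}

// Call at the very top of each admin page, e.g. require_permission('admin');
function require_permission(string $needed): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Strict comparison: a missing or different permission is redirected away.
    if (($_SESSION['permission'] ?? null) !== $needed) {
        header('Location: ../index.php');
        exit;
    }
}
```

The login script would call `session_start()`, include the page's `config.php` for `$mysqli`, and then call `login($mysqli, $email, $password)` before redirecting.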

0 answers:

No answers