Logging in multiple user types through a single login page

Time: 2017-08-17 05:47:50

Tags: php mysqli

I am working on PHP and MySQL code that uses one login page to send users to different pages depending on their role.

It works fine for the 'admin' page, but logging in as the 'normal' type does not work.

Any small help is much appreciated, thanks.

Here is my code:

<?php

session_start();

include 'dbcon.php';

if ($_SERVER["REQUEST_METHOD"] == "POST") {

    $username = $_POST['username'];
    $password = $_POST['password'];

    $query = "SELECT * FROM wp_users WHERE user_login = '$username' AND user_pass = '$password'";

    $result = mysqli_query($con, $query);

    $row = mysqli_fetch_assoc($result);

    $count = mysqli_num_rows($result);

    if ($count == 1) {

        if ($row['user_type'] == 'admin')
        {
            header('Location: user_registration.php');
            $_SESSION['ID'] = $row['ID'];
            $_SESSION['user_login'] = $row['user_login'];
            $_SESSION['password'] = $row['user_pass'];
        }

        elseif ($row['user_type'] = 'normal')
        {
            header('Location: index.php');
        }

        else
        {
            echo "WRONG USERNAME OR PASSWORD";
        }
    }

}
?>

3 answers:

Answer 0 (score: 0)

Move the session code after the condition, then redirect. Also, is there any particular reason to store the password in the session? The == is missing.

Use proper filters on the input.

if ($count == 1) {
    if (!empty($row['user_type'])) {
        $_SESSION['ID'] = $row['ID'];
        $_SESSION['user_login'] = $row['user_login'];
        //$_SESSION['password'] = $row['user_pass'];
    }
    if ($row['user_type'] == 'admin')
    {
        header('Location: user_registration.php');
    }

    elseif ($row['user_type'] == 'normal')
    {
        header('Location: index.php');
    }

    else
    {
        echo "WRONG USERNAME OR PASSWORD";
    }
}

Answer 1 (score: 0)

The logic test for the normal user uses a single = sign, which assigns a value instead of testing for equality - it must be ==

Also, I think WRONG USERNAME OR PASSWORD is at the wrong level - it needs to be the else of the record count

<?php

    session_start();

    include 'dbcon.php';

    if($_SERVER["REQUEST_METHOD"] == "POST") {

        $username = $_POST['username'];
        $password = $_POST['password'];

        $query = "SELECT * FROM wp_users WHERE user_login = '$username' AND user_pass = '$password'";
        $result = mysqli_query($con,$query);
        $row = mysqli_fetch_assoc($result);
        $count=mysqli_num_rows($result);
        if ($count == 1) {
            if($row['user_type'] == 'admin') {
                header('Location: user_registration.php');
                $_SESSION['ID'] = $row['ID'];
                $_SESSION['user_login'] = $row['user_login'];
                $_SESSION['password'] = $row['user_pass'];
            /* require `==` here */
            } elseif( $row['user_type'] == 'normal' ) {
                header('Location: index.php');
            } else { 
                die('unknown/unhandled user level');
            }
        /* changed location of this by one level */
        } else {
            echo "WRONG USERNAME OR PASSWORD";
        }
    }
?>
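The two fixes above (== instead of =, and the error message on the record-count else) leave the SQL string interpolation and the plaintext password comparison in place. As an added example that is not part of the question or any answer, here is the same login rewritten with a prepared statement, password_verify(), the session populated before the redirect, and a role whitelist. It assumes the same wp_users table (ID, user_login, user_pass, user_type), a mysqli connection $con from dbcon.php, and that user_pass holds password_hash() output.

```php
<?php
// Added example (not from the question or any answer): hardened form of the login.
// Assumption: $con is a mysqli connection provided by dbcon.php and user_pass
// stores password_hash() output rather than a plaintext password.
session_start();
include 'dbcon.php';

// Allowed roles and their landing pages; any other user_type is rejected.
$landing = [
    'admin'  => 'user_registration.php',
    'normal' => 'index.php',
];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    // Prepared statement: the username is bound as data, never spliced into SQL.
    $stmt = mysqli_prepare(
        $con,
        'SELECT ID, user_login, user_pass, user_type FROM wp_users WHERE user_login = ? LIMIT 1'
    );
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));

    // Verify the submitted password against the stored hash; check the role
    // against the whitelist so an unexpected user_type cannot log in anywhere.
    if ($row
        && password_verify($password, $row['user_pass'])
        && isset($landing[$row['user_type']])) {
        session_regenerate_id(true);               // fresh session id after authentication
        $_SESSION['ID']         = $row['ID'];
        $_SESSION['user_login'] = $row['user_login'];
        $_SESSION['user_type']  = $row['user_type']; // store the role, never the password
        header('Location: ' . $landing[$row['user_type']]);
        exit;                                      // nothing below must run after the redirect
    }

    // One generic message for unknown user, wrong password and unknown role.
    echo 'WRONG USERNAME OR PASSWORD';
}
```

Each protected page should then check $_SESSION['user_type'] itself rather than trusting the redirect, since a user can request user_registration.php directly.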

Answer 2 (score: 0)

Here is a login function.

It assumes the password arrives from the user already hashed with sha512 (see JS libs such as https://github.com/emn178/js-sha512) - that is useful over non-encrypted connections.

It uses a salt and has some protection against brute force, CSRF, XSS and SQL injection.

static public function db_login($email, $p)
{
    if ($stmt = Site::$db->prepare(
        "SELECT id, password, salt, name
         FROM user
         JOIN contact ON contact_id = id
         WHERE email = ?
         LIMIT 1")
    ) {
        $stmt->bind_param('s', $email);
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($user_id, $db_password, $salt, $name);
        $stmt->fetch();

        // hash the password with the unique salt
        $p = hash('sha512', $p . $salt);
        if ($stmt->num_rows == 1) {
            // If the user exists we check if the account is locked
            // from too many login attempts
            if (self::checkBrute($user_id) == true) {
                // Account is locked
                $res['code'] = 0;
                $res['reason'] = 'trylimit';
                $res['message'] = 'You try too many times. Come back on 30 minutes';
                return $res;
            } else {
                // Check if the password in the database matches
                // the password the user submitted. hash_equals() compares in
                // constant time and avoids PHP's loose == on numeric-looking strings.
                if (hash_equals($db_password, $p)) {
                    // Password is correct!
                    // Get the user-agent string of the user.

                    // CSRF
                    $user_browser = filter_input(INPUT_SERVER, 'HTTP_USER_AGENT', FILTER_SANITIZE_SPECIAL_CHARS);

                    // XSS protection as we might print this value
                    $user_id = preg_replace("/[^0-9]+/", "", $user_id);

                    Login::sec_session_start();
                    $_SESSION['user_id'] = $user_id;
                    $_SESSION['email'] = htmlspecialchars($email);
                    $_SESSION['name'] = htmlspecialchars($name);
                    $_SESSION['token'] = md5(uniqid(rand(), TRUE));
                    $_SESSION['login_string'] = hash('sha512', $p . $user_browser);
                    session_write_close();

                    // Login successful
                    $res['isLogined'] = 1;
                    $res['code'] = 1;
                    $res['name'] = $name;
                    $res['id'] = $user_id;
                    return $res;
                } else {
                    // Password is not correct
                    // We record this attempt in the database
                    $now = time();
                    Site::$db->query("INSERT INTO login_attempts(user_id, time) VALUES ('$user_id', '$now')");
                    $res['code'] = 0;
                    $res['reason'] = 'pass';
                    $res['message'] = 'Wrong password';
                    return $res;
                }
            }
        } else {
            // No user exists.
            $res['code'] = 0;
            $res['reason'] = 'user';
            $res['message'] = 'We have no such email';
            return $res;
        }
    }
    $res['code'] = 0;
    $res['reason'] = 'SQL-error';
    return $res;
}