Page restrictions for regular users and administrators

Time: 2019-07-01 14:31:31

Tags: php html

OK, so on the small site I use for practice I created some pages that store data from tables in a database, and I have regular users and administrators. I created the admin via SQL, and regular users can be created through the registration form on the site. What I want to do, as I said, is this: I have a page that stores data from a table, and I want regular users to be unable to see that page while administrators can see it. I just want to add those restrictions. But I don't know where to start with the code, so I'll post here the code I think you'll need to help me; if you need anything more, I'm here!

login.php:

```php
<?php include('functions.php'); // opens $db, starts the session and handles login_btn ?>
<!DOCTYPE html>
<html>
<head>
<title>Prijavi se</title>
<link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
<!-- UI strings are Serbian: Prijavi se = Log in, Korisnicko ime = Username,
     Lozinka = Password, Jos uvek nemate nalog? = Don't have an account yet? -->

<div class="header">
    <h2>Prijavi se</h2>
</div>

<form method="post" action="login.php">

    <?php echo display_error(); ?>

    <div class="input-group">
        <label>Korisnicko ime</label>
        <input type="text" name="username" >
    </div>
    <div class="input-group">
        <label>Lozinka</label>
        <input type="password" name="password">
    </div>
    <div class="input-group">
        <button type="submit" class="btn" name="login_btn">Prijavi se</button>
    </div>
    <p>
        Jos uvek nemate nalog? <a href="register.php">Registruj se</a>
    </p>
</form>

</body>
</html>
```

functions.php:

```php
<?php
// The session must be started before any $_SESSION access and before any output.
session_start();

$db = mysqli_connect('localhost', 'root', '', 'it210projekat');

$username = "";
$email    = "";
$errors   = array();

// Dispatch on which form button was submitted.
if (isset($_POST['register_btn'])) {
    register();
}

if (isset($_POST['login_btn'])) {
    login();
}

if (isset($_GET['logout'])) {
    session_destroy();
    unset($_SESSION['user']);
    header("location: ../login.php");
    exit; // stop here; otherwise the page that requested the logout keeps rendering
}

function register(){
    global $db, $errors;

    $username    =  e($_POST['username']);
    $email       =  e($_POST['email']);
    $password_1  =  e($_POST['password_1']);
    $password_2  =  e($_POST['password_2']);

    if (empty($username)) {
        array_push($errors, "Unesite ime");
    }
    if (empty($email)) {
        array_push($errors, "Unesite email");
    }
    if (empty($password_1)) {
        array_push($errors, "Unesite lozinku");
    }
    if ($password_1 != $password_2) {
        array_push($errors, "Lozinke se ne poklapaju");
    }

    if (count($errors) == 0) {
        // md5() is not a password hash; password_hash()/password_verify() should
        // replace it. Kept only because the admin row created by hand via SQL
        // stores an md5 digest and login() below compares against it.
        $password = md5($password_1);

        // Only an already logged-in admin may choose the account type. Without
        // the isAdmin() check anyone could POST user_type=admin to the
        // registration form and create an administrator account.
        if (isset($_POST['user_type']) && isAdmin()) {
            $user_type = e($_POST['user_type']);
            $query = "INSERT INTO users (username, email, user_type, password)
                      VALUES('$username', '$email', '$user_type', '$password')";
            mysqli_query($db, $query);
            $_SESSION['success']  = "Uspesno ste napravili nalog!!";
            header('location: login.php');
            exit;
        }else{
            // Self-registration always produces a regular 'user' account.
            $query = "INSERT INTO users (username, email, user_type, password)
                      VALUES('$username', '$email', 'user', '$password')";
            mysqli_query($db, $query);

            $logged_in_user_id = mysqli_insert_id($db);

            $_SESSION['user'] = getUserById($logged_in_user_id);
            $_SESSION['success']  = "Uspesno ste se prijavili";
            header('location: login.php');
            exit;
        }
    }
}

function getUserById($id){
    global $db;
    // $id comes from mysqli_insert_id(), so it is an integer, not user input.
    $query = "SELECT * FROM users WHERE id=" . (int) $id;
    $result = mysqli_query($db, $query);

    $user = mysqli_fetch_assoc($result);
    return $user;
}

function login(){
    global $db, $username, $errors;

    $username = e($_POST['username']);
    $password = e($_POST['password']);

    if (empty($username)) {
        array_push($errors, "Username is required");
    }
    if (empty($password)) {
        array_push($errors, "Password is required");
    }

    if (count($errors) == 0) {
        $password = md5($password); // see the note in register()

        $query = "SELECT * FROM users WHERE username='$username' AND password='$password' LIMIT 1";
        $results = mysqli_query($db, $query);

        if (mysqli_num_rows($results) == 1) {
            $logged_in_user = mysqli_fetch_assoc($results);

            // Fresh session id on login so a session fixed before
            // authentication cannot be reused afterwards.
            session_regenerate_id(true);

            // The whole users row (including user_type) is kept in the session;
            // isAdmin() below reads the role from here. Admins and regular
            // users currently land on the same page.
            $_SESSION['user'] = $logged_in_user;
            $_SESSION['success']  = "Uspesno ste se prijavili";
            header('location: pocetna.php');
            exit;
        }else {
            array_push($errors, "Pogresno korisnicko ime ili lozinka");
        }
    }
}

function isLoggedIn()
{
    if (isset($_SESSION['user'])) {
        return true;
    }else{
        return false;
    }
}

function isAdmin()
{
    // user_type is stored as lower-case 'admin'; compare strictly.
    if (isset($_SESSION['user']) && $_SESSION['user']['user_type'] === 'admin' ) {
        return true;
    }else{
        return false;
    }
}

// Escapes a value for use inside a single-quoted SQL string literal. This only
// protects quoted string contexts; prepared statements are the safer choice.
function e($val){
    global $db;
    return mysqli_real_escape_string($db, trim($val));
}

function display_error() {
    global $errors;

    if (count($errors) > 0){
        echo '<div class="error">';
            foreach ($errors as $error){
                echo $error .'<br>';
            }
        echo '</div>';
    }
}
```

This is the page where I want to set the restriction for regular users:

```php
<?php if (isset($_SESSION['success'])) : ?>
        <div class="error success" >
            <h3>
                <?php
                    echo $_SESSION['success'];
                    unset($_SESSION['success']);
                ?>
            </h3>
        </div>
    <?php endif ?>

    <div class="profile_info">
        <div>
            <?php  if (isset($_SESSION['user'])) : ?>
                <!-- username came from a form, so HTML-escape it before echoing -->
                <strong><?php echo htmlspecialchars($_SESSION['user']['username']); ?></strong>
            <?php endif ?>
        </div>
    </div>
</div> <!-- closes a wrapper opened above this fragment (not shown) -->
```

1 answer:

Answer 0 (score: 0)

In the functions file you set $_SESSION['user'] to the user's row from the database; that means you only need to check whether $_SESSION['user']['user_type'] is admin.

So, quite simply, on the page you want only admins to see (at the top, just below your functions.php include), do the following:

```php
// user_type is stored as lower-case 'admin' in the users table, so compare
// against that exact value; a missing session must be rejected as well.
if (!isset($_SESSION['user']) || $_SESSION['user']['user_type'] !== 'admin') {
    // could redirect here instead: header('location: pocetna.php'); exit;
    die('This page is not available to non-administrators.');
}
```

I found two other problems in your login/register code.
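The same check, factored into a reusable guard, as an added example that is not part of the question or the answer above. It assumes the session layout the asker's functions.php produces ($_SESSION['user'] holds the `users` row with an `id` and a `user_type` column) and the mysqli handle `$db` that functions.php opens; the file name guard.php, the functions current_user_type(), require_login() and require_admin(), and the hypothetical admin-only page in the usage comment are assumptions, not code from the site.

```php
<?php
// guard.php -- added example, not code from the question or the answer.
// Assumes the asker's session layout: functions.php keeps the whole `users`
// row in $_SESSION['user'] (columns id, username, user_type, ...), and $db is
// the mysqli handle functions.php opens. File and function names are mine.
declare(strict_types=1);

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

/**
 * Re-read the caller's role from the users table instead of trusting the copy
 * cached in the session at login time. With the cached copy, an admin who is
 * demoted keeps admin access until they log out; with this lookup the change
 * takes effect on their next request. Returns null for anonymous visitors and
 * for accounts that no longer exist.
 */
function current_user_type(mysqli $db): ?string
{
    if (!isset($_SESSION['user']['id'])) {
        return null;
    }
    $id = (int) $_SESSION['user']['id'];

    // Prepared statement: the id is bound as an integer, never interpolated.
    $stmt = $db->prepare('SELECT user_type FROM users WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();

    return $row['user_type'] ?? null;
}

/**
 * Anonymous visitors are sent to the login form. The exit is essential:
 * header() only queues a redirect, and without it PHP keeps running and sends
 * the protected page body along with the redirect response.
 */
function require_login(): void
{
    if (!isset($_SESSION['user'])) {
        header('Location: login.php');
        exit;
    }
}

/**
 * Logged-in non-admins get a 403 and nothing else. Strict comparison against
 * the exact stored value: the asker's rows hold lower-case 'admin'.
 */
function require_admin(mysqli $db): void
{
    require_login();
    if (current_user_type($db) !== 'admin') {
        http_response_code(403);
        exit('This page is not available to non-administrators.');
    }
}

// Usage, as the first lines of each admin-only page (before any HTML output);
// the page name is hypothetical:
//
//     <?php                          // tabela.php
//     include 'functions.php';       // opens $db and starts the session
//     include 'guard.php';
//     require_admin($db);            // nothing below this line runs for non-admins
```

The guard has to be included by every restricted page itself; removing the link from the menu for regular users is presentation, not enforcement, because anyone can type the URL. Two related points about the asker's session handling: the session currently stores the entire row, password digest included, where storing only the id (and letting the guard look the role up) keeps secrets out of session storage; and calling session_regenerate_id(true) right after a successful login prevents a session id fixed before authentication from being reused afterwards.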