早上好
我一直在做这个电子商务网站,其中一个要求是实现不同的SESSION,只授予授权用户访问安全区域的权限,例如,只有管理员才能访问管理区域.
虽然身份验证有效,但现阶段似乎只实现了用户SESSION,这是authentication.php页面的代码:
<?php
//start session management
session_start();
//connect to the database
require('connection.php');
//retrieve the functions
require('../model/functions_members.php');
//retrieve the username and password entered into the form
$username = $_POST['username'];
$password = $_POST['password'];
$stmt = $conn->query("SELECT LAST_INSERT_ID()");
$lastId = $stmt->fetchColumn();
$userID = $lastId;
//call the retrieve_salt() function
$result = retrieve_salt($username);
//retrieve the random salt from the database
$salt = $result['salt'];
//generate the hashed password with the salt value
$password = hash('sha256', $password.$salt);
//call the login() function
$count = login($username, $password);
//query the database
$sql = "SELECT userType FROM sport_cars.user WHERE userID = '.$userID.'";
//prepared statement
$statement = $conn->prepare($sql);
$statement->execute();
$result = $statement->fetchAll();
$statement->closeCursor();
foreach ($result as $row) :
$userType = $row['userType'];
endforeach;
//if there is one matching record
if($count == 1 && $userType = 'User')
{
//start the user session to allow authorised access to secured web pages
$_SESSION['user'] = $user;
//if login is successful, create a success message to display on the products page
$_SESSION['success'] = 'Hello ' . $username . '. Have a great day!';
//redirect to products.php
header('location:../index.php');
}
elseif($count == 1 && $userType = 'Admin')
{
//start the admin session to allow authorised access to secured web pages
$_SESSION['admin'] = $admin;
//if login is successful, create a success message to display on the products page
$_SESSION['success'] = 'Hello ' . $username . '. Have a good day!';
//redirect to products.php
header('location:../index.php');
}
elseif($count == 1 && $userType = 'Disabled')
{
//start the disabled session to allow authorised access to secured web pages
$_SESSION['disabled'] = $disabled;
//if login is successful, create a success message to display on the products page
$_SESSION['success'] = 'Hello ' . $username . '. Have a great day!';
//redirect to products.php
header('location:../index.php');
}
else
{
//if login not successful, create an error message to display on the login page
$_SESSION['error'] = 'Incorrect username or password. Please try again.';
//redirect to login.php
header('location:../members.php');
}
?>
在将第二部分代码注释掉以进行调试后,我注意到以下错误:Error within authentication.php
这部分代码是我用来确保管理员是唯一能够访问管理员页面的用户:
<?php
require_once("controller/connection.php");
if( isset($_SESSION['admin'])) {
// grant access
} else {
//redirect
header('location:members.php');
}
?>
如果有帮助,这是 function_members.php 的代码:
<?php
//create a function to retrieve salt
function retrieve_salt($username)
{
global $conn;
$sql = "SELECT * FROM games_hub.user WHERE username = :username";
$statement = $conn->prepare($sql);
$statement->bindValue(':username', $username);
$statement->execute();
$result = $statement->fetch();
$statement->closeCursor();
return $result;
}
//create a function to login
function login($username, $password)
{
global $conn;
$sql = "SELECT * FROM games_hub.user WHERE username = :username AND password = :password ";
$statement = $conn->prepare($sql);
$statement->bindValue(':username', $username);
$statement->bindValue(':password', $password);
$statement->execute();
$result = $statement->fetchAll();
$statement->closeCursor();
$count = $statement->rowCount();
return $count;
}
?>
<!-- create a function to add a new user -->
<?php
function add_user($username, $password, $salt, $first_name, $last_name, $email)
{
global $conn;
$sql = "INSERT INTO games_hub.user (username, password, salt, first_name, last_name, email) VALUES (:username, :password, :salt, :first_name, :last_name, :email)";
$statement = $conn->prepare($sql);
$statement->bindValue(':username', $username);
$statement->bindValue(':password', $password);
$statement->bindValue(':salt', $salt);
$statement->bindValue(':first_name', $first_name);
$statement->bindValue(':last_name', $last_name);
$statement->bindValue(':email', $email);
$result = $statement->execute();
$statement->closeCursor();
return $result;
}
?>
提前感谢您的帮助,这几天我一直在努力实现这一目标。