从查询结果设置会话变量

时间:2011-12-31 22:31:40

标签: php mysql

我一直在修改用户身份验证系统,但我无法为管理员设置会话。 reguser会话设置得很好,但我无法弄清楚为什么admin不会设置。

userlevel为9的用户是管理员。是的,我知道如何防止SQL注入。我只是想让它现在变得简单易读。这可能不会用于任何事情,我只是获得了一些PHP经验。

大家好,谢谢你的帮助!我得到了它的工作。我一直盯着它看,我的思绪不明确。昨天休息了一下,今天又回来了,能在不到5分钟的时间内搞清楚!你们真棒,我喜欢stackoverflow!

function checklogin($email, $pass) {
        $server = 'localhost';
        $user = 'root';
        $password = '';
        $connection = mysql_connect($server, $user, $password) or die(mysql_error());
        mysql_select_db(udogoo, $connection) or die(mysql_error());
        $pass = md5($pass);
        $result = mysql_query("SELECT userid from users WHERE email = '$email' AND password = '$pass'");
        $user_data = mysql_fetch_array($result);
        $no_rows = mysql_num_rows($result);
        if ($no_rows == 1) 
    {
        $_SESSION['reguser'] = true;
        $_SESSION['userid'] = $user_data['userid'];
        $userid = $user_data['userid'];
        $isadmin = mysql_query("SELECT userlevel FROM users WHERE userid = '$userid'");
        $isadmin2 =  mysql_fetch_array($isadmin);
        $isadmin3 = $isadmin2['userlevel'];
        if ($isadmin3 == "9"){
        $_SESSION['admin'] = true;
        return true;
    }
    }
        else
    {
        return FALSE;
    }
}

3 个答案:

答案 0 :(得分:3)

如果用户数据存在,则您有return true;。事实上,如果用户不存在,您只需检查或管理。

删除return true;,因为那里不需要它。如果需要,请在检查用户是否存在后添加else return false;,并在结尾处添加return true;

答案 1 :(得分:3)

你的逻辑也有缺陷,在这里:

function checklogin($email, $pass) 
{
    $server = 'localhost';
    $user = 'root';
    $password = '';
    $connection = mysql_connect($server, $user, $password) or die(mysql_error());
    mysql_select_db(test, $connection) or die(mysql_error());

    $email = mysql_real_escape_string($email);
    $pass = md5($pass);

    $sql = "SELECT `userid`,`userlevel` 
            FROM `users` 
            WHERE `email` = '$email' 
            AND `password` = '$pass' 
            LIMIT 1";  //I certainly hope you check email for injection before passing it here.  Also want the LIMIT 1 on there because you are only expecting a single return, and you should only get one since `email` should be unique since you're using it as a credential, and this will stop it from looking through all the rows for another match once it finds the one that matches.

    $result = mysql_query($sql);

    $user_data = mysql_fetch_array($result);
    $numrows = mysql_num_rows($result);

    if ($numrows == 1) 
    {
        $_SESSION['reguser'] = true;
        $_SESSION['userid'] = $user_data['userid'];

        if($user_data['userlevel'] == 9)
        {
            $_SESSION['admin'] = true;
        }
        else
        {
            $_SESSION['admin'] = false;
        }
        return true;
    }
    return false;
}

这应该有效。当一个人做得很好时,没有充分的理由做两个查询。如果用户已登录,则返回true;如果用户不存在或凭据不匹配,则返回false。

糟糕,SQL语句中的小语法错误已更正。更大的语法错误也得到纠正。

以下是你在PDO中做的最重要的部分:

function checklogin($email, $pass) 
{
    $server = 'localhost';
    $user = 'root';
    $password = '';
    $dbname = 'test';
    $dsn = 'mysql:dbname=' . $dbname . ';host=' . $server;

    $conn = new PDO($dsn,$user,$password);  //Establish connection   

    $pass = md5($pass);

    $sql = "SELECT `userid`,`userlevel` 
            FROM `users` 
            WHERE `email` = :email 
            AND `password` = :pass 
            LIMIT 1";

    $stmt = $conn->prepare($sql);
    $stmt->bindParam(':email',$email,PDO::PARAM_STR,128)  //First param gives the placeholder from the query, second is the variable to bind into that place holder, third gives data type, fourth is max length
    $stmt->bindParam(':pass',$pass,PDO::PARAM_STR,32)  //MD5s should always have a length of 32

    $stmt->setFetchMode(PDO::FETCH_ASSOC);
    $stmt->execute();  //almost equivalent to mysql_query
    $user_data = $stmt->fetch();  //Grab the data

    if(is_array($user_data) && count($user_data) == 2)  //Check that returned info is an array and that we have both `userid` and `userlevel`
    {
        //Continue onwards

答案 2 :(得分:1)

$userid = $user_data['user_id'];
$isadmin = mysql_query("SELECT userlevel FROM users WHERE userid = $userid");

$user_data = mysql_fetch_array($result);
$userlevel = $user_data['userlevel'];

if($userlevel == '9')
{
  $_SESSION['admin'] = true;
}

所以,你的完整代码看起来像这样:: 

<?php
function checklogin($email, $pass) 
{
        $server = 'localhost';
        $user = 'root';
        $password = '';
        $connection = mysql_connect($server, $user, $password) or     die(mysql_error());
        mysql_select_db(test, $connection) or die(mysql_error());
        $pass = md5($pass);
        $result = mysql_query("SELECT userid from users WHERE email = '$email'  AND password = '$pass'");
        $user_data = mysql_fetch_array($result);
        $numrows = mysql_num_rows($result);
        if ($numrows == 1) 
        {
            $_SESSION['reguser'] = true;
            $_SESSION['userid'] = $user_data['userid'];

            //MY ANSWER START HERE
            $userid = $_SESSION['userid']; 
            $isadmin = mysql_query("SELECT userlevel FROM users WHERE userid = $userid");

            $user_data = mysql_fetch_array($result);
            $userlevel = $user_data['userlevel'];

            if($userlevel == '9')
            {
              $_SESSION['admin'] = true;
            }
            //END HERE 

        }
        else
        {
            return false;
        }
}

?>
相关问题
最新问题