PHP/MYSQL:使用多种类型的用户登录
我想在一个PHP页面中为管理员和超级管理员创建一个登录页面。目前,我分别为admin和super admin创建登录页面,但使用相同的数据库表 下面是我当前的管理员和超级管理员登录代码 admin_login.phpPHP/MYSQL:使用多种类型的用户登录,php,mysql,Php,Mysql,我想在一个PHP页面中为管理员和超级管理员创建一个登录页面。目前,我分别为admin和super admin创建登录页面,但使用相同的数据库表 下面是我当前的管理员和超级管理员登录代码 admin_login.php <?php include("config/config.php"); session_start(); if($_SERVER["REQUEST_METHOD"] == "POST") { $Email = mysqli_real_escape_string($li
<?php
include("config/config.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST") {
$Email = mysqli_real_escape_string($link,$_POST['Email']);
$Pwd = mysqli_real_escape_string($link,$_POST['Pwd']);
$sql = "SELECT staff.Email FROM staff WHERE Email = '$Email' AND Pwd ='$Pwd' AND staff.Role = 'admin'";
$result = mysqli_query($link,$sql);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$count = mysqli_num_rows($result);
if($count == 1) {
$_SESSION['login_user'] = $Email;
header("location: pages/dashboard/dashboard_admin.php");
}else {
$error = "Your Login Name or Password is invalid";
}
}
?>
super_admin_login.php
<?php
include("config/config.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST") {
$Email = mysqli_real_escape_string($link,$_POST['Email']);
$Pwd = mysqli_real_escape_string($link,$_POST['Pwd']);
$sql = "SELECT staff.Email FROM staff WHERE Email = '$Email' AND Pwd ='$Pwd' AND staff.Role = 'super_admin'";
$result = mysqli_query($link,$sql);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$count = mysqli_num_rows($result);
if($count == 1) {
$_SESSION['login_user'] = $Email;
header("location: pages/dashboard/dashboard_super_admin.php");
}else {
$error = "Your Login Name or Password is invalid";
}
}
?>
有人能帮我吗?非常感谢您现在要做的是检查特定角色是否有用户名和密码,为什么不检查用户名和密码,然后检查其角色以重定向到正确的位置 您可以合并它们,您应该首先检查用户名和密码,然后检查角色,查看重定向到正确仪表板的是管理员还是超级管理员。
<?php
include("config/config.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST") {
$Email = mysqli_real_escape_string($link,$_POST['Email']);
$Pwd = mysqli_real_escape_string($link,$_POST['Pwd']);
$sql = "SELECT staff.Email,staff.Role FROM staff WHERE Email = '$Email' AND Pwd ='$Pwd'"; // Remember You do not need to check role here so you can accept both
$result = mysqli_query($link,$sql);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$count = mysqli_num_rows($result);
if($count == 1) {
$_SESSION['login_user'] = $Email;
if($row["Role"] == "admin"){ //Check the role here
header("location: pages/dashboard/dashboard_admin.php");
}else{ // If you want to be more specific you can write a else-if here too.
header("location: pages/dashboard/dashboard_super_admin.php");
}
}else {
$error = "Your Login Name or Password is invalid";
}
}
?>
PS:永远不要存储普通密码并使用预先准备好的语句来防止SQL注入您从一个稍微错误的角度来处理这个问题。每个用户都应该通过相同的脚本登录。用户提供一个用户ID(您的情况下是电子邮件)和密码,您检查它们是否正确,然后您拿起
员工。角色
,了解他们是什么类型的用户,并相应地对待他们
我还将您的代码更改为使用准备好的、参数化的和绑定的查询
额外阅读以更改代码以使用更安全的
您正在存储纯文本密码,这非常糟糕。PHP提供并请使用它们。下面是一些你从稍微错误的角度来看待这个问题的例子。每个用户都应该通过相同的脚本登录。用户提供用户和密码,您检查它们是否正确,然后您拿起
员工。角色了解他们是什么类型的用户,并对他们进行相应的处理谢谢,伙计们。我以后再换。但是有人能帮我解决我的问题吗?为什么不删除这个和staff.Role=
SQL条件,然后检查admin或user\u admin,然后根据当前问题的良好解释重新定向,因为密码问题:简单的密码散列可能还不够(不过还是比纯文本好),某些哈希函数最终会产生冲突。请尝试阅读有关向密码中添加salt的内容:关于加密的一点改进。无论如何,这取决于您提供的代码段的用途。如果要发布和使用该代码段,请寻求专业帮助,甚至尝试将身份验证事宜委托给social connect(OAuth)。
<?php
include("config/config.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST") {
//$Email = mysqli_real_escape_string($link,$_POST['Email']);
//$Pwd = mysqli_real_escape_string($link,$_POST['Pwd']);
$sql = "SELECT Pwd, Role
FROM staff
WHERE Email = ?";
$stmt = $link->prepare($sql);
$stmt->bind_param('s',$_POST['Email']);
$stmt->execute();
$result = $stmt->get_result();
$row = $result->fetch_assoc();
if ($result->num_rows == 1 )
// this should really be using `password_verify()`
// but as that requiesa change to the way you save the password
// I cannot just add it here
if ( $_POST['Pwd'] == $row['Pwd'] ){
$_SESSION['login_user'] = $Email;
// might be useful to put the role in the session for later use as well
$_SESSION['Role'] = $row['Role'];
if ($row['Role'] == 'admin')
header("location: pages/dashboard/dashboard_admin.php");
exit;
}
if ($row['Role'] == 'super_admin')
header("location: pages/dashboard/dashboard_super_admin.php");
exit;
}
} else {
$error = "Your Login Name or Password is invalid";
}
}
}
?>