Php 重定向到依赖于角色的页面_Php_Mysql

Php 重定向到依赖于角色的页面

php mysql

Php 重定向到依赖于角色的页面,php,mysql,Php,Mysql,我根据角色重定向用户 username | password | accessLevel xxxxxx xxxxxx admin xxxxxx xxxxxx member xxxxxx xxxxxx none 我有下面的check.php页面 // Connect to server and select databse. mysql_connect("$host", "$username", "$password

我根据角色重定向用户

username  |  password  |  accessLevel
xxxxxx       xxxxxx       admin
xxxxxx       xxxxxx       member
xxxxxx       xxxxxx       none

我有下面的check.php页面

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 

// To protect MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

// Register $myusername, $mypassword and redirect to file "index.php"
$_SESSION['myusername']= $myusername; 
$_SESSION['mypassword']= $mypassword;
$role = mysql_fetch_array($result);

 if($role['accessLevel'] == "admin"){
        header("location:index.php");
            exit();
      }
      elseif($role['accessLevel'] == "member"){
  header("location:tasks.php");
        exit();
     }

else {
echo "Error: Username, Password or Access Level incorrect! Go Home, you're Drunk!!!";
}

    }
ob_end_flush();
?>

这会将正确的角色重定向到正确的页面，但如果他们在同一目录中键入页面，他们也可以访问我不希望他们访问的其他页面，我想将成员限制为某些页面，管理员限制为所有页面，我需要在页面顶部添加什么来区分这两个用户角色

我在所有页面的顶部都有以下内容：

    <?php
session_start();
////if(!session_is_registered(myusername)){
if (!isset($_SESSION['myusername'])) {
header("location:main_login.php");
}

我可以更改此设置以限制依赖于accessLevel的页面吗？

我通过在check_login.php页面上分配会话名称来修复它，并在我只想限制为admin的页面上选中了isset

我以前尝试过这个，但有语法错误，我现在在喝了咖啡和新鲜空气后修复了这些错误。

非常简单，我在几乎所有的项目中都这么做了，你要做的是，替代1。在成功登录后，将角色作为用户名传递到会话中，然后在每个页面的顶部启动会话并检查权限。例如：admin的index.php

<?php
 session_start();
 if($_SESSION['accessLevel'] !== "admin"){ header("location:Adminlogin.php"); }
?>
 <!-- go whith your page -->

或

<?php  session_start();

<?php 
  //fetch its role in DB then assign, like
  if($role['accessLevel'] == "admin"){

   $_SESSION['admin']=$role['username'];

    header("location:index.php");

  }
  elseif($role['accessLevel'] == "member"){
  $_SESSION['member']=$role['username'];
  header("location:tasks.php");

 }

$_SESSION['admin']

$_SESSION['member'].

Your page ha s the following mistake, you have to fix them. 1. you pass password as clear text (md() is needed for encryption) 2.you store password into sessionvariable, what for? ( if user log in sucessfull we take his/her id into session for other use not checking login always. 3.stripslashes,mysql_real_escape_string are not ecure enough for you to pass the password direct, Query by username then compar Also there is NOTICE on your code. 1. try to avoid the use of * in sqlSting(query statments), tey hinder perfomance. select only field tha you have to use. 2. there is no need of using exit() where you place them, if...else enough 3.Instead of $myusername = stripslashes($myusername); $myusername= mysql_real_escape_string($myusername); you can have $myusername = stripslashes(mysql_real_escape_string($myusername));