基于用户角色使用PHP和MYSQL登录页面
我创建了一个登录页面基于用户角色使用PHP和MYSQL登录页面,php,Php,我创建了一个登录页面 <?php session_start(); $db=mysqli_connect("localhost","root","","authentication"); if (isset($_POST['login_btn'])) { $customer_name = mysql_real_escape_string($_POST['customer_name']); $password = mysql_real_escape_string($_P
<?php
session_start();
$db=mysqli_connect("localhost","root","","authentication");
if (isset($_POST['login_btn'])) {
$customer_name = mysql_real_escape_string($_POST['customer_name']);
$password = mysql_real_escape_string($_POST['password']);
$password=md5($password);
if(empty($customer_name)&&empty($password)) {
$error="Fields are Mandatory";
} else {
$sql="SELECT *
FROM customers
WHERE customer_name='$customer_name' AND password='$password'";
$result=mysqli_query($db,$sql);
$row=mysqli_fetch_array($result);
$_SESSION['id']=$row['id'];
$_SESSION['role']=$row['role'];
$count=mysqli_num_rows($result);
if($count==1){
if ($row['role']=="manager"){
header("location:manager.php");
}
else if($row['role']==""){
header("location:ueser.php");
}
}else{
$error='Customer_name/password combination incorrect';
}
}
}
?>
我希望客户和经理从同一页面登录。
在db中,我将客户和经理分别按其角色“”和“经理”进行分隔(客户表示为空值)
我写了这段代码,但它没有像我预期的那样工作。
当我输入姓名和密码并按下登录按钮时,它不会进入所需页面,而是留在登录页面上
<?php
session_start();
$db=mysqli_connect("localhost","root","","authentication");
if (isset($_POST['login_btn'])) {
$customer_name = mysql_real_escape_string($_POST['customer_name']);
$password = mysql_real_escape_string($_POST['password']);
$password=md5($password);
if(empty($customer_name)&&empty($password)) {
$error="Fields are Mandatory";
} else {
$sql="SELECT *
FROM customers
WHERE customer_name='$customer_name' AND password='$password'";
$result=mysqli_query($db,$sql);
$row=mysqli_fetch_array($result);
$_SESSION['id']=$row['id'];
$_SESSION['role']=$row['role'];
$count=mysqli_num_rows($result);
if($count==1){
if ($row['role']=="manager"){
header("location:manager.php");
}
else if($row['role']==""){
header("location:ueser.php");
}
}else{
$error='Customer_name/password combination incorrect';
}
}
}
?>
如果
/* Incorrect Method: */
if ($a > $b):
echo $a." is greater than ".$b;
else if ($a == $b): // Will not compile.
echo "The above line causes a parse error.";
endif;
/* Correct Method: */
if ($a > $b):
echo $a." is greater than ".$b;
elseif ($a == $b): // Note the combination of the words.
echo $a." equals ".$b;
else:
echo $a." is neither greater than or equal to ".$b;
endif;
要了解更多信息,代码方面还有很多需要改进的地方。我留下了一些附加注释,您可以在这些注释中改进此代码。我认为你的主要问题是你需要使用不同的头重定向。
Location
中的L
我认为需要大写,并且应该是Location:url
需要空白,页面需要是url
另外,当可能添加更多角色时,我会使用切换if-else
但是如果您不检查访问该页面的用户是否有权访问该页面,则执行此重定向是无用的。身份验证与授权
<?php
session_start();
$db=mysqli_connect("localhost","root","","authentication");
if (isset($_POST['login_btn'])) {
if(empty($_POST['customer_name'])&&empty($_POST['password'])) {
$error="Fields are Mandatory";
} else {
//You cannot mess with them before check if empty md5 will hash a space and null
//Use prepared statements and the mysql_real_escape_string is not needed
$customer_name = mysql_real_escape_string();
//I really am not sure that mysql_real_escape_string before your hash is a good idea...
//You will be hashing the escaped version of it.
$password = mysql_real_escape_string($_POST['password']);
//This is not secure either check out.
//http://php.net/manual/en/function.password-hash.php
//http://php.net/manual/en/function.password-verify.php
$password=md5($password);
//http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
$sql="SELECT *
FROM customers
WHERE customer_name='$customer_name' AND password='$password'";
//You can drop the password from the query and check what is returned
//In the results with using password_verify)
$result=mysqli_query($db,$sql);
//Check this upfront and do work if you meet it.
//I assume that username is unique so you should
//Want to do something if one is returned
if(mysqli_num_rows($result) == 1){;
$row=mysqli_fetch_array($result);
$_SESSION['id']=$row['id'];
$_SESSION['role']=$row['role'];
//For the page I would use a switch
switch ($_SESSION['role']) {
case "manager":
//Capital L and a space
//Also it should be a url so example
header("Location: http://localhost/manager.php");
break;
default:
//Capital L and a space
//Also it should be a url so example
header("Location: http://localhost/user.php");
break;
}
}else{
$error='Customer_name/password combination incorrect';
}
}
}
这似乎并不明智。你永远不希望客户能够以经理的身份登录,即使有人犯了愚蠢的错误。为客户和经理分离登录页面、例程和数据表似乎是明智的。它还允许您使用两种不同的登录方法,例如,您可以对管理员使用双因素身份验证。(我喃喃地说:“SQL注入”)您的脚本非常开放,甚至可以在MYSQLI\ucode>或PDO
API中使用。请不要特别使用MD5()来滚动您自己的密码哈希。PHP提供并请使用它们。如果您使用的是5.5之前的PHP版本,那么在检查查询是否确实返回了任何内容之前,您还需要设置会话。如果您使用OP的信息回答问题,而不是仅仅复制PHP手册的片段,那么会更有帮助。同样,您也可以使用它们使用的相同格式,而不是:
和endif
如果