Fatal编程技术网
  • php/
  • 基于用户角色使用PHP和MYSQL登录页面

基于用户角色使用PHP和MYSQL登录页面

php

基于用户角色使用PHP和MYSQL登录页面,php,Php,我创建了一个登录页面 <?php session_start(); $db=mysqli_connect("localhost","root","","authentication"); if (isset($_POST['login_btn'])) { $customer_name = mysql_real_escape_string($_POST['customer_name']); $password = mysql_real_escape_string($_P

我创建了一个登录页面

<?php
session_start();

$db=mysqli_connect("localhost","root","","authentication");

if (isset($_POST['login_btn'])) {

    $customer_name = mysql_real_escape_string($_POST['customer_name']);
    $password = mysql_real_escape_string($_POST['password']);
    $password=md5($password);
    if(empty($customer_name)&&empty($password)) {
        $error="Fields are Mandatory";
    } else {
        $sql="SELECT * 
              FROM customers 
              WHERE customer_name='$customer_name' AND password='$password'";
        $result=mysqli_query($db,$sql);
        $row=mysqli_fetch_array($result);
        $_SESSION['id']=$row['id'];
        $_SESSION['role']=$row['role'];
        $count=mysqli_num_rows($result);

        if($count==1){
            if ($row['role']=="manager"){
                header("location:manager.php");      
            }
            else if($row['role']==""){
                header("location:ueser.php");      
            }
        }else{
            $error='Customer_name/password combination incorrect';
        }
    }
}
?>
我希望客户和经理从同一页面登录。 在db中,我将客户和经理分别按其角色“”和“经理”进行分隔(客户表示为空值)

我写了这段代码,但它没有像我预期的那样工作。 当我输入姓名和密码并按下登录按钮时,它不会进入所需页面,而是留在登录页面上

<?php
session_start();

$db=mysqli_connect("localhost","root","","authentication");

if (isset($_POST['login_btn'])) {

    $customer_name = mysql_real_escape_string($_POST['customer_name']);
    $password = mysql_real_escape_string($_POST['password']);
    $password=md5($password);
    if(empty($customer_name)&&empty($password)) {
        $error="Fields are Mandatory";
    } else {
        $sql="SELECT * 
              FROM customers 
              WHERE customer_name='$customer_name' AND password='$password'";
        $result=mysqli_query($db,$sql);
        $row=mysqli_fetch_array($result);
        $_SESSION['id']=$row['id'];
        $_SESSION['role']=$row['role'];
        $count=mysqli_num_rows($result);

        if($count==1){
            if ($row['role']=="manager"){
                header("location:manager.php");      
            }
            else if($row['role']==""){
                header("location:ueser.php");      
            }
        }else{
            $error='Customer_name/password combination incorrect';
        }
    }
}
?>
如果

/* Incorrect Method: */
if ($a > $b):
    echo $a." is greater than ".$b;
else if ($a == $b): // Will not compile.
    echo "The above line causes a parse error.";
endif;


/* Correct Method: */
if ($a > $b):
    echo $a." is greater than ".$b;
elseif ($a == $b): // Note the combination of the words.
    echo $a." equals ".$b;
else:
    echo $a." is neither greater than or equal to ".$b;
endif;
要了解更多信息,代码方面还有很多需要改进的地方。我留下了一些附加注释,您可以在这些注释中改进此代码。我认为你的主要问题是你需要使用不同的头重定向。
Location
中的
L
我认为需要大写,并且应该是
Location:url
需要空白,页面需要是url

另外,当可能添加更多角色时,我会使用切换
if-else
但是如果您不检查访问该页面的用户是否有权访问该页面,则执行此重定向是无用的。身份验证与授权

<?php

session_start();

$db=mysqli_connect("localhost","root","","authentication");

if (isset($_POST['login_btn'])) {

    if(empty($_POST['customer_name'])&&empty($_POST['password'])) {
        $error="Fields are Mandatory";
    } else {

        //You cannot mess with them before check if empty md5 will hash a space and null

        //Use prepared statements and the mysql_real_escape_string is not needed
        $customer_name = mysql_real_escape_string();

        //I really am not sure that mysql_real_escape_string before your hash is a good idea...
        //You will be hashing the escaped version of it.
        $password = mysql_real_escape_string($_POST['password']);

        //This is not secure either check out.
        //http://php.net/manual/en/function.password-hash.php
        //http://php.net/manual/en/function.password-verify.php
        $password=md5($password);

        //http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
        $sql="SELECT * 
              FROM customers 
              WHERE customer_name='$customer_name' AND password='$password'";

        //You can drop the password from the query and check what is returned
        //In the results with using password_verify)
        $result=mysqli_query($db,$sql);

        //Check this upfront and do work if you meet it.
        //I assume that username is unique so you should
        //Want to do something if one is returned
        if(mysqli_num_rows($result) == 1){;
            $row=mysqli_fetch_array($result);
            $_SESSION['id']=$row['id'];
            $_SESSION['role']=$row['role'];

            //For the page I would use a switch
            switch ($_SESSION['role']) {
                case "manager":
                    //Capital L and a space
                    //Also it should be a url so example
                    header("Location: http://localhost/manager.php"); 
                    break;
                default:
                    //Capital L and a space
                    //Also it should be a url so example
                    header("Location: http://localhost/user.php"); 
                    break;
            }
        }else{
            $error='Customer_name/password combination incorrect';
        }
    }
}

这似乎并不明智。你永远不希望客户能够以经理的身份登录,即使有人犯了愚蠢的错误。为客户和经理分离登录页面、例程和数据表似乎是明智的。它还允许您使用两种不同的登录方法,例如,您可以对管理员使用双因素身份验证。(我喃喃地说:“SQL注入”)您的脚本非常开放,甚至可以在
MYSQLI\ucode>或
PDO
API中使用。请不要特别使用MD5()来滚动您自己的密码哈希。PHP提供并请使用它们。如果您使用的是5.5之前的PHP版本,那么在检查查询是否确实返回了任何内容之前,您还需要设置会话。如果您使用OP的信息回答问题,而不是仅仅复制PHP手册的片段,那么会更有帮助。同样,您也可以使用它们使用的相同格式,而不是
endif
如果