最受欢迎

在登录系统中实现用户帐户

Implementing User Accounts into Login System Php

本文关键字:用户 实现 登录 系统 | 更新日期: 2023-09-27

我想在我的网站上建立和执行用户权限。

我有两个用户组:买家和商家。

例如,对于买家,我有(在/login/dir下):

<form method="post" action="check_buyer.php" id="LoggingInBuyer">
    <div style="width:265px;margin:0; padding:0; float:left;">
        <label>Username:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
             <span><a href="#">Forgot Username?</span></a>
        </label>
        <br />
        <input id="UserReg" style="width:250px;" type="text" name="userName" tabindex="1" class="required" />
    </div>
    <div style="width:265px;margin:0; padding:0; float:right;">
        <label>Password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        <span><a href="#">Forgot Password?</span></a></label>
        <br />
        <input id="UserReg" style="width:250px;" type="password"  name="userPass" tabindex="2" class="required" />
    </div>
    <div class="clearB"> </div>
    <input type="submit" style="width:100px; margin:10px 200px;" id="UserRegSubmit" name="submit" value="Login" tabindex="3" />
</form>

php脚本check_buyer.php:

<?php
session_start(); #recall session from index.php where user logged include()
function isLoggedIn()
{
    if(isset($_SESSION['valid']) && $_SESSION['valid'])
        header( 'Location: buyer/' ); # return true if sessions are made and login creds are valid
    echo "Invalid Username and/or Password";  
    return false;
}
require_once('../inc/db/dbc.php');
$connect = mysql_connect($h, $u, $p) or die ("Can't Connect to Database.");
mysql_select_db($db);
$LoginUserName = $_POST['userName'];
$LoginPassword = mysql_real_escape_string($_POST['userPass']);
//connect to the database here
$LoginUserName = mysql_real_escape_string($LoginUserName);
$query = "SELECT uID, uUPass, dynamSalt, uUserType FROM User WHERE uUName = '$LoginUserName';";
$result = mysql_query($query);
if(mysql_num_rows($result) < 1) //no such USER exists
{
    echo "Invalid Username and/or Password";
}
$ifUserExists = mysql_fetch_array($result, MYSQL_ASSOC);
function validateUser() {
    $_SESSION['valid'] = 1;
    $_SESSION['uID'] = $uID;
    $_SESSION['uUserType'] = 1; // 1 for buyer - 2 for merchant
}
$dynamSalt = $ifUserExists['dynamSalt'];  #get value of dynamSalt in query above
$SaltyPass = hash('sha512',$dynamSalt.$LoginPassword); #recreate originally created dynamic, unique pass
if($SaltyPass != $ifUserExists['uUPass']) # incorrect PASS
{
    echo "Invalid Username and/or Password";
}
else {
validateUser();
}
// If User *has not* logged in yet, keep on /login
if(!isLoggedIn())
{
    header('Location: index.php');
    die();
}
?>

如果输入的是合法用户…进入/login/buyer目录

<?php
session_start();
if($_SESSION['uUserType']!=1)
{ 
    echo 'the userid: ' . $userid . '<br>' . 'the type is ' . $userType . '<br>';
    die("You may not view this page. Access denied.");
}
function isLoggedIn()
{
    return (isset($_SESSION['valid']) && $_SESSION['valid']);
}
//if the user has not logged in
if(!isLoggedIn())
{
    header('Location: index.php');
    die();
}
?>
<?php 
    if($_SESSION['valid'] == 1){
        #echo "<a href='../logout.php'>Logout</a>";
        require_once('buyer_profile.php');
    }
    else{
        echo "<a href='../index.php'>Login</a>";
    }
?>

问题一旦作为buyer登录,我可以输入:login/merchant,它将带我到那里,即使会话$_SESSION['uUserType']中的字段不断被重新验证为= 1

我如何阻止用户在url中输入login/merchant,他们可以访问它?

首先,您无法阻止用户输入某个url。限制特定脚本或代码段给特定用户的唯一方法是通过代码[或者,好吧,特定的Apache设置]。

这段代码是错误的,因为它(很可能)是用来检查会话是否存在的,但是它没有检查它是否是一个BUYER会话:

function isLoggedIn()
{
    if(isset($_SESSION['valid']) && $_SESSION['valid'])
        header( 'Location: buyer/' ); # return true if sessions are made and login creds are valid
    echo "Invalid Username and/or Password";  
    return false;
}

你也需要检查$_SESSION['uUserType']

我将把所有的东西封装在一个类中:

class CUserRole {
  const USER_NO_ROLE  = 'user.noRole';
  const USER_BUYER    = 'user.buyer';
  const USER_MERCHANT = 'user.merchant';
  const PAGE_LOGIN    = 'index.php';

  static 
  public function getCurrentUserRole() {
    if ( ! isset( $_SESSION )) {
       return self::USER_NO_ROLE;
    }
    switch( $_SESSION['uUserType'] ) {
      case 1:
       return self::USER_BUYER;
      case 2:
       return self::USER_MERCHANT;
      default:
        die( 'Inconsistent/Invalid uUserType' );
    }
  }
  static 
  public function forwardIfNotRole( $aRole, $forwardAddress = self::PAGE_LOGIN ) {
    if ( $aRole != self::getCurrentUserRole() ) {
      header( 'Location: ' . forwardAddress );
      exit;
    }
  }
  static 
  public function evaluateCredentials( ) {
    // checks passed login parameters against the DB
    // and sets up the session with appropriate values
  }
}

必要时,在脚本开头添加这一行:

CUserRole::forwardIfNotRole( CUserRole::USER_BUYER, 'some/where/address' );

或者直接转发到index.php:

CUserRole::forwardIfNotRole( CUserRole::USER_BUYER );

这个解决方案将角色管理的主要部分封装在一个单独的类中。

最后,我不明白为什么要设置这个:

$_SESSION['valid'] = 1;

使用静态方法是一个非常简单的解决方案,使用单例模式设计会更好。

有没有

session_start();
if( 2!== $_SESSION['uUserType'])
{ 
    ///login/merchant content goes here (login form, whole page, etc.)
} else {
   header("location: http://www.example.com/whatever/buyer_page.php"); 
    //redirect to whatever page you want
    //or instead of header you could do an 
    //echo "You're already logged in" or whatever message you want
}

在你的商业页面上?(你不想让买家访问的所有页面)

重要的是要注意,在使用header("location.... . net ")之前,不能输出任何html这包括标签外的空白。所以要确保在

开头没有空格
相关文章:
最新更新
www.56WenDa.com 2012-2023 | php问答网 | php学习