无论如何,我将能够通过这个过程代码添加用户访问级别?我有我的注册码,这将允许普通用户注册。我将通过PHPMyAdmin设置管理员。如何使用此进程页面定义管理员用户访问级别?
代码:login_process.php
<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
if (isset($_POST['email'], $_POST['p'])) {
$email = $_POST['email'];
$password = $_POST['p']; // The hashed password.
if (login($email, $password, $mysqli) == true) {
// Login success
header('Location: ./protected_page.php');
} else {
// Login failed
header('Location: ./index.php?error=1');
}
}
else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
?>
代码:登录函数
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
FROM members
WHERE email = ?
LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_'-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
示例代码:
if (login($username="admin_username") {
// Login admin success
header('Location: ./protected_page.php');
} else (login($email, $password, $mysqli) == true){
// Login success
header('Location: ./user.php');
}
} else {
// Login failed
header('Location: ./index.php?error=1');
}
这取决于你如何在数据库中存储数据,但如果你的用户表有列:user_name, password, user_type.
当您检查user_name和password是否匹配您的登录函数时,您可以这样做:
SELECT user_name, password, user_type FROM users WHERE user_name = '".$email."' AND password = '".$password"'";
然后检查返回的行数,如果返回0则凭证不匹配,则不登录用户。如果它们匹配,那么您可以使用user_level重定向到您想要的位置。
如果你能发布你的登录函数,我可以解释你在代码中要做的改变。
编辑:在发布登录功能后添加固定功能
登录验证:
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
if (isset($_POST['email'], $_POST['p'])) {
$email = $_POST['email'];
$password = $_POST['p']; // The hashed password.
if (login($email, $password, $mysqli) == true) {
// Login success
//Redirecting to admin protected page for instance
if( isset($_session['user_type']) and $_session['user_type'] == 'admin' )
header('Location: ./protected_page.php');
else {
//redirect to normal logged user
header('Location: ./normal_user_logged.php');
}
} else {
// Login failed
header('Location: ./index.php?error=1');
}
}
else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
?>
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt, user_type
FROM members
WHERE email = ?
LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt, $user_type);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_'-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
$_SESSION['user_type'] = $user_type;
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}