PHP User/Admin Login using Database

The following code is for my admin login page, which redirects to an admin-only page after a successful login. Based on the database value, I only want users whose admin value is 1 to get access, while users whose admin value is 0 should get an error message like "Invalid Username or Password". Please indicate where the additional code goes.

Also, please bear in mind that I do my best to piece together code and patches to make things work for me, so I am not very fluent in PHP. Any help would be greatly appreciated.

DATABASE
ID    Username    Password    Admin
1     John        ••••••      0
2     Aaron       ••••••      1

<?php 
    require("connect.php");
    // $_SESSION is written below on a successful login, so make sure a session
    // exists; the guard avoids a notice if connect.php already called session_start().
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    // Re-display the username if they fail to enter correct password. 
    $submitted_username = ''; 
    // Determine whether the login form has been submitted 
    // If it has, run the login code, otherwise display form 
    if(!empty($_POST)) 
    { 
        // Retrieve the users info from the database using username 
        $query = " 
            SELECT 
                id, 
                username, 
                password, 
                salt, 
                email,
                admin
            FROM users 
            WHERE 
                username = :username
        ";
        // The parameter values 
        $query_params = array( 
            ':username' => $_POST['username'] 
        );      
        try 
        { 
            // Execute query against database 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 

        catch(PDOException $ex) 
        { 
            die("Failed to run query: " . $ex->getMessage()); 
        } 
        $login_ok = false; 
        // Retrieve user data from database.  If $row is false, the username is not registered
        $row = $stmt->fetch(); 
        if($row) 
        { 
            // Using the password submitted by the user and the salt stored in the database, 
            // we now check to see whether the passwords match by hashing the submitted password 
            // and comparing it to the hashed version already stored in the database. 
            $check_password = hash('sha256', $_POST['password'] . $row['salt']); 
            for($round = 0; $round < 65536; $round++) 
            { 
                $check_password = hash('sha256', $check_password . $row['salt']); 
            } 
            if($check_password === $row['password']) 
            { 
                // If they do, then we flip this to true 
                $login_ok = true; 
            }           
        } 
        // If the user logged in successfully, then we send them to the private members-only page 
        // Otherwise, we display a login failed message and show the login form again 
        if($login_ok) 
        { 
            // Here I am preparing to store the $row array into the $_SESSION by 
            // removing the salt and password values from it.  Although $_SESSION is 
            // stored on the server-side, there is no reason to store sensitive values 
            // in it unless you have to.  Thus, it is best practice to remove these 
            // sensitive values first. 
            unset($row['salt']); 
            unset($row['password']); 
            // This stores the user's data into the session at the index 'user'. 
            // We will check this index on the private members-only page to determine whether 
            // or not the user is logged in.  We can also use it to retrieve 
            // the user's details. 
            $_SESSION['user'] = $row; 
            // Redirect the user to the private members-only page. 
            header("Location: index.php"); 
            die("Redirecting to: index.php"); 
        } 
        else { 
            // Tell the user they failed 
            $error = "Invalid Username or Password"; 
            // Show them their username again so all they have to do is enter a new 
            // password. The use of htmlentities prevents XSS attacks. You should 
            // always use htmlentities on user submitted values before displaying them 
            // to any users (including the user that submitted them). For more information: 
            // http://en.wikipedia.org/wiki/XSS_attack 
            $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); 
        } 
    } 
?>

Maybe this will work:-

            if($check_password === $row['password'] && $row['admin'] == 1)
            {
                $login_ok = 1;
            }
            else
            {
                $login_ok = 0;
            }

You can change the query

$query = " 
            SELECT 
                id, 
                username, 
                password, 
                salt, 
                email,
                admin
            FROM users 
            WHERE 
                username = :username
                AND admin = 1
        ";
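As an added example that is not part of the question or of the answer above, here is how the two pieces fit together in PHP. It keeps the question's hashing scheme (sha256 over password and salt, then 65536 further rounds) and its admin column, applies the answer's admin check after the password check, and adds what a practitioner would want on top: a constant-time comparison, one generic failure message for every failure cause (unknown user, wrong password, valid non-admin), and a guard on the admin-only page itself. The user table, salts, passwords and e-mail addresses are constructed for the demo; there is no database and no session handling beyond a plain array.

```php
<?php
// Added example, not the asker's or the answerer's code. Reuses the question's
// hashing scheme and "admin" column; every row below is constructed for the demo.
declare(strict_types=1);

// Same scheme as the question's login code, so existing rows keep working.
function hash_password(string $password, string $salt): string
{
    $h = hash('sha256', $password . $salt);
    for ($round = 0; $round < 65536; $round++) {
        $h = hash('sha256', $h . $salt);
    }
    return $h;
}

// Returns the trimmed user row on success, or null for ANY failure: unknown
// username, wrong password, or a valid account whose admin flag is not 1.
// Collapsing the three cases into one result is what lets the caller show a
// single "Invalid Username or Password" message for all of them.
function admin_login(array $users, string $username, string $password): ?array
{
    $row = $users[$username] ?? null;
    if ($row === null) {
        return null;
    }
    $check = hash_password($password, $row['salt']);
    // hash_equals() compares in constant time; === on strings does not.
    if (!hash_equals($row['password'], $check)) {
        return null;
    }
    // The admin check from the answer, done after the password check.
    if ((int) $row['admin'] !== 1) {
        return null;
    }
    // As in the question: never keep salt or hash in the session.
    unset($row['salt'], $row['password']);
    return $row;
}

// Guard for the admin-only page (index.php in the question). Checking only at
// login is not enough; the protected page must re-check the flag it was given.
function require_admin(array $session): bool
{
    return isset($session['user']['admin']) && (int) $session['user']['admin'] === 1;
}

// Constructed sample table mirroring the question's DATABASE listing.
// Assumed passwords: "johnpw" for John (admin 0), "aaronpw" for Aaron (admin 1).
$users = [
    'John'  => ['id' => 1, 'username' => 'John',  'salt' => 'salt1', 'admin' => 0, 'email' => 'john@example.com'],
    'Aaron' => ['id' => 2, 'username' => 'Aaron', 'salt' => 'salt2', 'admin' => 1, 'email' => 'aaron@example.com'],
];
$users['John']['password']  = hash_password('johnpw',  $users['John']['salt']);
$users['Aaron']['password'] = hash_password('aaronpw', $users['Aaron']['salt']);

// Demo runs; the form handling itself stays as in the question.
$cases = [
    ['Aaron',  'aaronpw'], // admin, right password      -> logged in
    ['John',   'johnpw'],  // non-admin, right password  -> rejected
    ['Aaron',  'wrong'],   // admin, wrong password      -> rejected
    ['Nobody', 'x'],       // unknown user               -> rejected
];
foreach ($cases as [$u, $p]) {
    $user = admin_login($users, $u, $p);
    if ($user === null) {
        echo "$u: Invalid Username or Password\n";
        continue;
    }
    // In the real page: session_regenerate_id(true); $_SESSION['user'] = $user;
    // header('Location: index.php'); exit;
    $session = ['user' => $user];
    echo "$u: logged in, admin page allowed = " . var_export(require_admin($session), true) . "\n";
}
```

With the answer's alternative of adding `AND admin = 1` to the query, a non-admin account is rejected before its password is ever hashed, which is cheaper; either way the page should emit the same message for all three failure causes so the response does not reveal which accounts exist or which are admins.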