I'm building a system for a school where the users are administrators, teachers and parents. I'm having a problem telling two of the users apart (admin and parent): I can't make sure that an admin goes straight to admin.php and the parent type goes to parent.php. Any help would be great! Thanks in advance.
The problem now is that if a user enters the wrong username/password, their authentication fails but they can still get into the system.
<?php
session_start();
require("conection/connect.php");
$msg="";
if(isset($_POST['btn_log'])){
$uname=$_POST['unametxt'];
$pwd=$_POST['pwdtxt'];
$type=$_POST ['type'];
$sql=mysql_query("SELECT * FROM users_tbl
WHERE username='$uname' AND password='$pwd' AND type='$type'
");
$cout=mysql_num_rows($sql);
if (isset($type))
{
$_SESSION['Parent'] = $type;
header("location: parent.php");
}
else {
$_SESSION['Admin'] = $type;
header("location: admin.php");
exit;
}
}
?>
First, don't use mysql_; it is deprecated.
I assume $type = a means admin and p means parent.
$sql=mysql_query("SELECT * FROM users_tbl WHERE username='$uname' AND password='$pwd'");
$count=mysql_num_rows($sql);
if($count>0)
{
    if ($type=='p')
    {
        $_SESSION['Parent'] = $type;
        header("location: parent.php");
        exit; // stop here so nothing after the redirect runs
    }
    elseif($type=='a') {
        $_SESSION['Admin'] = $type;
        header("location: admin.php");
        exit;
    }
}
else
{
    echo "Wrong username or password";
}
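The following is an added example, not code from the question or from the answer above. It runs the answer's query pattern against an in-memory SQLite database (the page uses MySQL; the SQL used here is valid in both) to show two things: concatenating form input into the SQL string still lets someone without a password log in, and letting the form choose $type lets any logged-in user pick admin.php. The table, rows and payload are constructed for the demo.

```php
<?php
// Added example, not from the question or the answers: demonstrates why the
// query above is still exploitable. Uses an in-memory SQLite database so it
// runs stand-alone; the table and rows are constructed for the demo.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$db->exec("CREATE TABLE users_tbl (username TEXT, password TEXT, type TEXT)");
$db->exec("INSERT INTO users_tbl VALUES ('alice', 's3cret', 'admin'), ('bob', 'hunter2', 'parent')");

// Same shape as the answer: values dropped straight into the query string.
function countVulnerable(PDO $db, string $uname, string $pwd): int
{
    $sql = "SELECT * FROM users_tbl WHERE username='$uname' AND password='$pwd'";
    return count($db->query($sql)->fetchAll());
}

// Parameterised query: the input is bound as data and never parsed as SQL.
function countPrepared(PDO $db, string $uname, string $pwd): int
{
    $stmt = $db->prepare("SELECT * FROM users_tbl WHERE username = :u AND password = :p");
    $stmt->execute([':u' => $uname, ':p' => $pwd]);
    return count($stmt->fetchAll());
}

// Reproduces the answer's redirect decision: $count > 0 plus a form-supplied type.
function redirectTarget(int $count, string $formType): ?string
{
    if ($count <= 0) {
        return null; // "Wrong username or password"
    }
    return $formType === 'a' ? 'admin.php' : ($formType === 'p' ? 'parent.php' : null);
}

// 1. A tautology in the password field turns the WHERE clause into
//    (username='alice' AND password='') OR '1'='1', which matches every row.
$payload = "' OR '1'='1";
$vuln = countVulnerable($db, 'alice', $payload);
$safe = countPrepared($db, 'alice', $payload);
printf("interpolated query: %d row(s); prepared statement: %d row(s)\n", $vuln, $safe);
printf("attacker without a password lands on: %s\n", redirectTarget($vuln, 'a') ?? 'login form');

// 2. Even with real credentials the role is whatever the browser sends:
//    bob is a parent in the table but submits type=a.
$bob = countPrepared($db, 'bob', 'hunter2');
printf("bob (parent) submitting type=a lands on: %s\n", redirectTarget($bob, 'a') ?? 'login form');
```

Run it with `php` on the command line. The interpolated query matches both rows for the quote payload while the prepared statement matches none, and in the second case bob reaches admin.php with a valid parent login because the answer's code trusts `$_POST['type']`. The fix for the second problem is to read the role from the row the query returns rather than from the form, as the PDO answer further down does.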
Here are a few solutions. You are not checking whether "cout" is > 0 (meaning a matching row was found)!
mysql_ driver
Here is the solution for your driver (mysql_):
<?php
session_start();
require("conection/connect.php");
$msg = "";
if(isset($_POST['btn_log'])){
    if(isset($_POST['unametxt'], $_POST['pwdtxt'], $_POST['type'])) {
        $uname = mysql_real_escape_string($_POST['unametxt']);
        $pwd = mysql_real_escape_string($_POST['pwdtxt']);
        $type = mysql_real_escape_string($_POST['type']);
        $sql = mysql_query("SELECT * FROM users_tbl WHERE username = '$uname' AND password = '$pwd' AND type = '$type'");
        $cout = mysql_num_rows($sql);
        if($cout > 0){
            $_SESSION['type'] = $type;
            if($type == "parent")
                header("location: parent.php");
            else if($type == "admin")
                header("location: admin.php");
            exit();
        }
        else {
            $msg = "Wrong username or password"; // no match: stay on the login page
        }
    }
}
PDO version
The mysql_ driver is deprecated and PDO should be used instead, so I also wrote the script for the PDO driver:
<?php
session_start();
require("connection/connect.php"); // PDO connection returned by connect()
$db = connect();
// Function to log a user in
function login($db, $uname, $password){
    $req = $db->prepare("SELECT * FROM users_tbl WHERE username = :username AND password = :password");
    $req->bindParam(":username", $uname, PDO::PARAM_STR);
    $req->bindParam(":password", $password, PDO::PARAM_STR);
    $req->execute();
    $user = $req->fetch();
    if(isset($user['username'])){
        unset($user['password']); // never keep the password in the session
        $_SESSION['user'] = $user; // store all user data (including type!)
        return true;
    }
    return false; // login failed
}
// logic to handle the login form
if(isset($_POST['btn_log'], $_POST['unametxt'], $_POST['pwdtxt'], $_POST['type'])){
    if(login($db, $_POST['unametxt'], $_POST['pwdtxt'])){
        if(isset($_SESSION['user']['type']) AND $_SESSION['user']['type'] == "admin")
            header("location: admin.php");
        else
            header("location: parent.php");
        exit();
    }
    else
        echo "A problem occurred!";
}
connect.php (PDO)
<?php
define("SQL_USER", "root"); // user
define("SQL_HOST", "localhost"); // host
define("SQL_PASS", ""); // password
define("SQL_DBNAME", ""); // db name
function connect(){
    try {
        $pdo_options[PDO::ATTR_ERRMODE] = PDO::ERRMODE_EXCEPTION;
        $pdo_options[PDO::ATTR_DEFAULT_FETCH_MODE] = PDO::FETCH_ASSOC;
        return new PDO('mysql:host='.SQL_HOST.';dbname='.SQL_DBNAME, SQL_USER, SQL_PASS, $pdo_options);
    }
    catch (PDOException $e){
        die("Error connecting to database");
    }
}
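The PDO answer above fixes the injection and takes the role from the database row, but it still compares the password in plaintext inside the query and keeps the session id from before login. The following is an added example, not part of that answer, showing the remaining steps: storing password_hash() digests and checking them with password_verify(), mapping the stored role to a landing page, regenerating the session id on success and keeping the hash out of the session. It runs stand-alone against an in-memory SQLite database with constructed rows; the column names, the landing-page map and teacher.php are assumptions.

```php
<?php
// Added example, not code from the answer above. Assumptions: the users_tbl
// columns below, the landing-page map, and teacher.php (the question mentions
// teachers but no page). Runs stand-alone against an in-memory SQLite database.
declare(strict_types=1);

const LANDING_PAGES = ['admin' => 'admin.php', 'parent' => 'parent.php', 'teacher' => 'teacher.php'];

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $db->exec("CREATE TABLE users_tbl (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, type TEXT)");
    // Constructed rows; passwords are stored as password_hash() digests, never plaintext.
    $ins = $db->prepare("INSERT INTO users_tbl (username, password, type) VALUES (:u, :p, :t)");
    foreach ([['alice', 's3cret', 'admin'], ['bob', 'hunter2', 'parent']] as [$u, $p, $t]) {
        $ins->execute([':u' => $u, ':p' => password_hash($p, PASSWORD_DEFAULT), ':t' => $t]);
    }
    return $db;
}

/** Returns [id, username, type] on success, null on failure. */
function login(PDO $db, string $uname, string $pwd): ?array
{
    // Look the user up by name only; the password is checked in PHP, not in SQL.
    $stmt = $db->prepare("SELECT id, username, password, type FROM users_tbl WHERE username = :u");
    $stmt->execute([':u' => $uname]);
    $user = $stmt->fetch();

    // Verify against a throwaway hash when the user does not exist so that
    // response time does not reveal which usernames are valid.
    $hash = $user === false ? password_hash('no-such-user', PASSWORD_DEFAULT) : $user['password'];
    $ok = password_verify($pwd, $hash);
    if ($user === false || !$ok) {
        return null;
    }
    // The role comes from the row, never from the form.
    return ['id' => $user['id'], 'username' => $user['username'], 'type' => $user['type']];
}

function landingPage(string $type): string
{
    // Unknown roles fall back to the login page rather than to any privileged page.
    return LANDING_PAGES[$type] ?? 'login.php';
}

if (PHP_SAPI === 'cli') {
    // Self-check when run from the command line.
    $db = openDemoDb();
    foreach ([['bob', 'hunter2'], ['bob', 'wrong'], ["' OR '1'='1", 'x']] as [$u, $p]) {
        $user = login($db, $u, $p);
        printf("%-12s -> %s\n", $u, $user === null ? 'rejected' : landingPage($user['type']));
    }
} else {
    // Form handling, replacing the block at the bottom of the answer above.
    session_start();
    $db  = openDemoDb();
    $msg = '';
    if (isset($_POST['btn_log'], $_POST['unametxt'], $_POST['pwdtxt'])) {
        $user = login($db, (string) $_POST['unametxt'], (string) $_POST['pwdtxt']);
        if ($user === null) {
            $msg = 'Wrong username or password';
        } else {
            session_regenerate_id(true);  // new session id after login (session fixation)
            $_SESSION['user'] = $user;    // id, username and type only; no password hash
            header('Location: ' . landingPage($user['type']));
            exit;
        }
    }
}
```

Run it with `php` from the command line to see bob accepted to parent.php and the wrong-password and quote-payload attempts rejected. Note that `$_POST['type']` is no longer read at all: the form cannot choose the role, and admin.php and parent.php should still check `$_SESSION['user']['type']` themselves, since a redirect is only a hint to the browser. The dummy `password_hash()` call on a missing user costs one hash computation per failed attempt; in production precompute that hash once rather than on every request.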