我正在尝试开发一个客户和管理员都可以登录的登录系统。客户将被发送回索引,管理员将被发送到控制面板。我的数据库中有一个用户表。这里有一个定义用户的级别;客户级别 = 1,管理员级别 = 0。
我是PHP的新手,一直在互联网上寻找答案。我找到了我需要的两个版本。我不是 100% 确定它们是正确的,哪个是最好的。
示例 1:
//indicate that sessions are to be used or started
session_start();
// Define $myusername and $mypassword from the form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// Query
$result= $dbh->query("SELECT * FROM users WHERE username='$myusername' AND password='$mypassword';");
// Mysql_num_row is counting table row
$count = $result->rowCount();
// Determine if user is "user" or "admin"
$userlevel = mysqli_query($con,"SELECT level FROM users WHERE username='$myusername';");
$level = mysql_fetch_row($userlevel);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1) {
// Start session, register $myusername, $mypassword and redirect to login_success.php
session_start();
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;
$_SESSION['level'] = $level;
// Redirect to appropriate page depending on user rights. Indicator 0 for user, 1 for admin.
if($_SESSION['level'] == 0)
{
//Admin Login
header("location:../php/admin.php");
}
if ($_SESSION['level']) == 1)
{
//Customer login
header("location:../login_success.php");
}
//flush the output buffer
ob_end_flush();
?>
示例 2:
// Define $myusername and $mypassword from the form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$sql="SELECT * FROM users WHERE username='$myusername' and password='$mypassword' and level== '0'";
if($count==1){
$_SESSION["username"] = $username;
$_SESSION["password"] = $password;
$info = mysql_fetch_array($result);
if ($info['level'] == 0) {
header("location:../php/admin.php");
}
else
header("location:../index.html");
}
}
else {
echo "Incorrect password";
}
?>
任何帮助将不胜感激。
两段代码的工作方式相同。第二个代码块看起来干净得多。
但是,还有其他问题,您的查询对注入的保护为 0。如今,将PDO用于数据库连接是一种很好的做法。
http://au2.php.net/manual/en/class.pdo.php
此外,虽然标题很好,但您需要检查管理页面以确保它们是管理员。并确保对他们的密码进行哈希处理并与哈希进行比较。也不要在会话中存储密码。
http://us2.php.net/manual/en/function.hash.php
公平地说,第二个似乎要好得多,我在学校学习时修改了一些旧东西,所以这很可能不是最好的方法,但如果你想从中得到任何东西,它确实有效。
(正如上面那个家伙所说 - 在数据库中使用它们之前,一定要对值进行一些验证)
$username=$_POST['myusername'];
$password=$_POST['mypassword'];
#very simple checks
if(!preg_match("#^[A-Za-z0-9_ ]*$#",$username) or !preg_match("#^[A-Za-z0-9 _.,'-'@]*$#",$password)){
$fail="No matching records found";
}
else if(empty($username) or empty($password)){
$fail="All fields are required";
}
else{
#search for user
$sql="SELECT * FROM Users WHERE Username='".$username."' AND Password ='".$password."'";
$result = mysql_query($sql);
$num = mysql_numrows($result);
if($num==1){
#get values
while ($login = mysql_fetch_row($result, MYSQL_BOTH)) {
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
if($row['level'])==0){
$_SESSION['admin'] = True;
header("location:../php/admin.php");
}
else{
$_SESSION['admin'] = False;
header("location:../login_success.php");
}
}
}
else{
$fail = "No matching records found";
}
}