php 管理员和普通用户登录系统PHP MYSQL
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/23082240/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Admin and normal user login system PHP MYSQL
提问by ajm
I have some code which attempts to check whether a user is an admin or normal user, and then compares it against an SQL table to determine which page opens up (admin page vs normal user page).
我有一些代码尝试检查用户是管理员还是普通用户,然后将其与 SQL 表进行比较以确定打开哪个页面(管理页面与普通用户页面)。
if (isset($_POST['submit']))
{
$user = $_POST['user'];
$pass = $_POST['pass'];
$admin = $_POST['admin'];
if( $user == "" || $pass == "")
{
echo '<div id ="errormsg">Please fill in all fields</div>';
}
else
{
$query = mysqli_query($dbcon, "SELECT * FROM users WHERE username = '$user'
and password = '$pass' and admin = '$admin' ") or die ("Can't query the database");
$count = mysqli_num_rows($query);
if($count == 1)
{
if ($admin == 1)
{
$_SESSION['username'] = $user;
header("location: admin.php");
}
else if ($admin == 0)
{
$_SESSION['username'] = $user;
header("location: users.php");
}
else
{
echo '<div id="errormsg">No matches, try again</div>';
}
}
}
}
There are no errors, however the admin value doesn't seem to make a difference and by default opens 'users.php'everytime. The $admin is a checkbox with value '1' when checked, the logic being to check this value against the database. Can anyone help solve this issue?
没有错误,但是 admin 值似乎没有什么区别,默认情况下'users.php'每次都会打开。$admin 是一个复选框,选中时值为“1”,逻辑是根据数据库检查此值。任何人都可以帮助解决这个问题吗?
This is the html form:
这是 html 表单:
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
<fieldset>
<label class="login">Username:</label><input type="text" name="user" /><br />
<label class="login">Password:</label><input type="password" name="pass" /><br />
<label class="login">Admin?:</label><input type="checkbox" value="1" name="admin" /><br/>
<input type="submit" name="submit" value="Login" />
</fieldset>
</form
回答by phoops
The error is how you check if user is admin:
错误是您如何检查用户是否为管理员:
if ($admin == 1)
Replace this with:
将其替换为:
if (isset($admin))
Also, you need to exitor dieafter using header():
此外,您需要exit或die在使用之后header():
if (isset($admin))
{
$_SESSION['username'] = $user;
header("location: admin.php");
exit;
} else {
$_SESSION['username'] = $user;
header("location: users.php");
exit;
}
回答by shashank
Try this one with some correction in database query-
尝试在数据库查询中进行一些更正
$query = mysqli_query($dbcon, "SELECT * FROM users WHERE username = '".$user."'' and password = '".$pass."''") or die ("Can't query the database");
Hope it will help.
希望它会有所帮助。
回答by steve
Firstly, you need to have a read up on mysql escaping / best practices. Your script here is vulnerable to SQL injection. There are plenty of good resources online, or search SQL injection PHPon here, to help explain this to you if unsure.
首先,您需要阅读 mysql 转义/最佳实践。您这里的脚本容易受到 SQL 注入的影响。网上有很多很好的资源,或者在此处搜索SQL 注入 PHP,如果不确定,可以帮助向您解释这一点。
How is the $_POST['admin']value set, can you post an example of your form here?
I'm guessing that the value being sent in isn't matching your conditions above so this is likely to be the cause.
$_POST['admin']值是如何设置的,您可以在此处发布表单示例吗?我猜测发送的值与您上面的条件不匹配,因此这可能是原因。
It could be as simple as changing your if statement to be ===rather than ==, but to be sure I'd need to see your form's source core.
它可能就像将 if 语句更改为===而不是一样简单==,但要确保我需要查看表单的源代码核心。
