根据角色从数据库登录

你好像忘了问一个问题。

如果您在用户表中存储电工或房主的角色，为什么要在登录时要求用户选择他们是否是电工?这毫无意义。只需执行login并根据从users表中检索到的角色重定向用户。

你当前的代码非常容易受到SQL注入的影响。当你需要在SQL中使用用户输入时，你应该使用准备好的语句。

请参阅password_hash()和password_verify()以获得更好的处理密码的方法。一个不加盐的MD5密码肯定是不够的。

下面的例子并不是一个完美的例子，但它处理了上面提到的问题。它使用PDO而不是mysqli，因为我发现它更直观。它假设您的users表至少具有以下结构—

CREATE TABLE `users` (
`id` INT UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT,
`email` VARCHAR(200) NOT NULL,
`password` CHAR(60) NOT NULL,
`role` ENUM('Electrician', 'Homeowner') NOT NULL,
UNIQUE INDEX `uq_user_email` (`email`)
);

<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
/* ENTER YOUR DB CREDS HERE */
$db_host = '';
$db_username = '';
$db_password = '';
$db_name = '';
$pdo = new PDO("mysql:dbname=$db_name;host=$db_host", $db_username, $db_password);
$errors = [];
$email = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
$password = filter_input(INPUT_POST, 'password', FILTER_DEFAULT);
// I am not sure why I have left this in, but it's still here
$role_1 = filter_input(INPUT_POST, 'type_1', FILTER_DEFAULT, ['options' => ['default' => 'Homeowner']]);
if (empty($email)) {
array_push($errors, 'Email is required');
}
if (empty($password)) {
array_push($errors, 'Password is required');
}
if (empty($errors)) {
// Here we are preparing and executing the statement.
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email');
$stmt->execute([':email' => $email]);
$result = $stmt->fetchAll(PDO::FETCH_OBJ);
if (count($result) === 1) {
$user = $result[0];
if (!password_verify($password, $user->password)) {
array_push($errors, 'Login failed! Please try again.');
} else {
// do other login stuff here, like writing the user to session
$_SESSION['user'] = $user;
// your redirects based on the role read from users table
if ($user->role === 'Homeowner'){
header('location: homeowner.php');
exit;
}
elseif ($user->role === 'Electrician') {
header('location: electrician.php');
exit;
}
}
} else {
array_push($errors, 'Login failed! Please try again.');
}
}
}
$errorStr = $errors ? '<div class="errors"><ul><li>' . implode('</li><li>', $errors) . '</li></ul></div>' : '';
?>
<!doctype html>
<html>
<head>
<style type="text/css">
label { display: block; }
div.errors { border: 1px solid red; }
</style>
</head>
<body>
<form method="post">
<label>
Email:
<input type="text" name="email" id="email" value="<?php echo $email; ?>">
</label>
<label>
Password:
<input type="password" name="password" id="password" value="">
</label>
<label class="selecttype"> Select if you're an Electrician
<input type="checkbox" name="type_1" value="Electrician">
<span class="checkmark"></span>
</label>
<input type="submit" name="submit" value="Login">
</form>
<?php echo $errorStr; ?>
</body>
</html>

这一小段代码是用来创建一个具有兼容密码哈希值的用户-

<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
/* ENTER YOUR DB CREDS HERE */
$db_host = '';
$db_username = '';
$db_password = '';
$db_name = '';
$pdo = new PDO("mysql:dbname=$db_name;host=$db_host", $db_username, $db_password);
$stmt = $pdo->prepare("INSERT INTO users (`email`, `password`, `role`) VALUES (?, ?, ?)");
$password = password_hash('mySup3R53cr3Tp455w0Rd', PASSWORD_BCRYPT, ['cost' => 12]);
$stmt->execute(['test@test.com', $password, 'Electrician']);