为我在 PHP 中的登录添加另一个'role'



我有一个登录"系统",它有"用户"和"管理员"两种角色:用户会被定向到功能有限的网站,管理员则会被定向到一个单独的网页,这都工作正常。但我想再添加一个"角色"。这是我的源代码:

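// Attempt login only when the form produced no validation errors.
// Expects in scope: $errors (array), $db (mysqli link), $username and $password (raw form input).
// On success stores the user row in $_SESSION['user'] and redirects by role; on failure appends to $errors.
if (count($errors) === 0) {
    // NOTE(review): md5() is not a password hash. It is kept only because the existing
    // `users.password` column stores md5 digests; migrate to password_hash()/password_verify().
    $password_hash = md5($password);

    // Look the user up by username only, with a bound parameter: the form value is never
    // interpolated into the SQL text, so quotes in it cannot change the query.
    $logged_in_user = null;
    $stmt = mysqli_prepare($db, "SELECT * FROM users WHERE username = ? LIMIT 1");
    if ($stmt !== false) {
        mysqli_stmt_bind_param($stmt, 's', $username);
        mysqli_stmt_execute($stmt);
        $results = mysqli_stmt_get_result($stmt);
        if ($results !== false) {
            $logged_in_user = mysqli_fetch_assoc($results); // null when no row matched
        }
        mysqli_stmt_close($stmt);
    }

    // Compare the digest in PHP, in constant time, instead of letting the database match
    // the password column as part of the WHERE clause.
    if (is_array($logged_in_user) && hash_equals((string) $logged_in_user['password'], $password_hash)) {
        // Nothing downstream needs the digest; keep it out of the session.
        unset($logged_in_user['password']);
        $_SESSION['user'] = $logged_in_user;
        $_SESSION['success'] = "You are now logged in";
        // check if user is admin or user
        if ($logged_in_user['user_type'] === 'admin') {
            header('location: admin/home.php');
        } else {
            header('location: index.php');
        }
        // Stop here: without exit the rest of the page would still execute after the redirect header.
        exit;
    } else {
        // One message for both "no such user" and "wrong password", so the response
        // does not confirm which usernames exist.
        array_push($errors, "Wrong username/password combination");
    }
}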

谢谢!

/* Somewhere else in your lib functions. */
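/**
 * Validate a submitted username before it is used in a database lookup.
 *
 * @param mixed $username  Raw username from the login form (cast to string).
 * @param int   $maxLength Exclusive upper bound on the byte length; 32 matches the original check.
 * @return bool true when the username is non-empty and shorter than $maxLength.
 */
function checkUsername($username, $maxLength = 32)
{
    $name = (string) $username;

    // An empty username can never match an account; reject it before any query is run.
    if ($name === '') {
        return false;
    }

    // Byte length on purpose: it bounds what reaches the query regardless of encoding.
    if (strlen($name) >= $maxLength) {
        return false;
    }

    // Others tests ... (for example an allow-list of characters) would go here.
    return true;
}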
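if (count($errors) === 0) {
    /*
     * Login flow (expects $errors, $db, $username, $password in scope):
     *  1. validate the username shape before touching the database;
     *  2. look the user up by username only, with a bound parameter — no string-built SQL
     *     and no escaping by hand;
     *  3. compare the password in PHP, in constant time;
     *  4. store the row (minus the digest) in the session and redirect by role.
     * md5() is not a password hash; it is kept only because the existing `users.password`
     * column stores md5 digests. Migrate to password_hash()/password_verify().
     * `SELECT *` is kept because later pages may read columns from $_SESSION['user'] that are
     * not visible here; narrow it to the columns actually consumed once those are known.
     */
    if (checkUsername($username)) {
        $logged_in_user = null;
        $stmt = mysqli_prepare($db, 'SELECT * FROM users WHERE username = ? LIMIT 1');
        if ($stmt !== false) {
            mysqli_stmt_bind_param($stmt, 's', $username);
            mysqli_stmt_execute($stmt);
            $results = mysqli_stmt_get_result($stmt);
            if ($results !== false) {
                $logged_in_user = mysqli_fetch_assoc($results); // null when no row matched
            }
            mysqli_stmt_close($stmt);
        }

        if (is_array($logged_in_user)) { // user found
            /* Check the password here. TODO: use other hash than md5() */
            if (hash_equals((string) $logged_in_user['password'], md5($password))) {
                // Nothing downstream needs the digest; keep it out of the session.
                unset($logged_in_user['password']);
                $_SESSION['user'] = $logged_in_user;
                $_SESSION['success'] = "You are now logged in";

                /* One landing page per role: add a new role by adding one entry here.
                 * Roles without an entry fall back to the regular index page. */
                $landing_pages = [
                    'admin'       => 'admin/home.php',
                    'my_new_role' => 'admin/new_role_index.php',
                    // 'whatever' => 'whatever/index.php', // for another role
                ];
                $user_type = isset($logged_in_user['user_type']) ? $logged_in_user['user_type'] : '';
                $location = isset($landing_pages[$user_type]) ? $landing_pages[$user_type] : 'index.php';
                header('location: ' . $location);

                /* Always interrupt your script when you are doing a redirection,
                 * to prevent some code below to continue the execution. */
                exit(0);
            } else {
                // NOTE(review): this message differs from the "Unknown user" one below, so a
                // response confirms whether a username exists; a single shared message avoids that.
                array_push($errors, "Wrong password !");
            }
        } else {
            array_push($errors, "Unknown user !");
        }
    } else {
        array_push($errors, "Invalid username !");
    }
}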
