檢查用戶是否是管理員或不在PHP中

Question

我對PHP相當陌生，我試圖做我的學校任務，但老師只是說「谷歌它」，我認真找不到適合我的asnwer。

這裏是我的login.php（請原諒在其瑞典的音符，這些都是我的老師）

<?php //Start the Session 
session_start(); 
require('connect.php'); 
//3. If the form is submitted or not. 
//3.1 If the form is submitted 
if (isset($_POST['username']) and isset($_POST['password'])){ 
//Sätter form värderna i variabler 
$username = $_POST['username']; 
$password = $_POST['password']; 
//Kollar om variblerna redan finns i databasen 
$query = "SELECT * FROM `user` WHERE username='$username' and password='$password'"; 

$result = mysql_query($query) or die(mysql_error()); 
$count = mysql_num_rows($result); 
//Kollar om bägge värdena är likadana i databasen och sedan skapar sessionen om de är det. 
if ($count == 1){ 
$_SESSION['loggedin'] = 1; 
$_SESSION['username'] = $username; 
}else{ 
//3.1.3 Om värdena inte stämmer kommer ett fel medelande att skickas till användaren. 
echo "Invalid Login Credentials."; 
} 
} 
//Om han loggar in så skickas han vidare till protected.php 
if ($_SESSION['loggedin'] == 1) { 
header('Location: protected.php'); 
}else{ 
?> 

下面是你在（受保護的頁面），登錄後，所訪問的頁面

<?php 

    session_start(); 
    require('connect.php'); 
    // startar sessionen så att man kan använda session variablerna 
    // Inkluderar connect.php för att ansluta till databasen 


    if ($_SESSION['loggedin'] != 1) { 
     //Om loggedin är inte lika med 1 skickas han till första login sidan 

     header('Location: index.php'); 
     exit; 
    } 

?> 
<html> 
<head><title>Logged in!</title></head> 
<body>ASDSDFSDF<br><a href="logout.php">Log out</a><br> 
<?php 
    $sql = "SELECT admin FROM `user` WHERE username='$_SESSION['username']'"; 
    $result = mysql_query($sql); 
    $admin = mysql_fetch_array($result); 
    $_SESSION['admin'] = $admin['admin']; 
    if ($_SESSION['admin']) == 1 { 
    echo "You are an Admin!"; 
    }else{ 
    echo "You are a normal user"; 
    } 
?> 
</body> 
</html> 

我不明白這段代碼如何工作。 ：/

<?php 
     $sql = "SELECT admin FROM `user` WHERE username='$_SESSION['username']'"; 
     $result = mysql_query($sql); 
     $admin = mysql_fetch_array($result); 
     $_SESSION['admin'] = $admin['admin']; 
     if ($_SESSION['admin']) == 1 { 
     echo "You are an Admin!"; 
     }else{ 
     echo "You are a normal user"; 
     } 

Answer 1

試試這個代碼：

$sql = "SELECT admin FROM user WHERE username='".$_SESSION['username']."'"; // username='".$_SESSION['username']."'" instead username='$_SESSION['username']'"; 

$result = mysql_query($sql); 
$admin = mysql_fetch_array($result); 

$_SESSION['admin'] = $admin['admin']; 
if ($_SESSION['admin'] == 1) { // Be carefull you had if($_SESSION['admin']) == 1 { leaving "1" outside of the if 
echo "You are an Admin!"; 
}else{ 
echo "You are a normal user"; 
} 

注：告訴你的老師認爲是時候讓她停止教學mysql的，而是教的mysqli或PDO

Answer 2

不要擔心關於mysqli和其他評論，這段代碼對於學習目的來說工作得很好。這裏是一行一行的解釋：

$sql = "SELECT admin FROM `user` WHERE username='$_SESSION['username']'"; 
    $result = mysql_query($sql); 

執行一個sql查詢搜索用戶名存儲在會話['username']的用戶。它不會獲取所有列，只是管理列，它表示用戶是admin還是isnt。

$admin = mysql_fetch_array($result); 

這只是將sql結果加載到數組中。如果與存儲的用戶名的用戶被發現，這將是隻與一個布爾變量的數組：1或0

$_SESSION['admin'] = $admin['admin']; 

商店布爾變量到會話

if ($_SESSION['admin']) == 1 { 
     echo "You are an Admin!"; 
    }else{ 
     echo "You are a normal user"; 
    } 

打印操作的結果。

然而，有幾個警告。例如，如果用戶名不存在，會發生什麼情況。如果您收到一些錯誤，請嘗試打印所有內容併發送錯誤消息。

Answer 3

請再次檢查驗證碼：

$sql = "SELECT admin FROM `user` WHERE username='$_SESSION['username']'"; 

有可能2個錯誤的位置：

1. 不能插$ _SESSION在'「;
2. 在引用時，「$ _SESSION ['username']」應改爲「$ _SESSION [username]」;

總括來說，你可以使用下面的方法：

$sql = "SELECT admin FROM `user` WHERE username='".$_SESSION['username']."'"; 

通過這種方式，您可以保持有報價SQL的原始方法：

WHERE username='xxx' 

Answer 4

你的代碼是不是安全因爲：

• 您可以注射（mySql Injection）
• 您的密碼保存爲純文本

此外，我建議你使用MVC模式。

的login.php：

<?php 
session_start(); 
require("functions.php"); // file with your functions 

if ($_SESSION["logged"]) // if already logged, redirect to admin page 
    header("Location: ./admin.php"); 
else 
{ 
    if ($_SERVER["REQUEST_METHOD"] == "POST") 
    { 
     // logIn function in "functions.php" file, returns true if correctly logged 
     $login = logIn($_POST["user"], $_POST["password"]); 
     if ($login === true) 
     { 
      $_SESSION["logged"] = true; 
      header("Location: ./admin.php"); 
     } 
     else 
     { 
      // login failed, show error page 

      $error = $login; 
      // html code for header 
      require("templates/header.php"); 

      // html code for body that will display $error 
      require("templates/error_page.php"); 

      // html code for last part of the page 
      require("templates/footer.php"); 
     } 
    } 
    else 
    { 
     // No POST request, so the user must fill the form yet 

     require("templates/header.php"); 

     // Contains html code for login form 
     require("templates/login_form.php"); 

     require("templates/footer.php"); 
    } 
} 
?> 

的functions.php（文件用來存儲你的PHP函數）：

function logIn($username, $pass) 
{ 
    if ($username == "" || $pass == "") 
     return "Please, fill every text field."; 
    $pdo = connectToServer(); 

    $stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");  
    $stmt->execute(array("username" => $username)); 

    $fetch = $stmt->fetch(); 

    $numberRows = $stmt->rowCount(); 
    if ($numberRows > 0) 
    { 
     // user exists, check for password 
     $crypted = hash('ripemd160', $fetch["salt"] . $pass); 
     /* NOTE: you must have encrypted passwords in the same way 
      at the moment of signing up. 
      Without encryption (not recommendable) you can use: 
      $crypted = $pass; 
     */ 

     if ($crypted == $fetch["pass"]) 
     { 
      // Logged, do whatever you want and return true 
      return true; 
     } 
     else 
      return "You have inserted a wrong username or password"; 
    } 
    else 
     return "You have inserted a wrong username or password"; 
}