drsqpko5286 2016-10-29 13:23 Acceptance rate: 0%
Views: 52
Accepted

php - Login redirect to the same page, static but with different roles

After doing my SQL Schema (Different types of users redirected to same page (index.php) with different content), I'm starting to make my login system. I now have this:

function login($email,$password){

    $mysqli = $this->dbConnect();
    if($mysqli){

        $strQuery = "SELECT USERS.ID, USERS.EMAIL, TYPES.NAME FROM `USERS` LEFT JOIN `TYPES` ON USERS.TYPEID = TYPES.ID WHERE `EMAIL` = '$email' AND `PASSWORD` = '$password'";
        $recordSet = $mysqli->query($strQuery);
        $row = $recordSet->fetch_assoc(); // same variable name as above ($recordSet, not $recordset)
        if($recordSet->num_rows>0){
            $_SESSION['auth'] = $row['ID'];
            $_SESSION['username'] = $row['EMAIL'];
            $_SESSION['type'] = $row['NAME'];
            header("Location: index.php"); // quoting fixed: one string literal
            return true;
        }
        //....
    }

}

Does this look good? Is the query right? Any suggestions for improvement?

UPDATE

I have my login working now. And it's redirecting to index.php. But in index.php I don't have access to the $_SESSION variables I have stored in my function login. Is there any problem with the attributions? Is placing the header inside the function not good? Thanks :)


1 answer

  • duanmie9741 2016-10-29 14:05

    I summarized the previous comments.

    1. Issue: you didn't use the same variables

    function login($email,$password){ and $strQuery = " ... WHERE EMAIL = '$email' AND PASSWORD = '$password'";

    2. Recommendation: use the same naming convention

    In your SQL request you used two ways to refer to fields: USERS.EMAIL and `EMAIL` = (with backticks around). Use the same one. This will be easier later on and for debugging.

    i.e.: of course, you don't have to use table.field each time. It is not mandatory, for example, if you have only one table OR if the field names are not shared between tables. For my personal usage, I always use table.field. This will prevent any future issue :)

    3. Protect your data from any injection

    Example:

    $post_email = isset($_POST['email']) ? htmlspecialchars($_POST['email']) : null;
    

    Then call

    $this->login($post_email, ...)
    

    And finally use something like this to protect your data:

    $email = $mysqli->real_escape_string($email);
    

    and you are ready for your request:

    " SELECT [..] FROM users as u [...] WHERE u.email = '$email' "
    

    4. Or use specific functions

    Example (real_escape_string not needed anymore):

    $stmt = $dbConnection->prepare('SELECT * FROM users WHERE email = ? AND password = ?');
    $stmt->bind_param('ss', $email, $password); // all placeholders are bound in a single call
    
    $stmt->execute();
    
    $result = $stmt->get_result();
    while ($row = $result->fetch_assoc()) {
        // do something with $row
    }
    

    http://php.net/manual/fr/class.mysqli.php

    5. Sessions

    If you want to activate sessions on a specific page, the first statement (on the first line) should be session_start().

    Calling this function activates the session and loads the $_SESSION variable with its content.

    <?php // index.php
    session_start(); // first line
    
    // ... code
    var_dump($_SESSION);
    ?>
    

    &

    <?php // page.php
    session_start(); // first line
    
    // ... code
    $_SESSION['test'] = time();
    Header('Location: index.php');
    ?>
    
    1. Visit index.php -> nothing on the debug
    2. Visit page.php -> you will be redirected on index.php
    3. On index.php -> you will have data

    Enjoy session :p

    6. Handle specific data

    To begin with, you should choose a way to store the access credentials (ACL) for each user. For example, store in the database values such as 100001, where each digit is a yes/no access flag for a specific action (binary access mode); another system is to store a level '1,2,3,4,5' ... or 'member,customer,admin, ...'. So many ways :)

    I will choose the USER.ACCESS = member|customer|admin solution

    On the login page

    // user successfully logged in
    $_SESSION['access'] = $row['access']; // member|customer|admin
    // Header('Location: index.php');
    

    On any page of your site:

    if( in_array($_SESSION['access'], ['member', 'admin']) ) {
      echo 'You are a member, you can see this part';
    }
    
    if( in_array($_SESSION['access'], ['customer', 'admin']) ) {
      echo 'You are a customer, you can see this part';
    }
    

    Or

    if( checkAccess() ) {
      echo 'Welcome user !';
    
      if( checkAccess(['member', 'customer']) ) {
        echo 'This is a section for member, customer or admin :)';
      }
    
      if( checkAccess('member') ) {
        echo 'You are a member, you can see this part';
      }
    
      if( checkAccess('customer') ) {
        echo 'You are a customer, you can see this part';
      }
    }
    
    function checkAccess($types = null) {
      if( !isset($_SESSION['access']) )
        return false; // not logged
    
      if( is_null($types) )
        return true; // if empty, only report whether the user is logged in.
    
      // admin always has access to all sections of the website
      // (array_merge, not +: with + the 'admin' entry at key 0 would be dropped)
      $hasAccess = in_array($_SESSION['access'], array_merge((array) $types, ['admin']));
      return $hasAccess; // user is logged in + has access, or not?
    }
    

    Of course, you can also use includes

    if( checkAccess('member') ) {
      include 'secret_page_for_member.php';
    }
    

    Or, at the beginning of the included page:

    <?php
    if( !checkAccess('admin') ) {
      return '403 - Not authorized';
      // die('403');
      // throw new Exception('403');
    }
    // your code
    ?>
    
    This answer was chosen as the best answer by the asker.
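Putting the answer's points together (prepared statement, session_start() before $_SESSION is used, role stored in the session, admin always allowed), as an added example that is not part of the original question or answer. The USERS/TYPES table and column names come from the question; $mysqli being an already-open connection and USERS.PASSWORD holding a password_hash() value instead of plaintext are assumptions made here.

```php
<?php
// Added example, not from the original post. Assumes the USERS/TYPES schema from
// the question and that USERS.PASSWORD stores a password_hash() value (assumption).
session_start(); // must run before $_SESSION is touched, on every page that uses it

function login(mysqli $mysqli, string $email, string $password): bool
{
    // Prepared statement: the email is bound as data, never spliced into the SQL text.
    $sql = 'SELECT USERS.ID, USERS.EMAIL, USERS.PASSWORD, TYPES.NAME
              FROM USERS LEFT JOIN TYPES ON USERS.TYPEID = TYPES.ID
             WHERE USERS.EMAIL = ?';
    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // null when no user matched
    $stmt->close();

    // password_verify() compares against the stored hash in constant time;
    // the null check gives the same "false" result for unknown e-mails.
    if ($row === null || !password_verify($password, $row['PASSWORD'])) {
        return false;
    }

    // Fresh session id on privilege change, so a pre-login id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['auth']     = (int) $row['ID'];
    $_SESSION['username'] = $row['EMAIL'];
    $_SESSION['access']   = $row['NAME']; // member|customer|admin, as in the answer
    return true;
}

// Role check from the answer, using array_merge() so 'admin' survives when
// $types also has numeric keys (the + operator would silently drop it).
function checkAccess($types = null): bool
{
    if (!isset($_SESSION['access'])) {
        return false; // not logged in
    }
    if ($types === null) {
        return true;  // only asks "is the user logged in?"
    }
    return in_array($_SESSION['access'], array_merge((array) $types, ['admin']), true);
}

// The redirect stays in the calling page: the function only reports success,
// and exit makes sure nothing is sent after the Location header.
if (login($mysqli, $_POST['email'] ?? '', $_POST['password'] ?? '')) {
    header('Location: index.php');
    exit;
}
```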
