douba05167 2016-10-02 20:03
浏览 32
已采纳

布尔SQL和PHP验证

I have a column in a table (users) called admin and its datatype is boolean. Two users are set to "true"

My objective is when those two log in, they have acess to the back office, but so far the code isn't working:

   <?php

    session_start();

    $error="";
    $successMessage="";



    if ($_POST){
    if(!isset($_POST["salada"]) || $_POST["salada"]===""){
    $error = "PHP: An email is required <br>";
    }



    if(!isset($_POST["arroz"]) || $_POST["arroz"]===""){
    $error .= "PHP: A password is required";
    }

    if ($error !=""){
    $error = '<div class="error-login">'.$error.'</div>';


    }else {

    require("MGconfig.php");


    $email = mysqli_real_escape_string($connection, $_POST["salada"]);
    $pwd = md5(mysqli_real_escape_string($connection, $_POST["arroz"]));


    $result = mysqli_query($connection, "select name, id from users where     email = '".$email."' and password = '".$pwd."'");


    if (mysqli_num_rows($result) !==1){
        $error='<div class="error-login">PHP: Invalid email or   password</div>';
        header("Location:index.php?error=".$error);

    }else {

            $nome = mysqli_fetch_row($result);

            $_SESSION["name"] = $nome[0];
            $_SESSION["id"]=$nome[1];



            header ("Location: main.php");
        }
      }


    }

   ?>

 <?php

  if($_SESSION['admin'] !=0){

        header ("Location:admin.php");       
    }?>

Can someone tell me why isnt working? Is Syntax? If I compara the field "name", the restriction works...Thanks in advance!

  • 写回答

1条回答 默认 最新

  • dongshanni1611 2016-10-02 20:59
    关注

    The problem is, you haven't selected admin column in the SELECT query, you have only selected id and name columns. Plus, there's nowhere you're checking whether the logged in user is admin or not.

    So the solution is, select the admin column in your SELECT query and make use of that column value to check whether the logged in user is admin or not, like this:

    // your code
    
    $result = mysqli_query($connection, "select name, id, admin from users where email = '".$email."' and password = '".$pwd."'");
    
    if (mysqli_num_rows($result) !== 1){
        $error='<div class="error-login">PHP: Invalid email or   password</div>';
        header("Location:index.php?error=".$error);
    }else{
        $nome = mysqli_fetch_row($result);
        $_SESSION["name"] = $nome[0];
        $_SESSION["id"] = $nome[1];
        if($nome[2]){
            // logged in user is admin
            $_SESSION["admin"] = true;
        }else{
            // logged in user is not admin
            $_SESSION["admin"] = false;
        }
        header ("Location: main.php");
        exit();
    }
    
    // your code
    

    Sidenote: Learn about prepared statements because right now your query is susceptible to SQL injection. Also see how you can prevent SQL injection in PHP.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 display:none;样式在嵌套结构中的已设置了display样式的元素上不起作用?
  • ¥15 arduino控制ps2手柄一直报错
  • ¥15 使用rabbitMQ 消息队列作为url源进行多线程爬取时,总有几个url没有处理的问题。
  • ¥15 求chat4.0解答一道线性规划题,用lingo编程运行,第一问要求写出数学模型和lingo语言编程模型,第二问第三问解答就行,我的ddl要到了谁来求了
  • ¥15 Ubuntu在安装序列比对软件STAR时出现报错如何解决
  • ¥50 树莓派安卓APK系统签名
  • ¥65 汇编语言除法溢出问题
  • ¥15 Visual Studio问题
  • ¥20 求一个html代码,有偿
  • ¥100 关于使用MATLAB中copularnd函数的问题