我只是新的PHP,几个星期自自学,使各种项目来学习如何做的事情......PHP会话(用户/管理员)的用户级别
我目前正在由基础工程的... 指数(登录页) 寄存器 家(用户级) 管理(管理水平) 注销 DBCONNECT
我有我的数据库列名为用户级0为默认,我将改变1用于管理帐户....
目前,任何登录用户都可以访问home.php页面,因为会话变量是'user',所以只要任何用户登录,他们就会返回home.php,否则返回索引如果登录无效....就像我说的我很新的PHP,并且今天才开始学习会话,所以它有点压倒性的...基本上我只是从家里粘贴相同的页面到管理员开始编辑会话的详细信息,以便它会只允许用户与用户级1访问管理别人回到指数....我的相关网页代码如下.....
的index.php(登录页)
<?php
\t ob_start();
\t session_start();
\t require_once 'dbconnect.php';
\t
\t // it will never let you open index(login) page if session is set
\t if (isset($_SESSION['user'])!="") {
\t \t header("Location: home.php");
\t \t exit;
\t }
\t
\t $error = false;
\t
\t if(isset($_POST['btn-login'])) { \t
\t \t
\t \t // prevent sql injections/ clear user invalid inputs
\t \t $email = trim($_POST['email']);
\t \t $email = strip_tags($email);
\t \t $email = htmlspecialchars($email);
\t \t
\t \t $pass = trim($_POST['pass']);
\t \t $pass = strip_tags($pass);
\t \t $pass = htmlspecialchars($pass);
\t \t // prevent sql injections/clear user invalid inputs
\t \t
\t \t if(empty($email)){
\t \t \t $error = true;
\t \t \t $emailError = "Please enter your email address.";
\t \t } else if (!filter_var($email,FILTER_VALIDATE_EMAIL)) {
\t \t \t $error = true;
\t \t \t $emailError = "Please enter valid email address.";
\t \t }
\t \t
\t \t if(empty($pass)){
\t \t \t $error = true;
\t \t \t $passError = "Please enter your password.";
\t \t }
\t \t
\t \t // if there's no error, continue to login
\t \t if (!$error) {
\t \t \t
\t \t \t $password = hash('sha256', $pass); // password hashing using SHA256
\t \t
\t \t \t $res=mysql_query("SELECT id, fname, pass FROM project WHERE email='$email'");
\t \t \t $row=mysql_fetch_array($res);
\t \t \t $count = mysql_num_rows($res); // if uname/pass correct it returns must be 1 row
\t \t \t
\t \t \t if($count == 1 && $row['pass']==$password) {
\t \t \t \t $_SESSION['user'] = $row['id']; \t
\t \t \t \t header("Location: home.php");
\t \t \t } else {
\t \t \t \t $errMSG = "Incorrect Credentials, Try again...";
\t \t \t }
\t \t \t \t
\t \t }
\t \t
\t }
?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Sign In</title>
</head>
<body>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" autocomplete="off">
<input type="email" name="email" placeholder="Enter Your Email" value="<?php echo $email; ?>" maxlength="40" />
<?php echo $emailError; ?><br>
<br>
<input type="password" name="pass" placeholder="Enter Your Password" maxlength="15" />
<?php echo $passError; ?><br>
<br>
<button type="submit" name="btn-login">Sign In</button><br>
<br>
<br>
<a href="register.php">Register</a> <a href="index.php">Sign in</a> <a href="admin.php">Admin</a>
<br>
<?php
if (isset($errMSG)) {
?>
<?php echo $errMSG; ?>
<?php
}
?>
</body>
</html>
<?php ob_end_flush(); ?>
home.php
<?php
\t ob_start();
\t session_start();
\t require_once 'dbconnect.php';
\t
\t // if session is not set this will redirect to login page
\t if(!isset($_SESSION['user'])) {
\t \t header("Location: index.php");
\t \t exit;
\t }
\t // select loggedin users detail
\t $res=mysql_query("SELECT * FROM project WHERE id=".$_SESSION['user']);
\t $userRow=mysql_fetch_array($res);
\t
?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Welcome - <?php echo $userRow['fname']; ?></title>
</head>
<body>
Hello <?php echo $userRow['fname']; ?> you are sucessfully logged in!
<br>Your last name is <?php echo $userRow['lname']; ?>
<br>Your email address is <?php echo $userRow['email']; ?>
<br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br>
<a href="logout.php?logout"></span>Sign Out</a></li>
<br>
<br>
<a href="register.php">Register</a> <a href="index.php">Sign in</a> <a href="admin.php">Admin</a>
</body>
</html>
<?php ob_end_flush(); ?>
admin.php的
<?php
\t ob_start();
\t session_start();
\t require_once 'dbconnect.php';
\t
\t
\t // if session is not set this will redirect to login page
\t if(!isset($_SESSION['user'])) {
\t \t header("Location: index.php");
\t \t exit;
\t }
\t // select loggedin users detail
\t $res=mysql_query("SELECT * FROM project WHERE id=".$_SESSION['user']);
\t $userRow=mysql_fetch_array($res);
\t
?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Welcome - <?php echo $userRow['fname']; ?></title>
</head>
<body>
Hello <?php echo $userRow['fname']; ?> you are sucessfully logged in!
<br>Your last name is <?php echo $userRow['lname']; ?>
<br>Your email address is <?php echo $userRow['email']; ?>
<br><br><br><br><br><br><br><br><br><br>
<h1><?php echo $userRow['userlevel']; ?></h1>
<br><br><br><br><br><br><br><br><br><br>
<a href="logout.php?logout"></span>Sign Out</a></li>
<br>
<br>
<a href="register.php">Register</a> <a href="index.php">Sign in</a> <a href="admin.php">Admin</a>
</body>
</html>
<?php ob_end_flush(); ?>
如果有人能告诉我如何使会话查找到用户级行数据库拉存储的信息(0或1为用户或admin)以及如何相应地修改index.php(登录)页面,以及如何编辑admin.php以仅允许具有userlevel 1的登录用户查看页面?
很抱歉,如果这是含糊不清或所有的地方,我仍然只有找出新的东西,每天
感谢
如果您保存用户ID在Cookie中,如果ID是可以预见的话,我可能会成为只是改变了我的Cookie进行任何用户。因为这个原因,而不是存储用户ID,您通常会存储一些大的随机会话ID。 – Bemmu
注意,你会想停止使用'mysql_ *'库。它从PHP 7中删除,并被某些版本的PHP5 *弃用(尽管我不记得哪个版本的PHP5,它是无关紧要的)*。查看使用绑定参数切换到'mysqli_ *'或'PDO'以避免数据库操作/销毁。 – Rasclatt