[英]User-role based login always redirect to the same page
I want to redirect users to different page based on their role using PHP. 我想根据用户使用PHP的角色将其重定向到其他页面。 But, the problem is, whoever the user, they'll always redirected to the same page (page where the first if-statement referred).
但是,问题是,无论用户是谁,他们总是将重定向到同一页面(第一个if语句所引用的页面)。
here's the code 这是代码
<?php
include("config.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST") {
$myusername = mysqli_real_escape_string($db,$_POST['username']);
$mypassword = mysqli_real_escape_string($db,$_POST['password']);
$sql = "SELECT * FROM user WHERE username = '$myusername' and password = '$mypassword'";
$result = mysqli_query($db,$sql);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$active = isset($row['active']);
$count = mysqli_num_rows($result);
$role = isset($row['role']);
if($role == 'admin'){
$link = 'admin.php';
}
elseif($role == 'user'){
$link = 'user.php';
}
elseif($role == 'expert'){
$link = 'expert.php';
}
else{
$link = '404.php';
}
if($count == 1) {
$_SESSION['username'] = $myusername;
header("Location: ".$link."");
exit();
}else {
$error = "Your Login Name or Password is invalid";
}
}
?>
So, if i replace admin.php on the first if statement with another page, the users will be redirected there. 因此,如果我用另一个页面替换第一个if语句上的admin.php,用户将被重定向到该页面。 I've followed solutions from different case, but it didnt work.
我已经从不同的案例中遵循了解决方案,但是没有成功。
This line 这条线
$role = isset($row['role']);
Sets $role
to true
or possibly false
but it definitely does not set it to the contents of $row['role']
将
$role
设置$role
true
或可能为false
但绝对不会将其设置为$row['role']
I would suggest removing that line completely it is not necessary as your if/elseif/else covers all the possible options quite nicely. 我建议您完全删除该行,因为您的if / elseif / else很好地涵盖了所有可能的选项。
It is also totally unnecesary to move a value from the $row
array into a scalar variable so this would be simpler 将值从
$row
数组移到标量变量中也是完全不必要的,这样会更简单
//$role = isset($row['role']);
if($row['role'] == 'admin'){
$link = 'admin.php';
} elseif($row['role'] == 'user'){
$link = 'user.php';
} elseif($row['role'] == 'expert'){
$link = 'expert.php';
} else{
$link = '404.php';
}
Unfortunately I have to mention that: Your script is at risk of SQL Injection Attack Have a look at what happened to Little Bobby Tables Even if you are escaping inputs, its not safe!
不幸的是,我不得不提到:您的脚本有遭受SQL注入攻击的风险。看看Little Bobby Tables发生了什么,即使您转义了输入,也不安全! Use prepared parameterized statements
使用准备好的参数化语句
It is also very dangerous storing plain text password on your database.
将纯文本密码存储在数据库中也是非常危险的。 The most likely attack vector on your database is internal staff.
数据库上最可能的攻击媒介是内部人员。 Therefore all passwords shoudl be HASHED.
因此,所有密码都应哈希。 PHP provides
password_hash()
andpassword_verify()
please use them.PHP提供
password_hash()
和password_verify()
请使用它们。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.