I'm developing a Knowledge Management System in PHP + MySQL, where I'm keeping staff and students in different tables. Now I'm facing some problems in session management.
I can access student_profile.php?id=1 if logged in as a student, but if I change the URL to staff_profile.php?id=1, I will be logged in as staff!
How do I solve this problem?
Also, can I put students and staff in the same table? Is there any issue?
You may set a different value (identity) for a session key when the user has logged in successfully.
In login.php
<?php
session_start();
// user_is_student() / user_is_staff() stand for the application's own
// credential check against the student and staff tables (not shown here)
if (user_is_student()) {
    $_SESSION["usertype"] = "student";
    ...
} elseif (user_is_staff()) {
    $_SESSION["usertype"] = "staff";
    ...
}
?>
In the staff and student profile pages, verify the value of the usertype key.
staff.php
<?php
session_start();
$validUser = false;
if (isset($_SESSION["usertype"]) && $_SESSION["usertype"] === "staff") {
    $validUser = true;
}
if (!$validUser) {
    header("Location: login.php");
    // stop here: without exit the rest of the page is still sent to the
    // client after the redirect header
    exit;
}
?>
It's perfectly OK to put students and staff in the same table, if they have similar attributes, that is. These would be considered subclasses of, say, a "user". But what you are talking about is more authorization. So you first need to verify whether the user is a student or staff. If you find that the user is a student and goes to the staff URL, then you need to redirect or simply deny access.
So, for example, say you had this database setup.
User
/ \
Student Staff
Now you have one table called User. Everyone would be in here. There are a few ways to do this; you can create a new attribute (column) that would simply be a boolean of some sort.
So your User table could look like
Userid | Name | Address | ... | Staff
where
| Staff | = 1 or 0, depending on whether they are a student or just staff.
This is probably the fastest way when making a query. Now, if you need additional information for either one, simply create a Student and a Staff table with the specific attributes for each. Then you would query the additional information when needed.
No problem. Without a minor/major rewrite, no matter what else your code is doing, just put the "role" into the session and check the role before each query: role=staff or role=student. And don't use a cookie to hold that, as they can be changed. Check the role on every access.
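Putting the three answers together, here is an added example (not code from the question or any of the answers): one users table that carries the role plus an extension table per role as the second answer describes, a login that reads the role from the database row and stores it in the session as the first answer does, and a guard that every protected page calls before touching role-specific data, as the third answer asks for. It assumes PHP 8 with the pdo_sqlite extension so it runs offline; the accounts, passwords, table names and the ROLE_* constants are all constructed for the demo.

```php
<?php
// Added example, not code from the question or the answers above.
// Assumes PHP 8 with the pdo_sqlite extension; every account, password and
// table name below is constructed for the demo.
declare(strict_types=1);

const ROLE_STUDENT = 'student';
const ROLE_STAFF   = 'staff';

// One users table carrying the role, plus an extension table per role
// (the "User / Student / Staff" layout from the second answer).
function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null,
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec("CREATE TABLE users (
            id            INTEGER PRIMARY KEY,
            username      TEXT NOT NULL UNIQUE,
            password_hash TEXT NOT NULL,
            role          TEXT NOT NULL CHECK (role IN ('student', 'staff')))");
        $pdo->exec("CREATE TABLE student_profiles (
            user_id INTEGER PRIMARY KEY REFERENCES users(id), enrolment_year INTEGER NOT NULL)");
        $pdo->exec("CREATE TABLE staff_profiles (
            user_id INTEGER PRIMARY KEY REFERENCES users(id), department TEXT NOT NULL)");
        // constructed sample accounts
        $ins = $pdo->prepare('INSERT INTO users (id, username, password_hash, role) VALUES (?, ?, ?, ?)');
        $ins->execute([1, 'alice', password_hash('student-pass', PASSWORD_DEFAULT), ROLE_STUDENT]);
        $ins->execute([2, 'bob',   password_hash('staff-pass',   PASSWORD_DEFAULT), ROLE_STAFF]);
        $pdo->exec("INSERT INTO student_profiles VALUES (1, 2023)");
        $pdo->exec("INSERT INTO staff_profiles VALUES (2, 'Library')");
    }
    return $pdo;
}

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// login.php: the role comes from the database row, never from the request,
// and the session id is regenerated so a pre-login id is not promoted.
function login(string $username, string $password): bool
{
    $stmt = db()->prepare('SELECT id, password_hash, role FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    ensure_session();
    session_regenerate_id(true);
    $_SESSION = ['user_id' => (int) $user['id'], 'role' => $user['role']];
    return true;
}

// Pure check used by the guard: true only when the session carries exactly
// the required role.
function role_allows(string $required): bool
{
    ensure_session();
    return ($_SESSION['role'] ?? null) === $required;
}

// First line of every protected page (staff_profile.php would call
// require_role(ROLE_STAFF)). The exit after the redirect matters: without it
// PHP keeps executing and the rest of the page is still sent.
function require_role(string $required): void
{
    if (!role_allows($required)) {
        header('Location: login.php');
        exit;
    }
}

// The query itself is also constrained by role, so even a bug in the guard
// cannot turn a student row into a staff profile.
function staff_profile(int $userId): ?array
{
    $stmt = db()->prepare('SELECT u.username, s.department
                            FROM users u JOIN staff_profiles s ON s.user_id = u.id
                           WHERE u.id = ? AND u.role = ?');
    $stmt->execute([$userId, ROLE_STAFF]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Walkthrough from the command line: log in as the student, then try what
// staff_profile.php would do with that session.
if (PHP_SAPI === 'cli') {
    var_dump(login('alice', 'student-pass'));
    var_dump(role_allows(ROLE_STUDENT));
    var_dump(role_allows(ROLE_STAFF));             // staff_profile.php would redirect here
    var_dump(staff_profile($_SESSION['user_id'])); // no staff row exists for a student
}
```

Two points the question's URLs make worth stating. First, the role must only ever be written to the session by the login code after a successful credential check; it is never read from the URL, a form field or a plain cookie, which is why switching from student_profile.php to staff_profile.php cannot change it. Second, the `?id=1` in the URL is a separate problem: a profile page should load the row for `$_SESSION['user_id']` (or verify that the session user is allowed to see the requested id), otherwise a logged-in student can still read another student's profile by changing the number.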