试图使PHP理解作为管理员登录
[英]trying to make php understand login as admin
问题描述
<?php
ob_start();
include 'connection.php';
$username = $_POST['username'];
$password = $_POST['password'];
$user_id = $_POST ['user_id'];
$query = "SELECT * FROM Register WHERE username= '$username' AND Password = '$password' AND user_id= '$user_id' ";
$result = mysqli_query($connection, $query) or exit("Error in the query: $query. " . mysqli_error());
$row = mysqli_fetch_assoc($result);
if ($row ) {
$_SESSION['username'] = $username;
echo '' . $username . '';
&& ($row ) {
$_SESSION['user_id'] = 1;
header('Location: AdminPage.php');
}
else if ($row ) {
$_SESSION['username'] = $username;
echo '' . $username . '';``
header('location:Login.php');
&& ($row ) {
$_SESSION['user_id'] = > 1;
header('Location: ProtectedPage.php');
}
else {
$_SESSION['error'] = 'User not recognised';
echo 'user not recognised';
header('location:Login.php');
}
即时通讯试图让我的PHP理解,如果user_id等于1,那么您是管理员,但是我不断收到大量错误,我知道即时通讯程序很容易受到SQL注入的侵害,因此不适用于实时互联网网站,这就是为什么其脆弱
1 个解决方案
解决方案1
1 已采纳 2014-04-24 15:16:52
我认为这是您想要的:
include 'connection.php';
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM Register
WHERE username= '" . $connection->real_escape_string($username) . "'
AND Password = '" . $connection->real_escape_string($password) . "'";
$result = mysqli_query($connection, $query) or exit("Error in the query: $query. " . mysqli_error());
$row = mysqli_fetch_assoc($result);
if ($row) {
$_SESSION['username'] = $username;
$_SESSION['user_id'] = $row['user_id'];
if ($row['user_id'] == 1) {
header('Location: AdminPage.php');
} else {
header('Location: ProtectedPage.php');
}
} else {
$_SESSION['error'] = 'User not recognised';
echo 'user not recognised';
header('location:Login.php');
}
在AdminPage.php ,应检查用户是否是具有以下内容的管理员:
if (isset($_SESSION['user_id']) && $_SESSION['user_id'] == 1)
ProtectedPage.php只需要检查用户是否已登录:
if (isset($_SESSION['user_id']))
试图使登录识别管理员
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.