当前位置: 动力学知识库 > 问答 > 编程问答 >

html - php - Login redirecting to same page, static but different roles

问题描述:

After doing my SQL Schema (Different types of users redirected to same page (index.php) with different content), I'm starting to make my login system.

I now have this:

function login($email,$password){

$mysqli = $this ->dbConnect();

if($mysqli){

$strQuery = "SELECT USERS.ID, USERS.EMAIL, TYPES.NAME FROM `USERS` LEFT JOIN `TYPES` ON USERS.TYPEID = TYPES.ID WHERE `EMAIL` = '$email' AND `PASSWORD` = '$password'";

$recordSet = $mysqli->query($strQuery);

$row = $recordset->fetch_assoc();

if($recordset->num_rows>0){

$_SESSION['auth'] = $row['ID'];

$_SESSION['username'] = $row['EMAIL'];

$_SESSION['type'] = $row['NAME'];

header ("location:"index.php");

return true;

}

//....

}

}

Does this look good? Is the query right? Any suggestions for improvement?

UPDATE

I have my login working now. And it's redirecting to index.php. But in index php I don't have acess to the $_SESSIONS variables i have stored on my function login. Is there any problem with the attribuitions? Placing the header inside the function not good?

Thanks :)

网友答案:

I summarized the previous comments.

1. Issue: you didn't used the same variables

function login($email,$password){ and $strQuery = " ... WHERE EMAIL = '$email' AND PASSWORD = '$password'";

2. Recomendation: use the same namming convention

On your SQL request you used two way to use fields: USERS.EMAIL and EMAIL = (with ` arround). Use the same. This will be easier for later & debugging.

i.e.: of course, you should not use table.field each time. Not mandatory for example if you have only one table OR if the fields are not shared between them. For my perosnnal usage, I always use this table.field. This will prevent any future issue :)

3. Protect your data from any injection

Example:

$post_email = isset($_POST['email']) ? htmlspecialchars($_POST['email']) : null;

Alter call

$this->login($post_email, ...)

And finally use something like this to protect your data:

$email = $mysqli->real_escape_string($email);

and you are ready for your request:

" SELECT [..] FROM users as u [...] WHERE u.email = '$email' "

4. Or use specific functions

Example (real_escape_string not needed anymore):

$stmt = $dbConnection->prepare('SELECT * FROM users WHERE email = ? AND password = ?');
$stmt->bind_param('s', $email);
$stmt->bind_param('s', $password);

$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // do something with $row
}

http://php.net/manual/fr/class.mysqli.php

5. Sessions

If you want to activate sessions on a spacific page, the first code (at the first line) should be session_start().

Calling this method will activate the sessions and load the $_SESSION variable with content.

<?php // index.php
session_start(); // first line

// ... code
var_dump($_SESSION);
?>

&

<?php // page.php
session_start(); // first line

// ... code
$_SESSION['test'] = time();
Header('Location: index.php');
?>
  1. Visit index.php -> nothing on the debug
  2. Visit page.php -> you will be redirected on index.php
  3. On index.php -> you will have data

Enjoy session :p

6. Handle specific data

To begin with, you should coose a way to store the credential access (ACL) for each user. For example, store on the database some values as 100001, and each number is a yes/no access for a specific action (binary access mode) ; another system is to store the level '1,2,3,4,5' ... or 'member,customer,admin, ...'. So many ways :)

I will choose the USER.ACCESS = member|customer|admin solution

On the login page

// is user successfully logged
$_SESSION['access'] = $row['access']; // member|customer|admin
// Header('Location: index.php');

On any page of your site:

if( in_array($_SESSION['access'], ['member', 'admin']) ) {
  echo 'You are a member, you can see this part';
}

if( in_array($_SESSION['access'], ['customer', 'admin']) ) {
  echo 'You are a customer, you can see this part';
}

Or

if( checkAccess() ) {
  echo 'Welcome user !';

  if( checkAccess(['member', 'customer']) ) {
    echo 'This is a section for member, customer or admin :)';
  }

  if( checkAccess('member') ) {
    echo 'You are a member, you can see this part';
  }

  if( checkAccess('customer') ) {
    echo 'You are a customer, you can see this part';
  }
}

function checkAccess($types = null) {
  if( !isset($_SESSION['access']) )
    return false; // not logged

  if( is_null($types) )
    retun true; // if empty, provide info about loggin.

  // admin has always access to all sections of the website
  $hasAccess = in_array($_SESSION['access'], ((array) $types) + ['admin']);
  return $hasAccess; // user is logged + has accessor not ?
}

Of course, you can also use includes

if( checkAccess('member') ) {
  include 'secret_page_for_member.php';
}

Or, at the begening of the included page:

<?php
if( !checkAccess('admin') ) {
  return '403 - Not authorized';
  // die('403');
  // throw new Exception('403');
}
// your code
?>
分享给朋友:
您可能感兴趣的文章:
随机阅读: