PHP Multi-user Login with Session
I have 7 user levels. I redirect based on my input (for example, if I enter the admin's credentials I am redirected to the admin page), and the same for the other 6. The problem I have is that after a successful login, if I change the URL from (localhost/admin/home.php) to (localhost/employee/home.php), I can now access the employee's page. I want to put a restriction on this, or maybe an error that says "Unauthorized user. Access denied." Here is my code.
index.php
<!DOCTYPE html>
<html>
<body>
<form action="checklog.php" method="POST">
  <h1>Log in</h1>
  <p>
    <label for="username" class="uname">Your email or username</label>
    <input id="username" name="username" required="required" type="text" placeholder="myusername" minlength="2" />
  </p>
  <p>
    <label for="password" class="youpasswd">Your password</label>
    <input id="password" name="password" required="required" type="password" placeholder="eg. X8df!90EO" minlength="2" />
  </p>
  <input type="submit" name="submit" value="Login">
</form>
<?php
// Display the error message that checklog.php (or a protected page) passed back via ?err=N
if (isset($_GET['err'])) {
    if ($_GET['err'] == 1) {
        echo "Invalid Credentials.";
    } elseif ($_GET['err'] == 5) {
        echo "Successfully Logged out";
    } elseif ($_GET['err'] == 2) {
        echo "You're trying to access an unauthorized page.";
    }
}
?>
</body>
</html>
checklog.php (this is where I handle the credentials.)
<?php
// checklog.php: verifies the submitted credentials and starts the session.
// session_start() must run before any output is sent, so it comes first.
session_start();
require_once("db.php");

function check_input($r) {
    $r = trim($r);
    $r = strip_tags($r);
    $r = stripslashes($r);
    $r = htmlentities($r);
    // mysql_real_escape_string() removed: it needs an open mysql_* connection (and no
    // longer exists in PHP 7+); the PDO prepared statement below already keeps the
    // values separate from the SQL, so no manual escaping is needed.
    return $r;
}

// access_level as stored in the users table, mapped to each role's home page
$home_by_level = array(
    0 => "admin/home.php",
    1 => "user/home.php",
    2 => "businesshead/home.php",
    3 => "scm/home.php",
    4 => "finance/home.php",
    5 => "gm/home.php",
    6 => "scma/home.php",
);

if (isset($_POST['username'], $_POST['password'])) {
    $u = check_input($_POST['username']);
    // unsalted md5 is a weak password hash; password_hash()/password_verify() is the replacement
    $p = md5(check_input($_POST['password']));
    try {
        $db = get_db();
        $stmt = $db->prepare("SELECT * FROM users WHERE username=? AND password=?");
        $stmt->execute(array($u, $p));
        $r = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($r) {
            // new session id on login, so an id fixed before authentication cannot be reused
            session_regenerate_id(true);
            $access_level = (int) $r['access_level'];
            $_SESSION['username'] = $r['username'];
            $_SESSION['access_level'] = $access_level;
            if (isset($home_by_level[$access_level])) {
                header("Location: " . $home_by_level[$access_level]);
            } else {
                header("Location: index.php?err=1");
            }
            exit; // header() does not stop the script; always exit after a redirect
        } else {
            header("Location: index.php?err=1");
            exit;
        }
    } catch (PDOException $e) {
        // log the detail server-side; the message can reveal schema or credentials
        error_log("Database error: " . $e->getMessage());
        die("Database error.");
    }
} else {
    header("Location: index.php");
    exit;
}
?>
Suppose this is my admin page (admin.php)
<!DOCTYPE html>
<html>
<body>
Welcome!
</body>
</html>
Thanks in advance!
Use this code at the top of every page
<?php
session_start(); // the session must be started before $_SESSION can be read
// the question stores the level under 'access_level', not 'type'
if (isset($_SESSION['access_level']) && $_SESSION['access_level'] == 1) {
    header('Location: index.php?msg=Admin Not Access This page'); // header() needs the "Location:" prefix
    exit; // stop the script after the redirect
}
?>
You have to check the session on every page. Put the relevant code at the top of each page, like:
Admin page
<?php
session_start();
// the question stores the level under 'access_level'; isset() comes first because with no
// session at all, $_SESSION['access_level'] != 0 is false in PHP and anonymous visitors would get in
if (!isset($_SESSION['access_level']) || $_SESSION['access_level'] != 0) {
    echo "Unauthorized user. Access denied.";
    die; // stop further execution
}
?>
User page
<?php
session_start();
if (!isset($_SESSION['access_level']) || $_SESSION['access_level'] != 1) {
    echo "Unauthorized user. Access denied.";
    die; // stop further execution
}
?>
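Both answers put the same check at the top of every page by hand, which is easy to forget on one file and has to change in seven places when a level is added. As an added example (not code from the question or from either answer), the following `auth.php` keeps the check in one include: the file name, the function names, the `HOME_BY_LEVEL` mapping (taken from the question's redirect chain), the cookie settings and the PHP 7.3+ requirement for the array form of `session_set_cookie_params()` are all assumptions.

```php
<?php
// auth.php (assumed name): one include that replaces the per-page copy-and-paste
// check from the answers above. Require it before any output on every protected page.
declare(strict_types=1);

// access_level values as stored in the question's users table, mapped to the
// directory that checklog.php redirects to (assumed to match the question).
const HOME_BY_LEVEL = [
    0 => 'admin',
    1 => 'user',
    2 => 'businesshead',
    3 => 'scm',
    4 => 'finance',
    5 => 'gm',
    6 => 'scma',
];

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // The session cookie is not readable by JavaScript and is only sent on
    // same-site requests; 'secure' is set whenever the request came over HTTPS.
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    ]);
    session_start();
}

// Call once the credentials have been verified in checklog.php. Returns the
// path of the role's home page so the caller can redirect to it.
function login_user(array $row): string
{
    start_secure_session();
    // Fresh id on privilege change, so a session id fixed before login is useless.
    session_regenerate_id(true);
    $level = (int) $row['access_level'];
    $_SESSION['username']     = $row['username'];
    $_SESSION['access_level'] = $level;
    $_SESSION['logged_in_at'] = time();
    return (HOME_BY_LEVEL[$level] ?? 'user') . '/home.php';
}

// Deny the request unless the session belongs to a logged-in user whose
// access_level is in $allowed. Checking isset() first matters: with no session
// at all, $_SESSION['access_level'] != 0 is false in PHP, so a bare inequality
// test would let anonymous visitors into the admin pages.
function require_access_level(array $allowed): void
{
    start_secure_session();
    if (!isset($_SESSION['access_level'], $_SESSION['username'])) {
        header('Location: /index.php?err=2'); // not logged in: back to the form
        exit;
    }
    if (!in_array((int) $_SESSION['access_level'], $allowed, true)) {
        http_response_code(403);
        echo 'Unauthorized user. Access denied.';
        exit; // header() or echo alone does not stop the script
    }
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
    header('Location: /index.php?err=5'); // index.php shows "Successfully Logged out"
    exit;
}

// Usage in admin/home.php (before any HTML output):
//   require_once __DIR__ . '/../auth.php';
//   require_access_level([0]);          // admin only
// Usage in scm/home.php, letting the general manager (level 5) in as well:
//   require_access_level([3, 5]);
// Usage in checklog.php once $r = $stmt->fetch(...) has returned a row:
//   header('Location: ' . login_user($r));
//   exit;
```

Because `require_access_level()` lists the levels a page accepts rather than the one level it rejects, a page shared by two roles needs one line instead of a chain of `if` statements, and a level that is not listed is denied by default, which is the behaviour the question asks for when the URL is edited by hand.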