我的查询不适用于待定和批准

my query is not working for pending and approve

   if (isset($_POST['login_btn'])) {
      $username = mysqli_real_escape_string($db, $_POST['username']);
      $password = mysqli_real_escape_string($db, $_POST['password']);
    
      if (empty($username)) {
        array_push($errors, "Username is Required");
      }
      if (empty($password)) {
        array_push($errors, "Password is Required");
      }
    
      if (count($errors) == 0) {
            $password = md5($password);
    
            $query = "SELECT * FROM request WHERE username='$username' AND password='$password' ";
            $results = mysqli_query($db, $query);
    
            if (mysqli_num_rows($results) == 1){
                $logged_in_user = mysqli_fetch_assoc($results);
                if ($logged_in_user['user_type'] == 'admin') {
                    $_SESSION['user'] = $logged_in_user;
                    $_SESSION['success']  = "Welcome Admin";
                    header('location: admin/home.php'); 
    
                }elseif($logged_in_user['user_type'] == 'employee') {
                    $_SESSION['user'] = $logged_in_user;
                    $_SESSION['success']  = "Welcome Employee";
                    header('location: admin/employee.php'); 
                    
                }else{
                    $_SESSION['user'] = $logged_in_user;
                    $_SESSION['success']  = "Welcome User";
                    header('location: index.php');
                  }
            
            
            }else {
                array_push($errors, "Wrong username/password combination");
            }
        }
    }
    
    
    if (isset($_POST['login_btn'])) {
     $username = mysqli_real_escape_string($db, $_POST['username']);
      $password = mysqli_real_escape_string($db, $_POST['password']);
    
        if (count($errors) == 0) {
            $password = md5($password);
            
    
            $query = "SELECT * FROM request WHERE username='$username' AND password = '$password'";
           $check_user=mysqli_query($db,$query);
    
            if (mysqli_num_rows($check_user)==1){
               
                $approved_by_admin = mysqli_fetch_assoc($check_user);
                if($approved_by_admin ["status"] =='approved'){
                   echo '<script type  = "text/javascript">';
                   echo 'alert("Login Success!")';
                    echo 'window.location.href = "index.php"';
                    echo '</script>';
                   
                }
               elseif($approved_by_admin ["status"] =='pending'){
                   echo '<script type  = "text/javascript">';
                    echo 'alert("Your account is still pending for approval!")';
                    echo 'window.location.href = "login.php"';  
                    echo '</script>';
                    
               }
            }else{
                    echo "Wrong  Combination";
                }
        }
    }

我的批准和待定查询不起作用。

如果我删除对管理员、员工和用户的查询,它会起作用,但这不会起作用 echo 'window.location.href = "index.php"';

基本上我的代码不起作用,因为它会继续登录,即使用户的状态为待定且未经管理员批准。

等待和批准的 if (isset($_POST['login_btn'])) { 第二部分不工作

您需要将审批测试集成到现有的登录流程中。有两个独立的进程代码集是没有意义的,因为

a) 从数据库中查询两次相同的数据是低效的,并且 b) 在您开始检查第二部分之前,代码的第一部分已经设置了重定向。

我认为这会更有意义:

if (isset($_POST['login_btn'])) {
  $username = mysqli_real_escape_string($db, $_POST['username']);
  $password = mysqli_real_escape_string($db, $_POST['password']);

  if (empty($username)) {
    array_push($errors, "Username is Required");
  }
  if (empty($password)) {
    array_push($errors, "Password is Required");
  }

  if (count($errors) == 0) {
        $password = md5($password);

        $query = "SELECT * FROM request WHERE username='$username' AND password='$password' ";
        $results = mysqli_query($db, $query);

        if (mysqli_num_rows($results) == 1){
            $logged_in_user = mysqli_fetch_assoc($results);
            if ($logged_in_user['user_type'] == 'admin') {
                $_SESSION['user'] = $logged_in_user;
                $_SESSION['success']  = "Welcome Admin";
                header('location: admin/home.php'); 
                exit();
            }elseif($logged_in_user['user_type'] == 'employee') {
                $_SESSION['user'] = $logged_in_user;
                $_SESSION['success']  = "Welcome Employee";
                header('location: admin/employee.php'); 
                exit();
                
            }else{
              if($logged_in_user["status"] =='approved'){
                $_SESSION['user'] = $logged_in_user;
                $_SESSION['success']  = "Welcome User";
                header('location: index.php');
                exit();
              }
              else {
                echo '<script type="text/javascript">';
                echo 'alert("Your account is still waiting for approval!")';
                echo 'window.location.href = "login.php"';  
                echo '</script>';
              }
            }
        }else {
            array_push($errors, "Wrong username/password combination");
        }
    }
}

P.S。在设置 Location header 后,您应该始终 exit(); ,这样就不会存在受保护内容在脚本后面被意外泄露的危险。

P.P.S。请不要使用过时的、不安全的 md5 算法存储密码——这是一种安全风险。了解 PHP 的 built-in、up-to-date,改为保护 password hashing and verification functions

P.P.P.S。虽然 mysqli_real_escape_string 可以防止大多数 SQL 注入,但它并非万无一失。准备好的语句和参数是一种更安全且 up-to-date 安全编写查询的方式。请参阅 How can I prevent SQL injection in PHP 获取完整指南。