我的查询不适用于待定和批准
my query is not working for pending and approve
if (isset($_POST['login_btn'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($username)) {
array_push($errors, "Username is Required");
}
if (empty($password)) {
array_push($errors, "Password is Required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM request WHERE username='$username' AND password='$password' ";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1){
$logged_in_user = mysqli_fetch_assoc($results);
if ($logged_in_user['user_type'] == 'admin') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome Admin";
header('location: admin/home.php');
}elseif($logged_in_user['user_type'] == 'employee') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome Employee";
header('location: admin/employee.php');
}else{
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome User";
header('location: index.php');
}
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
if (isset($_POST['login_btn'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM request WHERE username='$username' AND password = '$password'";
$check_user=mysqli_query($db,$query);
if (mysqli_num_rows($check_user)==1){
$approved_by_admin = mysqli_fetch_assoc($check_user);
if($approved_by_admin ["status"] =='approved'){
echo '<script type = "text/javascript">';
echo 'alert("Login Success!")';
echo 'window.location.href = "index.php"';
echo '</script>';
}
elseif($approved_by_admin ["status"] =='pending'){
echo '<script type = "text/javascript">';
echo 'alert("Your account is still pending for approval!")';
echo 'window.location.href = "login.php"';
echo '</script>';
}
}else{
echo "Wrong Combination";
}
}
}
我的批准和待定查询不起作用。
如果我删除对管理员、员工和用户的查询,它会起作用,但这不会起作用 echo 'window.location.href = "index.php"';
基本上我的代码不起作用,因为它会继续登录,即使用户的状态为待定且未经管理员批准。
等待和批准的 if (isset($_POST['login_btn'])) {
第二部分不工作
您需要将审批测试集成到现有的登录流程中。有两个独立的进程代码集是没有意义的,因为
a) 从数据库中查询两次相同的数据是低效的,并且
b) 在您开始检查第二部分之前,代码的第一部分已经设置了重定向。
我认为这会更有意义:
if (isset($_POST['login_btn'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($username)) {
array_push($errors, "Username is Required");
}
if (empty($password)) {
array_push($errors, "Password is Required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM request WHERE username='$username' AND password='$password' ";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1){
$logged_in_user = mysqli_fetch_assoc($results);
if ($logged_in_user['user_type'] == 'admin') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome Admin";
header('location: admin/home.php');
exit();
}elseif($logged_in_user['user_type'] == 'employee') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome Employee";
header('location: admin/employee.php');
exit();
}else{
if($logged_in_user["status"] =='approved'){
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome User";
header('location: index.php');
exit();
}
else {
echo '<script type="text/javascript">';
echo 'alert("Your account is still waiting for approval!")';
echo 'window.location.href = "login.php"';
echo '</script>';
}
}
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
P.S。在设置 Location
header 后,您应该始终 exit();
,这样就不会存在受保护内容在脚本后面被意外泄露的危险。
P.P.S。请不要使用过时的、不安全的 md5 算法存储密码——这是一种安全风险。了解 PHP 的 built-in、up-to-date,改为保护 password hashing and verification functions。
P.P.P.S。虽然 mysqli_real_escape_string
可以防止大多数 SQL 注入,但它并非万无一失。准备好的语句和参数是一种更安全且 up-to-date 安全编写查询的方式。请参阅 How can I prevent SQL injection in PHP 获取完整指南。
if (isset($_POST['login_btn'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($username)) {
array_push($errors, "Username is Required");
}
if (empty($password)) {
array_push($errors, "Password is Required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM request WHERE username='$username' AND password='$password' ";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1){
$logged_in_user = mysqli_fetch_assoc($results);
if ($logged_in_user['user_type'] == 'admin') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome Admin";
header('location: admin/home.php');
}elseif($logged_in_user['user_type'] == 'employee') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome Employee";
header('location: admin/employee.php');
}else{
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome User";
header('location: index.php');
}
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
if (isset($_POST['login_btn'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM request WHERE username='$username' AND password = '$password'";
$check_user=mysqli_query($db,$query);
if (mysqli_num_rows($check_user)==1){
$approved_by_admin = mysqli_fetch_assoc($check_user);
if($approved_by_admin ["status"] =='approved'){
echo '<script type = "text/javascript">';
echo 'alert("Login Success!")';
echo 'window.location.href = "index.php"';
echo '</script>';
}
elseif($approved_by_admin ["status"] =='pending'){
echo '<script type = "text/javascript">';
echo 'alert("Your account is still pending for approval!")';
echo 'window.location.href = "login.php"';
echo '</script>';
}
}else{
echo "Wrong Combination";
}
}
}
我的批准和待定查询不起作用。
如果我删除对管理员、员工和用户的查询,它会起作用,但这不会起作用 echo 'window.location.href = "index.php"';
基本上我的代码不起作用,因为它会继续登录,即使用户的状态为待定且未经管理员批准。
等待和批准的 if (isset($_POST['login_btn'])) {
第二部分不工作
您需要将审批测试集成到现有的登录流程中。有两个独立的进程代码集是没有意义的,因为
a) 从数据库中查询两次相同的数据是低效的,并且 b) 在您开始检查第二部分之前,代码的第一部分已经设置了重定向。
我认为这会更有意义:
if (isset($_POST['login_btn'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($username)) {
array_push($errors, "Username is Required");
}
if (empty($password)) {
array_push($errors, "Password is Required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM request WHERE username='$username' AND password='$password' ";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1){
$logged_in_user = mysqli_fetch_assoc($results);
if ($logged_in_user['user_type'] == 'admin') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome Admin";
header('location: admin/home.php');
exit();
}elseif($logged_in_user['user_type'] == 'employee') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome Employee";
header('location: admin/employee.php');
exit();
}else{
if($logged_in_user["status"] =='approved'){
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome User";
header('location: index.php');
exit();
}
else {
echo '<script type="text/javascript">';
echo 'alert("Your account is still waiting for approval!")';
echo 'window.location.href = "login.php"';
echo '</script>';
}
}
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
P.S。在设置 Location
header 后,您应该始终 exit();
,这样就不会存在受保护内容在脚本后面被意外泄露的危险。
P.P.S。请不要使用过时的、不安全的 md5 算法存储密码——这是一种安全风险。了解 PHP 的 built-in、up-to-date,改为保护 password hashing and verification functions。
P.P.P.S。虽然 mysqli_real_escape_string
可以防止大多数 SQL 注入,但它并非万无一失。准备好的语句和参数是一种更安全且 up-to-date 安全编写查询的方式。请参阅 How can I prevent SQL injection in PHP 获取完整指南。