我有一个登录脚本,它检查权限 id 是 5 = admin、6 = employee 还是 7 = student。
请检查以下内容:
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql = "SELECT * FROM users WHERE username='$myusername' and password='$mypassword'";
$result = mysql_query($sql);
// Mysql_num_row is counting table row
$count = mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "main.php"
$_SESSION["myusername"] = $myusername;
$_SESSION["mypassword"] = $mypassword;
while($count = mysql_fetch_assoc($result)) {
//echo $row['Username'];
//echo $row['access_level'];
if ($count['AuthorityId']== 5) {
//add custom content here for this user access level
header("location: adminpage.php");
exit();
} // end of if
else if ($count['AuthorityId']== 6 ){
//add custom content here for this user access level
header("location: employeepage.php");
exit();
} // end of else if
else{
header("location: studentpage.php");
exit();
}
} // end of while
}
else if( $myusername == '' || $mypassword == '' ){
echo '<script type="text/javascript">
alert("There are empty fields!");
</script>';
}
else {
echo '<script type="text/javascript">
alert("Wrong Username or Password")
</script>';
}
?>
当用户是管理员时,他会访问 adminpage.php,但是当我直接输入employeepage.php 的 url 时,用户可以访问它。如何限制用户访问其他页面?谢谢。