2

我需要根据数据库中赋予用户的角色将用户重定向到不同的页面。登录页面只提交用户名和密码。我必须从如下所示的数据库中获取角色:

username  |  password  |  role
xxxxxx       xxxxxx       admin
xxxxxx       xxxxxx       trainer
xxxxxx       xxxxxx       trainer
xxxxxx       xxxxxx       Line Manager

这是我的代码:

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 


$sql="SELECT * FROM login WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

     // Register $myusername, $mypassword and redirect to file "login_success.php"
     $role = mysqli_fetch_array($result);


      if($role == "Admin"){
        header("location:index.php");
            exit();
      }
      elseif($role['role'] == "Trainer"){
  header("location:index1.php");
        exit();
     }
      elseif($role['role'] == "Line Manager"){
  header("location:index2.php");
        exit();
     }
      elseif($role['role'] == "Client"){
  header("location:client.php");
        exit();
     }


  }
     else {
        echo "Wrong Username or Password"; 
     }
?>
4

1 回答 1

3

在您的代码中,第一if条语句检查$role,而其他语句检查$role['role']. 我的猜测是您正在尝试以“管理员”身份登录,这就是它不起作用的原因。

更新

你的代码比我最初意识到的要错误得多。

  1. 您正在将 mysql_* 函数与 mysqli_* 函数混合使用。这不仅是错误的,而且 mysql_* 函数已被弃用。您不应再使用它们

  2. 通过直接在您的选择语句中使用 POST 变量,您可以让自己对 SQL 注入开放。解决这个问题的方法是使用准备好的语句

免责声明:我已经有一段时间没有使用 mysqli 了,所以这里提供的代码可能包含错误。

<?php
// Connect to server and select database.
$db = new mysqli($host, $username, $password, $db_name);

if( $db->connect_errno ){
    die('Unable to connect to database [' . $db->connect_error . ']');
}

// username and password sent from form 
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

if ($stmt = $db->prepare("SELECT role FROM login WHERE `username`=? and `password`=?")) {
    /* bind parameters for username and password */
    $stmt->bind_param('ss', $myusername, $mypassword);

    /* execute query */
    $stmt->execute();
    
    // If result matched $myusername and $mypassword, table row must be 1 row
    if ($stmt->affected_rows == 1) {
        // bind the result to a variable
        $stmt->bind_result($role);
        $stmt->fetch();
        
        switch( $role ){

            case 'Admin':
                header("location:index.php");
                exit();

            case 'Trainer':
                header("location:index1.php");
                exit();

            case 'Line Manager':
                header("location:index2.php");
                exit();

            case 'Client':
                header("location:client.php");
                exit();

            default:
                echo "Wrong Username or Password";
        }
    
    }

    $stmt->close();
}

$db->close();

?>

我个人更喜欢PDO(如下图所示)。我还没有测试过代码,所以它也可能不完全准确,但它应该能让你走上正确的道路。

<?php
// username and password sent from form 
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

try {
    // Connect to server and select database.
    $db = new PDO("mysql:host=$host;dbname=$db_name", $username, $password);
    $db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
    
    $stmt = $db->("SELECT *, COUNT(*) as count FROM login WHERE `username`=:user and `password`=:pass");
    $stmt->bindParam(':user', $myusername);
    $stmt->bindParam(':pass', $mypassword);
    
    if ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
        $count = $row['count'];
        
        // If result matched $myusername and $mypassword, table must be 1 row
        if ($count == 1) {        
            switch( $row['role'] ){

                case 'Admin':
                    header("location:index.php");
                    exit();

                case 'Trainer':
                    header("location:index1.php");
                    exit();

                case 'Line Manager':
                    header("location:index2.php");
                    exit();

                case 'Client':
                    header("location:client.php");
                    exit();

                default:
                    echo "Wrong Username or Password";
            }
        }
    }
    
    $db = null;
}

catch(PDOException $e) {  
    echo $e->getMessage();  
}

?>

有关 PDO 的更多信息,请参阅:为什么应该使用 PHP 的 PDO 进行数据库访问

于 2013-07-26T09:16:27.163 回答