1

我有这个脚本运行良好。但是我对 utype_id 可以访问其他 utype_id 有问题。如何对其进行身份验证以使其utype_id=1无法访问utype_id=2?代码如下。

<?php
session_start();

include('includes/connection.php');

$username=$_POST['username'];
$password=$_POST['password'];

if(!empty($username) && !empty($password))
{

    $command="select * from user WHERE  username = '".$username."' and password='".$password."'";

    $result1=mysql_query($command);
    $count=mysql_num_rows($result1);

    $utype_id = "SELECT utype_id FROM user WHERE username='$username'";
    $result2 = mysql_query($utype_id);
    $result3 = mysql_fetch_row($result2);

    if($count==0)
    {
        header("location:loginform.php?attempt=fail");
    }
    else {
        $sql="select * from user WHERE username='".$username."'";
        $result=mysql_query($sql);
        while($row=mysql_fetch_row($result)){

            $_SESSION["id"]=$row[0];
            $_SESSION["username"]=$row[5];
            $_SESSION["name"]=$row[2];

            switch($result3[0]){

            case '1':
                header("location: module1/index.php");
                break;

            case '2':
                header("location: module2/index.php");
                break;

            case '3':
                header("location:loginform.php?attempt=unauthorized");
                break;
            }
        }
    }
}
else
{
    header("location:loginform.php?attempt=null");
}
?>
4

1 回答 1

1

遵循代码剪切额外查询和长脚本 

            include('includes/connection.php');

            $username=$_POST['username'];
            $password=$_POST['password'];

            $location = 'loginform.php?attempt=null';

            if(!empty($username) && !empty($password))
            {

            $command="select * from user WHERE  username = '".$username."' and password='".$password."'";
            $result=mysql_query($command);

            $location = 'loginform.php?attempt=fail';
            if(mysql_num_rows($result) > 0 {
                $frUser = mysql_fetch_array($result, MYSQL_BOTH);
                $_SESSION["id"]=$frUser['id']; // Change the name here
                $_SESSION["username"]=$frUser['username'];// Change the name here
                $_SESSION["name"]=$frUser['name'];  // Change the name here
                $utypeId = $frUser['utype_id'];
                switch($utypeId) {
                case '1':
                    $location = 'module1/index.php';
                break;
                case '2':
                    $location = 'module2/index.php';
                break;
                case '3':
                    $location = 'loginform.php?attempt=unauthorized';
                break;
                }   
            }
            }
            header("location:".$location);
            ?>
于 2015-02-04T08:57:35.050 回答