php - 我的查询不适用于待处理和批准
问题描述
if (isset($_POST['login_btn'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($username)) {
array_push($errors, "Username is Required");
}
if (empty($password)) {
array_push($errors, "Password is Required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM request WHERE username='$username' AND password='$password' ";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1){
$logged_in_user = mysqli_fetch_assoc($results);
if ($logged_in_user['user_type'] == 'admin') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome Admin";
header('location: admin/home.php');
}elseif($logged_in_user['user_type'] == 'employee') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome Employee";
header('location: admin/employee.php');
}else{
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome User";
header('location: index.php');
}
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
if (isset($_POST['login_btn'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM request WHERE username='$username' AND password = '$password'";
$check_user=mysqli_query($db,$query);
if (mysqli_num_rows($check_user)==1){
$approved_by_admin = mysqli_fetch_assoc($check_user);
if($approved_by_admin ["status"] =='approved'){
echo '<script type = "text/javascript">';
echo 'alert("Login Success!")';
echo 'window.location.href = "index.php"';
echo '</script>';
}
elseif($approved_by_admin ["status"] =='pending'){
echo '<script type = "text/javascript">';
echo 'alert("Your account is still pending for approval!")';
echo 'window.location.href = "login.php"';
echo '</script>';
}
}else{
echo "Wrong Combination";
}
}
}
我对批准和待处理的查询不起作用。
如果我删除对管理员、员工和用户的查询,它将起作用,但这不起作用echo 'window.location.href = "index.php"';
基本上我的代码不起作用,因为即使用户的状态处于待处理状态并且未经管理员批准,它也会继续登录。
待处理和批准的第二部分if (isset($_POST['login_btn'])) {
不起作用
解决方案
您需要将审批测试集成到现有的登录流程中。拥有两个独立的进程代码集是没有意义的,因为
a) 从数据库中两次查询相同的数据效率低下,并且 b) 代码的第一部分在您开始检查第二部分之前就已经设置了重定向。
我认为这将更有意义:
if (isset($_POST['login_btn'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($username)) {
array_push($errors, "Username is Required");
}
if (empty($password)) {
array_push($errors, "Password is Required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM request WHERE username='$username' AND password='$password' ";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1){
$logged_in_user = mysqli_fetch_assoc($results);
if ($logged_in_user['user_type'] == 'admin') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome Admin";
header('location: admin/home.php');
exit();
}elseif($logged_in_user['user_type'] == 'employee') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome Employee";
header('location: admin/employee.php');
exit();
}else{
if($logged_in_user["status"] =='approved'){
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome User";
header('location: index.php');
exit();
}
else {
echo '<script type="text/javascript">';
echo 'alert("Your account is still waiting for approval!")';
echo 'window.location.href = "login.php"';
echo '</script>';
}
}
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
PS 你应该总是exit();
在设置Location
标题后立即,这样就不会有受保护的内容在脚本后面被意外泄露的危险。
PPS 请不要使用过时的、不安全的 md5 算法存储密码 - 这是一个安全风险。改为了解 PHP 内置的、最新的、安全的密码散列和验证功能。
PPPS 虽然mysqli_real_escape_string
可以防止大多数 SQL 注入,但它并非万无一失。准备好的语句和参数是一种更安全和最新的方式来安全地编写查询。有关详细指南,请参阅如何防止 PHP中的 SQL 注入。
推荐阅读
- javascript - 我如何从 web 服务中获取特定元素
- c++ - 我无法理解 ++i 行为的编程问题
- c# - 如何将 GET 请求从 Internet Explorer 发送到 Asp.Net Core API?
- java - Android Enum:使用 R8 生成 AAR 二进制文件并在客户端应用程序中引发“函数调用'name()'”异常
- image - FLUTTER:使用中值滤波器混合图像
- javascript - 如何在 React 中操作来自 api 调用的数据?
- gcov - 无法在跨配置文件环境中生成 gcda 文件
- javascript - 错误:未捕获(承诺中) ReferenceError:未定义 React
- ghdl - Cocotb 和 ghdl 版本不匹配?
- c++ - (编译opencv2.4)Makefile:165:目标“全部”的配方失败