时间戳

首页 > 解决方案 > 我的查询不适用于待处理和批准

php - 我的查询不适用于待处理和批准

问题描述

   if (isset($_POST['login_btn'])) {
      $username = mysqli_real_escape_string($db, $_POST['username']);
      $password = mysqli_real_escape_string($db, $_POST['password']);
    
      if (empty($username)) {
        array_push($errors, "Username is Required");
      }
      if (empty($password)) {
        array_push($errors, "Password is Required");
      }
    
      if (count($errors) == 0) {
            $password = md5($password);
    
            $query = "SELECT * FROM request WHERE username='$username' AND password='$password' ";
            $results = mysqli_query($db, $query);
    
            if (mysqli_num_rows($results) == 1){
                $logged_in_user = mysqli_fetch_assoc($results);
                if ($logged_in_user['user_type'] == 'admin') {
                    $_SESSION['user'] = $logged_in_user;
                    $_SESSION['success']  = "Welcome Admin";
                    header('location: admin/home.php'); 
    
                }elseif($logged_in_user['user_type'] == 'employee') {
                    $_SESSION['user'] = $logged_in_user;
                    $_SESSION['success']  = "Welcome Employee";
                    header('location: admin/employee.php'); 
                    
                }else{
                    $_SESSION['user'] = $logged_in_user;
                    $_SESSION['success']  = "Welcome User";
                    header('location: index.php');
                  }
            
            
            }else {
                array_push($errors, "Wrong username/password combination");
            }
        }
    }
    
    
    if (isset($_POST['login_btn'])) {
     $username = mysqli_real_escape_string($db, $_POST['username']);
      $password = mysqli_real_escape_string($db, $_POST['password']);
    
        if (count($errors) == 0) {
            $password = md5($password);
            
    
            $query = "SELECT * FROM request WHERE username='$username' AND password = '$password'";
           $check_user=mysqli_query($db,$query);
    
            if (mysqli_num_rows($check_user)==1){
               
                $approved_by_admin = mysqli_fetch_assoc($check_user);
                if($approved_by_admin ["status"] =='approved'){
                   echo '<script type  = "text/javascript">';
                   echo 'alert("Login Success!")';
                    echo 'window.location.href = "index.php"';
                    echo '</script>';
                   
                }
               elseif($approved_by_admin ["status"] =='pending'){
                   echo '<script type  = "text/javascript">';
                    echo 'alert("Your account is still pending for approval!")';
                    echo 'window.location.href = "login.php"';  
                    echo '</script>';
                    
               }
            }else{
                    echo "Wrong  Combination";
                }
        }
    }

我对批准和待处理的查询不起作用。

如果我删除对管理员、员工和用户的查询,它将起作用,但这不起作用echo 'window.location.href = "index.php"';

基本上我的代码不起作用,因为即使用户的状态处于待处理状态并且未经管理员批准,它也会继续登录。

待处理和批准的第二部分if (isset($_POST['login_btn'])) {不起作用

标签: phpsqlmysqli

解决方案

您需要将审批测试集成到现有的登录流程中。拥有两个独立的进程代码集是没有意义的,因为

a) 从数据库中两次查询相同的数据效率低下,并且 b) 代码的第一部分在您开始检查第二部分之前就已经设置了重定向。

我认为这将更有意义:

if (isset($_POST['login_btn'])) {
  $username = mysqli_real_escape_string($db, $_POST['username']);
  $password = mysqli_real_escape_string($db, $_POST['password']);

  if (empty($username)) {
    array_push($errors, "Username is Required");
  }
  if (empty($password)) {
    array_push($errors, "Password is Required");
  }

  if (count($errors) == 0) {
        $password = md5($password);

        $query = "SELECT * FROM request WHERE username='$username' AND password='$password' ";
        $results = mysqli_query($db, $query);

        if (mysqli_num_rows($results) == 1){
            $logged_in_user = mysqli_fetch_assoc($results);
            if ($logged_in_user['user_type'] == 'admin') {
                $_SESSION['user'] = $logged_in_user;
                $_SESSION['success']  = "Welcome Admin";
                header('location: admin/home.php'); 
                exit();
            }elseif($logged_in_user['user_type'] == 'employee') {
                $_SESSION['user'] = $logged_in_user;
                $_SESSION['success']  = "Welcome Employee";
                header('location: admin/employee.php'); 
                exit();
                
            }else{
              if($logged_in_user["status"] =='approved'){
                $_SESSION['user'] = $logged_in_user;
                $_SESSION['success']  = "Welcome User";
                header('location: index.php');
                exit();
              }
              else {
                echo '<script type="text/javascript">';
                echo 'alert("Your account is still waiting for approval!")';
                echo 'window.location.href = "login.php"';  
                echo '</script>';
              }
            }
        }else {
            array_push($errors, "Wrong username/password combination");
        }
    }
}

PS 你应该总是exit();在设置Location标题后立即,这样就不会有受保护的内容在脚本后面被意外泄露的危险。

PPS 请不要使用过时的、不安全的 md5 算法存储密码 - 这是一个安全风险。改为了解 PHP 内置的、最新的、安全的密码散列和验证功能

PPPS 虽然mysqli_real_escape_string可以防止大多数 SQL 注入,但它并非万无一失。准备好的语句和参数是一种更安全和最新的方式来安全地编写查询。有关详细指南,请参阅如何防止 PHP中的 SQL 注入。

推荐阅读