Page protection does not work correctly for the Ad

Published 2019-07-29 06:47

Question:

I posted a similar post to this with different code, but have changed it a little now, and did not get the answers I was hoping for (the answers did not help me much). I hope this is OK; tell me if it is not. :)

I have been trying to make a page protection for the Administrator page, and I cannot get it to work. I am sure this would not have been a problem if I was not new to PHP coding, hehe.

When a normal user with the type '0' is trying to access the administrator page, index_admin.php, the user will get redirected to the normal user page, index.php. And if the user has the type '1', then the user/admin will stay on the page.

Here is the code I have been trying to get working. (This file is required in index_admin.php and it is called index_admin_check.php).

index_admin_check.php :

<?php
    session_start();
?>

<?php
    $vert = "localhost";
    $brukarnamn = "root";
    $passord = "";
    $db_namn = "nettsidebunad";
    $tbl_namn = "kunde_register";

    // Connection to the MySQL database.
    mysql_connect("$vert", "$brukarnamn", "$passord") or die ("Kan dessverre ikkje koble til databasen.");
    mysql_select_db("$db_namn") or die ("Kan ikkje finna den ynkjande databasen.");
?>

<?php
if (isset($_SESSION['mittbrukarnamn'])) {

    $sql1 = "SELECT `type` FROM $tbl_namn";
    $rad1 = mysql_query($sql1);
    $type1 = mysql_fetch_row($rad1);

    if ($type1 == 0) {
        echo "You do not have access to this page.";
        //header("location: index.php");
    } else {
        echo "You have access to this page.";


    }
}
?>

Some of this text is in Norwegian.

$vert = $host (in English)

$brukarnamn = $username (in English)

$passord = $password (in English)

$db_namn = $db_name (in English)

$tbl_namn = $tbl_name (in English)

$_SESSION['mittbrukarnamn'] = $_SESSION['myusername'] (in English)

Answer 1:

Your SQL query is selecting all rows, because you don't have a WHERE clause. So, when you call mysql_fetch_row, it fetches the first row only.

You need to check the type of the user currently logged in:

$sql1 = "SELECT `type` FROM $tbl_namn WHERE <user_name> = '$_SESSION[mittbrukarnamn]'";

Another suggestion would be to not use MYSQL, but MYSQLi, or PDO for database operations, since MYSQL is not maintained any more by PHP and will be deprecated completely in PHP 5.5.0. Some of MYSQL functions are deprecated already.

Edit: There's another problem in your code. mysql_fetch_row returns an array, so you will need to retrieve the value from your array.

if($type1['type'] == 0)

instead of

if($type1 == 0)
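
Putting both points of this answer together (a WHERE clause scoped to the logged-in user, and reading the value out of the fetched result) in the recommended PDO style, here is an added example of what index_admin_check.php could look like. This is not the asker's or the answerer's code; it assumes the table kunde_register has a username column (named `brukarnamn` here as an assumption) and an integer `type` column where 1 means administrator and 0 means normal user.

```php
<?php
// Added example (not from the original question or answers): index_admin_check.php
// rewritten with PDO prepared statements. Assumed schema: kunde_register has a
// username column `brukarnamn` and an integer `type` column (1 = admin, 0 = user).
session_start();

// Nobody logged in: send to the normal page and stop executing immediately.
if (!isset($_SESSION['mittbrukarnamn'])) {
    header('Location: index.php');
    exit;
}

$vert       = 'localhost';
$brukarnamn = 'root';
$passord    = '';
$db_namn    = 'nettsidebunad';
$tbl_namn   = 'kunde_register';

try {
    $pdo = new PDO(
        "mysql:host=$vert;dbname=$db_namn;charset=utf8mb4",
        $brukarnamn,
        $passord,
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
        ]
    );
} catch (PDOException $e) {
    // Log the detail server-side; do not show connection errors to the visitor.
    error_log($e->getMessage());
    http_response_code(500);
    exit('Kan dessverre ikkje koble til databasen.');
}

// The WHERE clause limits the lookup to the logged-in user. The session value is
// bound as a parameter, never concatenated into the SQL string. The table name is
// a constant defined above, not user input (identifiers cannot be bound).
$stmt = $pdo->prepare(
    "SELECT `type` FROM `$tbl_namn` WHERE `brukarnamn` = :brukarnamn LIMIT 1"
);
$stmt->execute([':brukarnamn' => $_SESSION['mittbrukarnamn']]);
$type = $stmt->fetchColumn(); // false when no row matched, otherwise the column value

// Default-deny: only an existing row whose type is exactly 1 gets through.
// A missing row or any unexpected value ends up at the redirect.
if ($type === false || (int)$type !== 1) {
    header('Location: index.php');
    exit;
}

// Reaching this point means the current user is an administrator, so
// index_admin.php simply continues rendering after the require.
```

Two details matter for the protection to actually hold: the header() call must happen before any output (no echo before it, no whitespace before the opening `<?php` tag), and the redirect must be followed by exit, because a Location header only tells the browser where to go; without exit the rest of index_admin.php still executes and its output is still sent to the non-admin user.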


Answer 2:

As I seem to be answering a lot of these today: I have an admin panel on GitHub that seems to answer a lot of common questions about PHP logins. In your case, you would simply fetch type from your database and use that. Note that you must provide the WHERE statement in your SQL, otherwise you will not have that user's information. You will have every piece of it in that table.

The following makes use of prepared queries. mysql_* functions are deprecated (no longer supported; see this SO question)

function get_user_array() {
    /* Does all of the heavy lifting for getting user stats. */
    $db = new db(); // where db() is an abstraction class that implements mysqli and adds login details.
    if (isset($_SESSION["id"])) {
        $sid = $_SESSION["id"];
        // Prepared statement: the session id is bound as a parameter, never interpolated into the SQL.
        if ($query = $db->prepare("SELECT id, name, status FROM `users` WHERE id=?")) {
            $query->bind_param("i", $sid); // i = integer
            $query->execute();
            $query->bind_result($id, $name, $status);
            $query->fetch();
            $query->close();
            $db->close();
            return array("name" => $name, "status" => $status, "id" => $id);
        } else {
            return false; // prepare() failed
        }
    } else {
        return false; // no user id in the session: nobody is logged in
    }
}

My suggestion is also to use a user id, and find everything from the database. That way, if their username changes, the whole site doesn't blow up on their page load.


The actual comparison would be:

$user = get_user_array();
if (@$user["status"] != 'admin') { // @ error-handling will make it NULL anyway; "status" is the key get_user_array() returns
    header("Location: index.php"); // note: this must be sent BEFORE any output!
    exit; // stop here, otherwise the rest of the admin page still runs for the redirected user
}

And the fast comparison to check if a normal user is logged in (if logged_in(), for instance):

$user = get_user_array();
if (!@$user["id"]) { // continue only if logged in
    // not logged in: handle it here (redirect, error page, etc.)
}

Note: db() is this class (it is great to override the mysqli public functions to shorten code in the long run, provided you call the parent):

class db extends mysqli {
    public function __construct($a = DB_HOST,
                                $b = DB_USER,
                                $c = DB_PASS,
                                $d = DB_NAME,
                                $persistent = true) {
        if ($persistent) {
            parent::__construct("p:" . $a, $b, $c, $d);
        } else {
            parent::__construct($a, $b, $c, $d);
        }
    }
}