我想知道如何使用程序风格检查用户是否登录以及用户权限是否正确。我是 PHP 新手。我尝试使用的代码如下,但它根本不起作用我不知道为什么:
这是登录脚本
<?php
session_start();
$local=$_POST["local"];
$locales = array('001', '002', '003', '004', '005', '006', '007', '008', '009', '010');
if (in_array($local, $locales)){include ''.$local.'/enlace.php';}
else {header('Location: index.php?error=7');}
$locatario=mysqli_real_escape_string($database,$_POST['personal']);
$seguridad=mysqli_real_escape_string($database,$_POST['clave']);
if (empty($locatario) || empty($seguridad)| empty($local)){header('Location: index.php?error=1');exit();}
if (preg_match("/[^A-Za-z0-9]/", $locatario)){header('Location: index.php?error=2');exit();}
if (preg_match("/[^A-Za-z0-9]/", $seguridad)){header('Location: index.php?error=3');exit();}
$locatarios = mysqli_query($database, "SELECT * FROM `locatarios` WHERE locatario='$locatario' LIMIT 1");
if(mysqli_num_rows($locatarios)==0){header('Location: index.php?error=4');exit;}
$informacion=mysqli_fetch_array($locatarios,MYSQL_ASSOC);
$criptologia=hash('sha256',$informacion['codificacion'].hash('sha256',$seguridad));
if($criptologia!=$informacion['seguridad']){header('Location: index.php?error=5');exit;}
$_SESSION['identificacion']=$informacion['locatario'];
if ($informacion['privilegio']=="VENTAS"){header('Location: '.$local.'/ventas/index.php?funcion=inicio');exit();}
else if($informacion['privilegio']=="ADMINISTRACION"){header('Location: '.$local.'/administracion/index.php?funcion=inicio');exit();}
else if($informacion['privilegio']=="BODEGA"){header('Location: '.$local.'/bodega/index.php?funcion=inicio');exit();}
else if($informacion['privilegio']=="SOPORTE"){header('Location: '.$local.'/soporte/index.php?funcion=inicio');exit();}
else if($informacion['privilegio']=="PROPIETARIO"){header('Location: '.$local.'/propietario/index.php?funcion=inicio');exit();}
else if($informacion['privilegio']=="CLIENTES"){header('Location: '.$local.'/clientes/index.php?funcion=inicio');exit();}
else {header('Location: index.php?error=6');exit();}
?>
用户登录后,我们检查登录 session 和权限,但出现错误
Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, array given in /home/local/public_html/001/propietario/index.php on line 10
<?php
session_start();
$identificar = $_SESSION['identificacion'];
include 'sistema/enlace.php';
$locatarios = mysqli_query($database, "SELECT * FROM `locatarios` WHERE locatario='$identificar' LIMIT 1");
$controlar = mysqli_fetch_array($locatarios, MYSQLI_ASSOC);
$privilegio = $controlar["privilegio"];
if ($privilegio=='PROPIETARIO'){}
else {header('Location: /no-privs.php');exit();}
while($locatario = mysqli_fetch_array($controlar))
{
?>
<html>
<head>
<title>ADMIN ZONE</title>
</head>
<body>
WELCOME <?php echo $locatario[privilegio]?>, YOU ARE ADMIN ON THIS SITE</div>
</body>
</html>
<?php
}
?>
最佳答案
好的。好吧,重新解释这一切是没有意义的,它已经在评论中完成了。
注意:您将需要修改 session 数组及其填充方式以及一些其他变量(如果需要)。
但是,您应该首先检查 session 数组是否已按照注释中的概述进行设置。
我将其与 your originally posted code 结合使用,因此您必须修改它以适合您语言中的实际代码。
在我自己的服务器上测试/工作:
<?php
session_start();
$DB_HOST = 'xxx';
$DB_USER = 'xxx';
$DB_PASS = 'xxx';
$DB_NAME = 'xxx';
$database = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
if($database->connect_errno > 0) {
die('Connection failed [' . $database->connect_error . ']');
}
// here we check the user session name
$_SESSION['session_name'] = "John";
$identify_session = $_SESSION['session_name'];
$members = "SELECT * FROM `members` WHERE username='$identify_session' LIMIT 1";
$query = mysqli_query($database, $members);
$control = mysqli_fetch_array($query, MYSQLI_ASSOC);
// we check users privilege example ADMIN or MOD or USER
$privilege = $control["privileges"];
echo $privilege;
// because we are in admin page we show page or redirect him if no privilege
if ($privilege=='ADMIN')
{
// echo "You're in!";
}
else {
header('Location: /get_out.php');
exit();
}
if ($result = $database->query($members)) {
while ($locatario = $result->fetch_assoc())
{
?>
<html>
<head>
<title>ADMIN ZONE</title>
</head>
<body>
WELCOME <?php echo $locatario[username]?>, YOU ARE ADMIN ON THIS SITE</div>
</body>
</html>
<?php
} // brace for while loop
} // brace for if ($result = $database->query($members))
?>
<小时/>
脚注:
但是,这样做会让您对SQL injection持开放态度。 。使用mysqli
with prepared statements ,或PDO with prepared statements ,它们更安全。
关于php - 警告 : mysqli_fetch_array() expects parameter 1 to be mysqli_result, 数组给定 index.php 的第 10 行,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/29655093/