如何检查“检查”php代码或页面中的权限?
我使用爆炸和 in_array
用户登录并进入“检查”页面后,代码必须检查用户的权限是否具有“dataDisplay”权限。但“检查”页面中的代码不会执行此操作
我的“检查”页面代码有什么问题
这是我的数据库:
+--------------------+-------------------------------+
| username | user_privilege |
|--------------------|-------------------------------|
| amal |7gz,agt_courses,newbill |
| | |
+----------------------------------------------------+
| | |
| ahmed |dataDisplay,previllige,newUsers|
+----------------------------------------------------+
第一页“登录”php:
<?php
ob_start();
session_start();
include '../connection/connect.php';
$username = $_POST['username'];
$password = $_POST['password'];
if($username && $password ){
$finduser = mysqli_query($link,"SELECT * FROM LOGIN WHERE username = '".$username."' AND password = '".$password ."'") or die("error");
if(mysqli_num_rows($finduser) !=0){
while($row = mysqli_fetch_array($finduser)){
$uname = $row['username'];
$pass= $row['password '];
$arr=explode(",",$row['user_privilege']);
}
}
{
$_SESSION['sessionname'] =$uname;
$_SESSION['sessionpass'] =$password ;
$_SESSION['sessionpre'] =explode(",",$row['user_previllige']);
header ("location:../agtSite/agt2.php");
}
}
ob_end_flush();
?>
第二页“检查”php:
<?php
session_start();
$_SESSION['sessionpre']='';
$haspermission =in_array("dataDisplay",$_SESSION['sessionpre']);
if( $haspermission )
{
header("location: agt2.php");
}
else{header("location: ../display/display.php");}
?>
你忘了添加else块,如果正确缩进代码就可以避免这个问题。
确保仅在找到用户时才创建会话
if(mysqli_num_rows($finduser) !=0){
while($row = mysqli_fetch_array($finduser)){
$_SESSION['sessionname'] =$row['username'];
$_SESSION['sessionpass'] = $row['password '];
$_SESSION['sessionpre'] = explode(",",$row['user_previllige']);
header ("location: ../check.php");
}
}
else{
//could not find user
}
正如其他人在评论中指出的那样防止SQL注入 https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php.
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)
