2014-10-08 90 views
-2

The following code is for my admin login page, which redirects to an admin-only page after a successful login. Based on the database value, I need only users whose admin value is 1 to be granted access, while users whose admin value is 0 should receive an error message similar to "Invalid username or password". Please indicate where to place the additional code. PHP user/admin login using a database

Also, please keep in mind that I pieced the code and patches together as best I could to make it work, so I am not very fluent in PHP. Any help would be greatly appreciated.

DATABASE 
ID Username Password Admin 
1  John  ••••••  0 
2  Aaron  ••••••  1 

<?php 

    // connect.php is assumed to create the PDO handle $db and to call session_start(),
    // which the use of $_SESSION below requires.
    require("connect.php");

    // Re-display the username if they fail to enter correct password. 
    $submitted_username = ''; 

    // Determine whether the login form has been submitted 
    // If it has, run the login code, otherwise display form 
    if(!empty($_POST)) 
    { 
     // Retrieve the users info from the database using username 
     $query = " 
      SELECT 
       id, 
       username, 
       password, 
       salt, 
       email, 
       admin 
      FROM users 
      WHERE 
       username = :username 
     "; 

     // The parameter values 
     $query_params = array( 
      ':username' => $_POST['username'] 
     );  

     try 
     { 
      // Execute query against database 
      $stmt = $db->prepare($query); 
      $result = $stmt->execute($query_params); 
     }
     catch(PDOException $ex)
     { 
      die("Failed to run query: " . $ex->getMessage()); 
     } 

     $login_ok = false; 

     // Retrieve user data from database. If $row is false, the username is not registered
     $row = $stmt->fetch(); 
     if($row) 
     { 
      // Using the password submitted by the user and the salt stored in the database, 
      // we now check to see whether the passwords match by hashing the submitted password 
      // and comparing it to the hashed version already stored in the database. 
      $check_password = hash('sha256', $_POST['password'] . $row['salt']); 
      for($round = 0; $round < 65536; $round++) 
      { 
       $check_password = hash('sha256', $check_password . $row['salt']); 
      } 

      if($check_password === $row['password']) 
      { 
       // If they do, then we flip this to true 
       $login_ok = true; 
      }   
     } 

     // If the user logged in successfully, then we send them to the private members-only page 
     // Otherwise, we display a login failed message and show the login form again 
     if($login_ok) 
     { 
      // Here I am preparing to store the $row array into the $_SESSION by 
      // removing the salt and password values from it. Although $_SESSION is 
      // stored on the server-side, there is no reason to store sensitive values 
      // in it unless you have to. Thus, it is best practice to remove these 
      // sensitive values first. 
      unset($row['salt']); 
      unset($row['password']); 

      // This stores the user's data into the session at the index 'user'. 
      // We will check this index on the private members-only page to determine whether 
      // or not the user is logged in. We can also use it to retrieve 
      // the user's details. 
      $_SESSION['user'] = $row; 

      // Redirect the user to the private members-only page. 
      header("Location: index.php"); 
      die("Redirecting to: index.php"); 
     } 
     else
     {
      // Tell the user they failed 
      $error = "Invalid Username or Password"; 

      // Show them their username again so all they have to do is enter a new 
      // password. The use of htmlentities prevents XSS attacks. You should 
      // always use htmlentities on user submitted values before displaying them 
      // to any users (including the user that submitted them). For more information: 
      // http://en.wikipedia.org/wiki/XSS_attack 
      $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); 
     } 
    } 

?> 
+0

You need to explain what problem you are having with the current code, ideally with the [shortest code](http://stackoverflow.com/help/mcve) that reproduces the problem. – parchment 2014-10-08 06:32:57

+0

I don't necessarily have any "problem" with the code. As far as it goes, it works fine; I just need additional code to pick up the admin database value of 0 or 1 and grant access only to admins. – 2014-10-08 06:41:03

Answer

0

Maybe this will work:

if($check_password === $row['password'] && $row['admin'] == 1)
{
    $login_ok = 1;
}
else
{
    $login_ok = 0;
}

OR

Or you could change your query:

$query = " 
      SELECT 
       id, 
       username, 
       password, 
       salt, 
       email, 
       admin 
      FROM users 
      WHERE 
       username = :username
       AND admin = 1
     "; 
+0

Thanks for the reply; it seems to deny access to all users and admins. – 2014-10-08 06:55:00

+0

Okay, try it now; earlier I used a capital A in admin. :P – 2014-10-08 06:56:21

+0

Works like a charm! Thank you very much – 2014-10-08 07:03:31
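The same admin gate as in the answer, written as an added example (not the asker's or the answerer's code) so that the password check and the admin check happen in one function, the hash comparison is constant-time, and the admin-only page re-checks the flag. It assumes the users table and the sha256-with-salt hashing loop shown in the question; the sample rows and passwords are constructed.

```php
<?php
// Added example, not the asker's or answerer's code. Same admin gate as the
// answer, but the password check and the admin check are done in one function,
// the hash comparison is constant-time, and the admin-only page re-checks the
// flag. Assumes the users table and hashing scheme shown in the question.

// The question's scheme: sha256(password . salt), then 65536 further rounds.
function hash_with_salt(string $password, string $salt): string
{
    $h = hash('sha256', $password . $salt);
    for ($round = 0; $round < 65536; $round++) {
        $h = hash('sha256', $h . $salt);
    }
    return $h;
}

// True only when the password matches AND the admin column is 1.
// hash_equals() compares in constant time, so response timing does not
// reveal how much of the stored hash matched.
function admin_login_ok(?array $row, string $submitted_password): bool
{
    if ($row === null) {
        // Unknown username: still pay the hashing cost so that timing does
        // not reveal whether the username exists (placeholder salt).
        hash_with_salt($submitted_password, 'placeholder-salt');
        return false;
    }
    $password_ok = hash_equals($row['password'], hash_with_salt($submitted_password, $row['salt']));
    return $password_ok && (int) $row['admin'] === 1;
}

// For the admin-only page: authorize at the resource, not only at the redirect.
function session_is_admin(array $session): bool
{
    return isset($session['user']['admin']) && (int) $session['user']['admin'] === 1;
}

// Constructed rows mirroring the DATABASE table in the question (passwords invented).
$john  = ['id' => 1, 'username' => 'John',  'salt' => 'salt-1', 'admin' => 0];
$aaron = ['id' => 2, 'username' => 'Aaron', 'salt' => 'salt-2', 'admin' => 1];
$john['password']  = hash_with_salt('john-pass',  $john['salt']);
$aaron['password'] = hash_with_salt('aaron-pass', $aaron['salt']);

var_dump(admin_login_ok($john, 'john-pass'));    // correct password, but admin = 0
var_dump(admin_login_ok($aaron, 'aaron-pass'));  // correct password, admin = 1
var_dump(admin_login_ok($aaron, 'wrong-pass'));  // wrong password
var_dump(admin_login_ok(null, 'anything'));      // username not found
var_dump(session_is_admin(['user' => ['id' => 2, 'admin' => 1]]));
```

In the real page, $row comes from $stmt->fetch(), which returns false rather than null when no row matches, so pass `$row === false ? null : $row`. Call session_regenerate_id(true) after a successful login, before storing $row in $_SESSION, so the session id issued before authentication is not carried over.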