开发者

Show content only if logged in

开发者 https://www.devze.com 2023-01-28 21:21 出处:网络
Hello I have a question. I have set up my login system with cookies and it works. Bu开发者_Go百科t I wonder is there a more clean version of doing this.

Hello I have a question. I have set up my login system with cookies and it works. Bu开发者_Go百科t I wonder is there a more clean version of doing this.

<?
include('../config/db_config.php');

$username = $_COOKIE['user'];
$password = $_COOKIE['pass'];

$result = mysql_query("SELECT * FROM users WHERE isadmin = 1");

while($row = mysql_fetch_array($result))
{
    if($username == $row['username'] && $password == $row['password'])
    {
        //User entered correct username and password
        echo("ALLOW");
    }
    else
    {
        //User entered incorrect username and password
        echo("DENY");
    }
}
?>

You see I want all my content to be shown ONLY if I am logged in as admin. So what, now only way of doing this would be ECHO'ing out my HTML/PHP/Javascript instead of echoing ALLOW because if I just include("somepage.php") there that page would still be avialable for usage without logging in, and even if I do same check there I still would be ECHO'ing out everything.


  • Why are you loading every user, then comparing the username and the password? Wouldn't be easier to load a single user matching the username and the password?

  • Loading a single user will allow to remove the while().

  • In PHP, don't use mysql_query; do use PDO (if need, google for it to know why it's better).

  • Check your input (quite optional here, I agree).

  • Do never store passwords in plain text format.

You can probably do something like (I haven't used PHP/PDO for years, so the code may be inexact):

if (strlen($username)> 128)
{
    // Something wrong. The username is too long.
}

$hash = sha1($password);
$sth = $dbh->prepare('if exists(select * from users where isadmin = 1 and username = :username and password = :password) select 1 else select 0');
$sth->bindParam(':username', $username, PDO::PARAM_STR, 128);
$sth->bindParam(':password', $hash, PDO::PARAM_STR, 40);
$sth->execute();
$isFound = $sth->fetchAll();
if ($isFound)
{
    // User entered correct username and password.
    echo 'ALLOW';
}


You could set a session variable on your login page (or any page that checks the login) that stores whether or not they're logged in and it will persist across pages. Then you can simple wrap your admin html in an if statement like so:

<?php
if ($_SESSION['isAdmin'] == true) {
?>
<p>My admin html</p>
<?php
} else {
?>
<p>My non-admin html</p>
<?php
}
?>

To save the info in a session, just add this to the part where you have echo("ALLOW");:
$_SESSION['isAdmin'] = true;

You'll also want to add session_start(); to the top of the script.


I would suggest that you do something like that only once, when the user first accesses the page, and then set a $_SESSION['is_admin'] or something for the rest of the time, so that you don't have to make an extra db call each page.


You could always put your "somepage.php" above the document root. This is a common way of preventing direct execution.

For example, if your webserver looks like 'project/public_html/index.php' put your admin-only include in 'project/somepage.php' then reference it using something like include("../somepage.php").

Obviously this will need adjustment according to the real paths you use.

0

精彩评论

暂无评论...
验证码 换一张
取 消