php - Login redirects to the same page, static but with different roles

Problem description:

After doing my SQL Schema (Different types of users redirected to same page (index.php) with different content), I'm starting to make my login system. I now have this:

function login($email, $password){

    $mysqli = $this->dbConnect();
    if($mysqli){

        // NOTE: $email and $password are interpolated straight into the SQL string
        $strQuery = "SELECT USERS.ID, USERS.EMAIL, TYPES.NAME FROM `USERS` LEFT JOIN `TYPES` ON USERS.TYPEID = TYPES.ID WHERE `EMAIL` = '$email' AND `PASSWORD` = '$password'";
        $recordSet = $mysqli->query($strQuery);
        $row = $recordSet->fetch_assoc();   // was $recordset (a different, undefined variable)
        if($recordSet->num_rows > 0){
            $_SESSION['auth'] = $row['ID'];
            $_SESSION['username'] = $row['EMAIL'];
            $_SESSION['type'] = $row['NAME'];
            header("Location: index.php");  // was header ("location:"index.php"); (unbalanced quotes)
            return true;
        }
        //....
    }

}

Does this look good? Is the query right? Any suggestions for improvement?

UPDATE

I have my login working now. And it's redirecting to index.php. But in index.php I don't have access to the $_SESSION variables I have stored in my function login. Is there any problem with the assignments? Is placing the header inside the function not good? Thanks :)

I summarized the previous comments.

1. Issue: you didn't use the same variables

function login($email,$password){ and $strQuery = " ... WHERE EMAIL = '$email' AND PASSWORD = '$password'";

2. Recommendation: use the same naming convention

In your SQL request you used two ways to refer to fields: USERS.EMAIL and `EMAIL` (with ` around). Use the same one. This will be easier later on and for debugging.

i.e.: of course, you don't have to use table.field every time. It is not mandatory, for example, if you have only one table OR if the field names are not shared between tables. For my personal usage, I always use table.field. This will prevent any future issue :)

3. Protect your data from any injection

Example:

$post_email = isset($_POST['email']) ? htmlspecialchars($_POST['email']) : null;

Alter the call:

$this->login($post_email, ...)

And finally use something like this to protect your data:

$email = $mysqli->real_escape_string($email);

and you are ready for your request:

" SELECT [..] FROM users as u [...] WHERE u.email = '$email' "

4. Or use specific functions

Example (real_escape_string not needed anymore):

$stmt = $dbConnection->prepare('SELECT * FROM users WHERE email = ? AND password = ?');
// bind_param() takes all placeholders in ONE call: one type character per "?"
// (the original bound them in two separate calls, which mysqli rejects)
$stmt->bind_param('ss', $email, $password);

$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // do something with $row
}

http://php.net/manual/fr/class.mysqli.php

5. Sessions

If you want to activate sessions on a specific page, the first code (on the first line) should be session_start().

Calling this method will activate the sessions and load the $_SESSION variable with content.

<?php // index.php
session_start(); // first line

// ... code
var_dump($_SESSION);
?>

&

<?php // page.php
session_start(); // first line

// ... code
$_SESSION['test'] = time();
header('Location: index.php');
?>
  1. Visit index.php -> nothing on the debug
  2. Visit page.php -> you will be redirected on index.php
  3. On index.php -> you will have data

Enjoy session :p

6. Handle specific data

To begin with, you should choose a way to store the credential access (ACL) for each user. For example, store in the database some values such as 100001, where each digit is a yes/no access for a specific action (binary access mode); another system is to store the level '1,2,3,4,5' ... or 'member,customer,admin, ...'. So many ways :)

I will choose the USER.ACCESS = member|customer|admin solution

On the login page

// is user successfully logged
$_SESSION['access'] = $row['access']; // member|customer|admin
// Header('Location: index.php');

On any page of your site:

if( in_array($_SESSION['access'], ['member', 'admin']) ) {
  echo 'You are a member, you can see this part';
}

if( in_array($_SESSION['access'], ['customer', 'admin']) ) {
  echo 'You are a customer, you can see this part';
}

Or

if( checkAccess() ) {
  echo 'Welcome user !';

  if( checkAccess(['member', 'customer']) ) {
    echo 'This is a section for member, customer or admin :)';
  }

  if( checkAccess('member') ) {
    echo 'You are a member, you can see this part';
  }

  if( checkAccess('customer') ) {
    echo 'You are a customer, you can see this part';
  }
}

function checkAccess($types = null) {
  if( !isset($_SESSION['access']) )
    return false; // not logged in

  if( is_null($types) )
    return true; // if empty, only report whether the user is logged in

  // admin always has access to all sections of the website
  // (array_merge, not "+": with "+" the numeric key 0 of ['admin'] collides with
  //  key 0 of (array) $types and 'admin' is silently dropped)
  $hasAccess = in_array($_SESSION['access'], array_merge((array) $types, ['admin']));
  return $hasAccess; // user is logged in + has access, or not
}

Of course, you can also use includes

if( checkAccess('member') ) {
  include 'secret_page_for_member.php';
}

Or, at the beginning of the included page:

<?php
if( !checkAccess('admin') ) {
  return '403 - Not authorized';
  // die('403');
  // throw new Exception('403');
}
// your code
?>
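The following is an added example, not code from the question or from the answer above; it puts points 3, 4, 5 and 6 of the answer together into one hardened login plus the checkAccess() helper. It assumes a mysqli connection, a USERS table with columns ID, EMAIL, PASSWORD_HASH (a password_hash() digest, not the plaintext password the question's query compares against) and TYPEID, a TYPES table whose NAME column holds member|customer|admin, and the placeholder connection constants shown; all of those names are assumptions for illustration.

```php
<?php
// Added example (not from the original question or answer).
// Assumed schema: USERS(ID, EMAIL, PASSWORD_HASH, TYPEID), TYPES(ID, NAME).
declare(strict_types=1);

session_start(); // before any output and before touching $_SESSION

// Placeholder connection values; replace with your own.
$mysqli = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');

function login(mysqli $mysqli, string $email, string $password): bool
{
    // Prepared statement: the e-mail never becomes part of the SQL text, so no
    // real_escape_string() is needed and injection through $email is not possible.
    // The password is NOT part of the WHERE clause; it is checked against a hash below.
    $sql = 'SELECT u.ID, u.EMAIL, u.PASSWORD_HASH, t.NAME AS ACCESS
            FROM USERS AS u
            LEFT JOIN TYPES AS t ON u.TYPEID = t.ID
            WHERE u.EMAIL = ?';
    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $email);   // one type character per "?", all in one call
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // password_verify() handles the salt embedded in the hash and compares in
    // constant time; "no such user" and "wrong password" give the same answer.
    if ($row === null || !password_verify($password, $row['PASSWORD_HASH'])) {
        return false;
    }

    // Successful login: discard the pre-login session id so an id handed to the
    // browser before authentication cannot be reused (session fixation).
    session_regenerate_id(true);
    $_SESSION['auth']     = (int) $row['ID'];
    $_SESSION['username'] = $row['EMAIL'];
    $_SESSION['access']   = $row['ACCESS'] ?? 'member'; // member|customer|admin
    return true;
}

function checkAccess($types = null): bool
{
    if (!isset($_SESSION['access'])) {
        return false; // not logged in
    }
    if ($types === null) {
        return true;  // caller only asks "is someone logged in?"
    }
    // array_merge, not "+": with "+" the numeric key 0 of ['admin'] collides with
    // key 0 of (array) $types and 'admin' is silently dropped from the list.
    $allowed = array_merge((array) $types, ['admin']);
    return in_array($_SESSION['access'], $allowed, true); // strict comparison
}

// login.php: redirect only after $_SESSION is populated, then stop the script
// so nothing after the header() call runs for this request.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $email    = $_POST['email'] ?? '';
    $password = $_POST['password'] ?? '';
    if (login($mysqli, $email, $password)) {
        header('Location: index.php');
        exit;
    }
    echo 'Invalid credentials';
}
```

For this to work the PASSWORD_HASH column must be filled at registration with password_hash($password, PASSWORD_DEFAULT); the query then never needs to see the plaintext password at all. The `exit` after header() matters for the question's own code too: without it, the rest of login() (and of the calling page) keeps executing after the redirect header has been sent.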