您所说的是rbac（角色库访问控制）。

if($account == "admin" && $rows['username'] = $username && $rows['password']=$password){
    $_SESSION['username'] = $username;
    $_SESSION['access'] = $account;
}

在需要管理员访问的页面上，您可能应该将用户重定向到主页或发送未经授权的访问消息。

if(isset($_SESSION['access']) && $_SESSION['access'] != 'admin') {
    header("Location: index.php");
}

此外，如果你正在寻找更多的控制的基础上的作用，我会建议你使用一个库，如http://phprbac.net/

似乎您正在尝试在您的网站上实现基于角色的访问控制。
下面是使用准备好的语句的可能实现：

<?php

// db.php should create a mysqli insance:
// $con = new mysqli("host", "username", "password", "databaseName"); 
require('db.php');
session_start();

if (isset($_POST['username']) && isset($_POST['password'])) {

    //Checking is user existing in the database or not
    $query = "SELECT * FROM users_detail WHERE username = ? and password = ?";

    //use prepared statement
    $stmt = $con->prepare($query);
    $stmt->bind_param('ss', $_POST['username'], $_POST['password']);
    $stmt->execute();
    $result = $stmt->get_result();

    if ($result->num_rows !== 0) {

        //fetch user from database.
        $user = $result->fetch_assoc();

        //check if user is an admin.
        if($user['account'] === "admin") {
            $_SESSION['username'] = $username;
            header("Location: admin.php"); //admin's page
        }

        //check if user is a normal user.
        if($user['account'] === "user") {
            $_SESSION['username'] = $username;
            header("Location: user.php"); //user's page
        }

    } else {
        echo '<div class="alert">Username/password is incorrect. Click <a href="login.php">here</a> to log-in.</div>';
    }
    //free memory used by the prepared statement.
    $stmt->close();
} else { 
    //username and password not provided.
}
?>

mysqli_num_rows($result) 返回行数。那以后呢 $result = mysqli_query($con,$query); 您需要使用 mysqli_fetch_array($query)

这是完整的解决方案，
1.在用户表中，需要为表中的每个用户创建列调用user\u角色admin或normal\u user

2在您的log.php中，首先获取数据库获取用户角色值，当您验证用户密码和db密码时，另存为session。

<?php 

      if( isset($_POST['login_btn'])){  // someone click login btn

    $username = clean($_POST['username']); 
    //clean is the custom function to remove all harmful code
    $password = clean($_POST['password']);

    // run query to get db username & password i am using prepare stmt for more secure , you can use mysqli_fetch_array , but need to implement mysql_real_escape_string for sql injection

    $stmt = mysqli_prepare($connection,"SELECT username,password,email,user_role FROM your table WHERE username = ? ");

    //$connection is your db connection 
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);

    mysqli_stmt_bind_result($stmt, $bind_username,$bind_password,$bind_email,$bind_user_role);

    confirm($stmt); // confirm is also custom function to check query is successful execute
    while (mysqli_stmt_fetch($stmt)) {
        $db_username = $bind_username;;
        $db_password = $bind_password ;
        $db_email    = $bind_email ;
        $user_role   = $bind_user_role ;
    }

    //  do form validation           
    if($username =="" or $password =="" ){
        echo 'All Fileds Are Required'; 
    }elseif( $username !== $db_username ){
        echo 'username not existed';
    }else{
    if( password_verify($password, $db_password)){
    // assuming your using password_hash function to verify , or you can just use simply compare $password == db_password                                           
    // if password_verify return true meaning correct password then save all necessary sessions
    $_SESSION['username']         = $db_username ;
    $_SESSION['user_email']       = $db_email ;
    $_SESSION['user_role']        = $user_role ;

    // first method ->    header('Location: portal.php');      
    // you can now direct to portal page{1st method } where all admin or normal user can view 
    // or you can now do separate redirection (2nd method below )
    // remember $user_role  will == 'admin' or 'normal_user'
if( $user_role == 'admin' ){
    header('Location: page_admin_will_view.php');
}elseif(  $user_role == 'normal_user'  ){
    header('Location: page_normal_user_will_view.php');
}

    }else{
       echo 'incorrect password';
    }

 }                                  
    }  //  end of post request 

?>

3.普通用户不小心访问了管理员页面怎么办？我们已经考虑到这一点，并做了一些额外的工作，把下面的代码放在页面\u admin\u will\u view.php头中

<?php 
    if( isset($_SESSION['user_role'] )){ 
    // meaning user is logged in 
        if(  $_SESSION['user_role']  !== 'admin'){
        // meaning user_role is not amind , redirect to the page normal user belongs to
         header("Location: ../normal_users.php");
    }

    } else{
        //redirect to somewhere meaning user is not logged in
         header("Location: ../somewhere.php");
    }

?>

我希望这能帮助你，我正在使用它，它可能不是一个完美的解决方案。但对我来说很管用。哈哈

首先，创建管理员角色，就像用户登录时在会话中保存管理员角色时对$account所做的那样，

$admin_user = $_SESSION['admin_user'] ;
$normal_user = $_SESSION['normal_user'] ;

在管理站点中，比如admin.php，你不想让普通用户看到的页面写这个{完美地写在header.php}

if(isset($_SESSION['username'])){  
//meaning user is logged in
    if(isset($_SESSION['admin_user']) or isset($_SESSION['normal_user'])){

        if( $_SESSION['admin_user'] !== 'admin_user' ){
            header('Location: somewhere.php');

        }
    }
}else{
   //meaning user is not logged or session had terminated 
   header('Location: index.php');
}