PHP Access Level Control ( Permissions) Help


mumba

Hi everyone, I am developing an application that has two views, one for the administrator and one for staff. The administrator can perform all application tasks and staff can ONLY perform certain tasks. I have implemented sessions quite alright and they are working. Now the problem is that when I log in as staff and then change the URL to point to an administrator's page, the application allows that. How can I prevent that from happening? Staff MUST NOT see administrator pages. Here are my login code, my logout code and the code I am using to protect web pages below.

 

Here is my login code

 

<?php

//start the session
session_start();

$username=$_POST['username'];
$password=$_POST['password'];

$encrypted=md5($password);

// set connection to database

$hostname="localhost"; // Host name
$mysql_server_username="root"; // Mysql username
$server_password=""; // Mysql password
$db_name="db_inventory"; // Database name
$table = "tbl_users";      // Table name

// Connect to server and select database.
mysql_connect("$hostname", "$mysql_server_username", "$server_password")or die("cannot connect to database server");
mysql_select_db("$db_name") or die ("Couldn't select the database.");

$admin=("select * from $table where username='$username' AND password='$encrypted' AND type = 'admin'");
$staff=("select * from $table where username='$username' AND password='$encrypted' AND type = 'staff'");

//check that at least one row was returned
$adminresult=mysql_query($admin);
$admincount = mysql_num_rows($adminresult);

$staffresult=mysql_query($staff);
$staffcount = mysql_num_rows($staffresult);

if($admincount> 0){
    $_SESSION['valid_user'] = $username ;
    header( "Location: main_menu.php" );
}
else if($staffcount> 0){
    $_SESSION['valid_user'] = $username ;
    header( "Location: staff/main_menu.php" );
}
else
{

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>title> | Login</title>
</head>

<body bgcolor="#FFFFFF"  background-repeat:no-repeat; background="images/images1.jpg">
<div align="center">
  <table width="800" height="501" border="0" cellpadding="1" cellspacing="1">
    <tr>
      <td height="100"> </td>
    </tr>
    <tr>
      <td height="350">
      <div align="center">
      <form method="post" action="login_process.php">
        <h4 align="center"><font color="red">Incorrect Username / Password ! Please Try Again</font></h4>
          <img name="" src=images/padlock_closed.gif width="34" height="32" alt="" /><br /><br />
          <table width="314" border="0" cellspacing="1" cellpadding="1">
            <tr>
              <td>Username:</td>
              <td><label>
                <input type="text" name="username"  />
              </label></td>
            </tr>
            <tr>
              <td>Password:</td>
              <td><label>
                <input type="password" name="password" />
              </label></td>
            </tr>
            <tr>
              <td colspan="2">
              <p>
                  <input type="submit" name ="submit" value="Login" />     <input type="reset" value="Reset" />
              </p>
              </td>
            </tr>
          </table>
      </form>
      </div>
      </td>
    </tr>
    <tr>
      <td height="100"> </td>
    </tr>
  </table>
</div>
</body>
</html>

<?php

}
?>

 

 

Here is my logout code

 

 

<?php
//start the session
session_start();

//check to make sure the session variable is registered
if(isset($_SESSION['valid_user'])){

    //session variable is registered, the user is ready to logout
    session_unset();
    session_destroy();

    //the session variable isn't registered, the user shouldn't even be on this page
    header( "Location: index.php" );
}
else
{
    //check to see if the session variable is not registered
    if(!isset($_SESSION['valid_user'])){
        //redirect to login page
        header( "Location: index.php" );
    }
}
?>

 

 

 

Here is code I am using to protect pages

 

 

<?php
//start the session
session_start();
//check to make sure the session variable is registered

if(!isset($_SESSION['valid_user'])){
    //redirect to login page
    header( "Location: index.php" );
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title> | Main Menu</title>
<link rel="stylesheet" type="text/css" href="css.css" />
</head>

<body>

<div id="tabsF">
<ul>
<!-- CSS Tabs -->
<li id="current"><a href="main_menu.php"><span>MAIN MENU</span></a></li>
<li><a href="stockmaster.php"><span>STOCK MASTER</span></a></li>
<li><a href="controlpanel.php"><span>CONTROL PANEL</span></a></li>
<li><a href="logout.php"><span>LOGOUT</span></a></li>

</ul>
</div>
</body>
</html>

 

 

Thank you.

 

 


A lot of things you could do here.

 

I would add another session var like user_type or something and either set it to 0 (staff) or 1 (admin) depending on the user login. Then check that as well as valid_user for your authentication. Use user_type >= access_level (0 or 1). This way admin can access the staff area as well.

 

 


Here is code I am using to protect pages...

 

You need an exit; statement after the header() redirect to prevent the remainder of the code on the page from being processed. All anyone would need to do is ignore the redirect and he has access to the 'protected' page.

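The two replies above (a numeric user_type session variable compared against the page's required level, and exit; after the redirect) combined into one helper. This is an added example, not the original poster's code or either reply's; it assumes a hypothetical include file auth.php and that the login script has already verified the password and read the user's type column ('admin' or 'staff').

```php
<?php
// auth.php (hypothetical file name): shared access-level check for every page.
declare(strict_types=1);

const LEVEL_STAFF = 0;
const LEVEL_ADMIN = 1;

// Map the database "type" value to a numeric access level.
function level_for_type(string $type): int
{
    return $type === 'admin' ? LEVEL_ADMIN : LEVEL_STAFF;
}

// Call from login_process.php after the credentials check succeeds
// (session_start() must already have run). Stores the level next to the
// username so protected pages can compare it.
function start_user_session(string $username, string $type): void
{
    session_regenerate_id(true);          // fresh session id once privileges change
    $_SESSION['valid_user'] = $username;
    $_SESSION['user_type']  = level_for_type($type);
}

// Put at the very top of every protected page, before any HTML output.
// Admin pages: require_level(LEVEL_ADMIN). Staff pages: require_level(LEVEL_STAFF).
// Because admin (1) >= staff (0), an admin passes both checks; staff fail the admin one.
function require_level(int $required): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $level = $_SESSION['user_type'] ?? null;
    if (!isset($_SESSION['valid_user']) || !is_int($level) || $level < $required) {
        header('Location: index.php');
        exit;   // without this the rest of the page is still sent to the client
    }
}

// Usage in main_menu.php (admin area):
//   require_once 'auth.php';
//   require_level(LEVEL_ADMIN);
// Usage in staff/main_menu.php:
//   require_once '../auth.php';
//   require_level(LEVEL_STAFF);
```

The logout script should keep calling session_unset() and session_destroy() so user_type is cleared together with valid_user.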
