
Can anyone help me?

I'm still a newbie in using most of the PHP stuff here. I'm having a problem with creating multiple user types using sessions.

What I want to do is this: an account type exclusively for admins and an account type only for normal users.

Users with admin privileges will be able to access pages for admins only, while normal users who log in will be able to access pages meant for users only.

So far I've created a single-user login, which is for admins only. I'm really confused about how to add non-admins so that they can access the pages meant only for them.

Can anyone help me with this code?

This is the home page

<?php

// Initialize session
session_start();

error_reporting(E_ALL ^ E_NOTICE);

//$name = $_SESSION['username'];
if (isset($_SESSION['username']))
{
    header('Location: index_admin.php');
    exit; // stop executing after sending the redirect
}
?>

This is the admin page

<?php
// Initialize session
session_start();

// Check: if the username session variable is NOT set, send the visitor to the login page
if (!isset($_SESSION['username']))
{
    header('Location: index.php');
    exit; // stop executing after sending the redirect
}
?>

This is the login form

<form action="login.php" method="post">
    <input type="text" name="uname" placeholder="USERNAME . . . " autofocus/>
    <br/>
    <input type="password" name="pword" placeholder="PASSWORD . . . " />
    <br/>
    <center><input type="submit" name="submit" value="LOGIN" /><button type="reset">RESET</button></center>
</form>

This is the login.php

<?php
session_start();

include("config.php");

$login = mysql_query("SELECT * FROM users WHERE (username = '" . mysql_real_escape_string($_POST['uname']) . "') and (password = '" . mysql_real_escape_string($_POST['pword']) . "')");
// Check that exactly one row matched the username and password
if (mysql_num_rows($login) == 1)
{
    // Set username session variable
    $_SESSION['username'] = $_POST['uname'];

    // Jump to secured page
    header('Location: index_admin.php');
    exit; // stop executing after sending the redirect
}
else
{
    // Jump to login page
    header('Location: index.php');
    exit;
}
?>

This is the database

user_tbl

id       = 1
username = admin
password = 12345

Thanks in advance for the assistance.

  • Please! Stop using mysql_ apis, especially for security applications. If you use them on the public network, your site will be pwned. Commented Feb 27, 2014 at 13:20

4 Answers

2

It seems from your question that you'll use the same login page for both administrative users and non-administrative users. That's the case for which I'll offer an answer.

In the process of validating a particular user's name and password, you need to determine what privilege level that user has been granted. You might have a column called "privilege" in your user table.

usr_tbl needs to look something like this:

 id    username     password    privilege
  1      admin      W$^%^$%^%^%  admin
  2      reggel     DJDT&646364  user
  3      ollie      DTHDHFGEERT  user

Upon login, you'll read the usr_table and pull that user's value out of the column and store it as a session variable, something like this:

 $_SESSION['privilege'] = $privilege; /* from user table */

Then you can do logic like this to decide what your user should see, and what she should be able to do.

 if ( 'admin' == $_SESSION['privilege'] ) {
     // Jump to secured page
     header('Location: index_admin.php');
     exit; // stop the script once the redirect has been sent
 }
 else {
     // Jump to login page
     header('Location: index.php');
     exit;
 }

In later page views, if your session logic is functioning correctly, the $_SESSION['privilege'] variable should continue to be available.

p.s. mysql_ APIs for security code? Really?


1
  • You need to add a new field in your database for user type (admin/normal_user).
  • In your login script, save the user type in the session (admin/normal_user).
  • Now, at the top of every page, check the session value of the user type: if it is admin, let the page open; if it is normal_user, redirect the page to login.


0

Ideally you need to expand on the data structure serving this code: set up a table of users and a table of groups; the groups will imply access rights. When you submit the login page, check the database for the username, then:

1) If no match, return to the "access denied" screen.

2) If match, cross-reference with the groups table to determine the privilege level of this user. Then:
   2a) If admin, return to the admin screen, setting appropriate session vars to store that decision.
   2b) Else, return to the normal user screen, ditto setting appropriate session vars.

Your core problem is that upon entering "the" homepage, you are simply checking if the username is set, and then taking the user to the admin screen. This is wrong. Try to split out your logic into smaller simpler steps, and consider the "if-else" logic in human terms. "What do I want to happen?" then "What do I need to know to ascertain how to do that?".

Good luck!
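The approach the three answers above describe (a privilege column read at login time and kept in the session), written out as an added example that is not code from any of the answers or from the question. It assumes a users table with the columns id, username, password_hash and privilege, and PDO connection details that would normally live in config.php; it uses prepared statements and password_verify() in place of the mysql_ functions the comments object to.

```php
<?php
// Added example login.php: resolve the user's privilege at login and store it in
// the session. Assumed table: users(id, username, password_hash, privilege).
declare(strict_types=1);
session_start();

// Assumed DSN and credentials; in practice these come from config.php.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$uname = $_POST['uname'] ?? '';
$pword = $_POST['pword'] ?? '';

// Prepared statement: the username is bound as a parameter, never concatenated into SQL.
$stmt = $pdo->prepare(
    'SELECT id, username, password_hash, privilege FROM users WHERE username = ? LIMIT 1'
);
$stmt->execute([$uname]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

// Verify against a stored password_hash(). "No such user" and "wrong password" take the
// same branch so the response does not reveal which one failed.
if ($user === false || !password_verify($pword, $user['password_hash'])) {
    header('Location: index.php?error=1');
    exit; // always stop after sending a redirect header
}

// A fresh session id when privileges change defeats session fixation.
session_regenerate_id(true);
$_SESSION['user_id']   = (int) $user['id'];
$_SESSION['username']  = $user['username'];
$_SESSION['privilege'] = $user['privilege']; // 'admin' or 'user', straight from the table

// Route by privilege. Each target page must re-check $_SESSION['privilege'] itself;
// this redirect is a convenience, not the access control.
header('Location: ' . ($user['privilege'] === 'admin' ? 'index_admin.php' : 'index_user.php'));
exit;
```

Rows in the table are created with password_hash('the password', PASSWORD_DEFAULT) rather than storing a plaintext value such as 12345.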


0

I used the same, but I got one error:

This page does not work local host has redirected you too often. Try clearing your cookies. ERR_TOO_MANY_REDIRECTS

<?php

// Include config file
require_once "config.php";

// Initialize the session
session_start();

// Check if the user is logged in, if not then redirect him to login page
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
    header("location: login.php");
    exit;
}

$_SESSION['privilege'] = $privilege; /* from user table */

if ( 'admin' == $_SESSION['privilege'] ) {
    // Jump to secured page
    header('Location: index_admin.php');
}
else {
    // Jump to login page
    header('Location: index.php');
}

?>

<?php include "theme/header.tpl"; ?> 

    <div class="page-header">
        <h1>Hi, <b><?php echo htmlspecialchars($_SESSION["username"]); ?></b>. Welcome to our site.</h1>
    </div>
    <p>
        <a href="reset-password.php" class="btn btn-warning">Reset Your Password</a>
        <a href="logout.php" class="btn btn-danger">Sign Out of Your Account</a>
        <a href="users.php" class="btn btn-success">Users </a>       
    </p>


<?php include "theme/footer.tpl"; ?> 
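A per-page guard, added here as an example that is not part of the answer above, that shows how to avoid the redirect loop that snippet runs into. In the snippet, nothing visible assigns $privilege before it is copied into the session, so every logged-in user takes the else branch and is redirected to index.php, and a page that unconditionally redirects on success can only bounce between pages; a guard should redirect only when its check fails, and only to a page that does not redirect back. The file name auth.php and the login_form.php target are assumptions.

```php
<?php
// Added example auth.php: protected pages call require_role() once at the top.
// The session layout (user_id, privilege) matches the login example above.
declare(strict_types=1);

function require_role(string $role): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Not logged in at all: send to the login form. The form performs no redirect
    // of its own, so there is nothing to loop with.
    if (!isset($_SESSION['user_id'], $_SESSION['privilege'])) {
        header('Location: login_form.php');
        exit;
    }

    // Logged in but wrong role: answer with 403 instead of another redirect.
    // Bouncing a 'user' to index.php, which bounces back, is the ERR_TOO_MANY_REDIRECTS case.
    if ($_SESSION['privilege'] !== $role) {
        http_response_code(403);
        exit('Forbidden: this page requires the ' . htmlspecialchars($role) . ' role.');
    }

    // Check passed: return and let the page render. Never redirect to the page itself.
}

// index_admin.php (assumed name) would then start with:
//   require_once 'auth.php';
//   require_role('admin');
//   ... render the admin page ...
// and a page for normal users with require_role('user').
```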
