
adding an admin to an existing login script..

Hey everyone,

No errors here but I was wondering..is there an easy way to simply "add" an administrator in a log-in script to redirect to a certain area of a website that the administrator can only access? Any advice would be greatly appreciated :)

geneh23
Posting Whiz in Training
246 posts since Oct 2011
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0

Depending on your setup. If it's database driven you could add check boxes to your back admin where users are listed. Then if you want them to be admin you could check the box, submit, and in your database where users are you could add a column called "isadmin" and the checked box will add to the database 1 for yes and null for no. Later you could add the redirect with an if condition: if $isadmin = "1" redirect..

I hate to post links to other places.. but this works great.. I've used it. It doesn't cover the redirect. But that's standard.

http://www.phpfreaks.com/tutorial/working-with-checkboxes-and-a-database

reco21
Light Poster
43 posts since Jan 2011
Reputation Points: 14
Solved Threads: 1
Skill Endorsements: 0

I simply want to just add an admin section to the following code..if possible..and yes it is database driven.

login.php

<?php
session_start();

$host="************"; // Host name 
$username="****"; // Mysql username 
$password="********"; // Mysql password 
$db_name="*********"; // Database name 
$tbl_name="*********"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$username=$_POST['username']; 
$password=$_POST['password'];

// To protect MySQL injection 
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='0'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>
geneh23

Your user DB should have a userlevel field which can be stored as bits, e.g.

0 = not activated
1 = regular user
2 = moderator
4 = admin
8 = superadmin

A user with admin rights should then have all the rights of admin and below, so
admin userlevel = sum of all = 1 + 2 + 4 = 7
superadmin = 1 + 2 + 4 + 8 = 15

You then check using the bitwise operator:

if($row['userlevel'] & 4){
  $admin = true;
}

Or something like that.

You could have a simpler setup with just an admin field (0 or 1).

diafol
Keep Smiling
Moderator
10,668 posts since Oct 2006
Reputation Points: 1,628
Solved Threads: 1,514
Skill Endorsements: 57

what if I did this since I actually do have something called a "userlevel" and I set one field to "1" out of "1" "2" "3" and just added this bit of code to the login.php file

<?php 
if($row['user_level'] == 1) {
  header("Location: index.php");
  die();
} ?>

and then when I need to get to a page that requires an admin only access..put in this line of code at the top saying:

<?php 
if($row['user_level'] == 1){
  header('Location: admin-area.php');
   die();
} ?>
geneh23

Quick suggestion: when login is true I prefer to set a session which enables users rights. So, at least, I can stop bugging the database for that. Otherwise I will have an extra query for each reserved page and each user logged. Bye :)

cereal
Veteran Poster
1,146 posts since Aug 2007
Reputation Points: 344
Solved Threads: 223
Skill Endorsements: 22

for some reason when I put those pieces of code as listed above in the beginning of my pages..it redirects to the log in page..even after I have logged in..and I put the session variable at the very top..why is this?

geneh23

ok, so I created an admin.php that I'm just going to include for the admin pages..would this be sufficient for indicating whether a user is an admin or not?

admin.php

<?php

//start session and get username variable
session_start();
$user = $_SESSION['user'];

//connect to db
$connect = mysql_connect('**********','*******','');
mysql_select_db('********');

$get = mysql_query("SELECT * FROM users WHERE username='$user'")
while ($row = mysql_fetch_assoc($get))
{
	$admin = $row['user_level'];
}

if ($admin == 0) {
	header('Location: Blog.php');
}exit();
if ($admin == 1) {
	header('Location: Blog-admin-area.php');
}exit();
?>
geneh23

This assumes a user is already set. What happens if the user is not set and the user tries to access the page? You'll probably get an error in the mysql. So you have to check that session user var is set as opposed to taking it for granted.

<?php
//start session and get username variable
session_start();
if(isset($_SESSION['user']) && isset($_SESSION['userlevel'])){
   $user = $_SESSION['user'];
   if ($_SESSION['userlevel'] == 1) {
	header('Location: Blog-admin-area.php');
        exit();
   }else{
	header('Location: Blog.php');
        exit();
   }
}else{
  //redirect to default page (index.php?) with header()
}
?>

This applies cereal's thoughts about storing userlevel in session data too (on login) - no need for a db call.
However, I don't know the purpose of this file. I would assume that this would go at the top of the Blog-admin-area.php file itself, modified to this:

<?php
//start session and get username variable
session_start();
if(!isset($_SESSION['user']) || !isset($_SESSION['userlevel']) || $_SESSION['userlevel'] != 1){
   header('Location: Blog.php');
   exit(); // stop here so the rest of the admin page never runs for non-admins
}
?>
diafol

the purpose is to have the admin to access to post, update or delete blogs and comments and if the user is not an administrator to simply be directed to the blog section to read and comment on what the admin has posted.

in the admin.php, that I have included at the top gives out a while loop error as follows:
"Parse error: syntax error, unexpected T_WHILE in C:\Program Files (x86)\EasyPHP-5.3.8.1\www\Test\admin.php on line 12"
admin.php

<?php

//start session and get username variable
session_start();
$user = $_SESSION['user'];

//connect to db
$connect = mysql_connect('*************','****','');
mysql_select_db('**********');

$get = mysql_query("SELECT * FROM users WHERE username='$user'")
while($row = mysql_fetch_assoc($get)) 
{
	$admin = $row['user_level'];
}

if ($admin == 0) {
	header('Location: Blog.php');
	exit();
}
if ($admin == 1) {
	header('Location: Blog-admin-area.php');
	exit();
}
?>

everything seems correct..

geneh23

place a ; at the end of line 11

diafol

ok so I forgot a ";" so that part is fixed but the page says that there are too many redirects "The webpage at http://127.0.0.1:8080/Test/Blog.php has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer."

here is the php part of the script:

<?php

session_start();
include('admin.php');
include('core/init.inc.php');

if(!isset($_SESSION['username']) || empty($_SESSION['username'])){
  header('Location: logIn.php');
  exit();
}
if(isset($_SESSION['user']) && isset($_SESSION['user_level'])){
   $user = $_SESSION['user'];
   if ($_SESSION['user_level'] == 1) {
	header('Location: Blog-admin-area.php');
        exit();
   }else{
	header('Location: Blog.php');
        exit();
   }
}
?>
geneh23
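
Added example, not part of the thread and not any poster's code: one guard function that combines the session check suggested above with an exit() after every redirect, and that refuses to redirect a page to itself, which is the pattern behind a "too many redirects" error when Blog.php sends non-admins to Blog.php. It assumes PHP 7.1 or later, a hypothetical include file named guard.php, and that login has stored username and user_level (1 = admin) in the session.

```php
<?php
// Added example, not code from the thread. Assumes login stored
// $_SESSION['username'] and $_SESSION['user_level'] (1 = admin), as in the posts.
// guard.php is a hypothetical file name for this include.

/** Pure decision: page to send the visitor to, or null when access is allowed. */
function guard_target(array $session, bool $adminOnly): ?string
{
    if (empty($session['username'])) {
        return 'logIn.php';               // not logged in
    }
    if ($adminOnly && (int)($session['user_level'] ?? 0) !== 1) {
        return 'Blog.php';                // logged in, but not an admin
    }
    return null;
}

/** Call at the very top of a protected page, before any output. */
function require_access(bool $adminOnly): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $target = guard_target($_SESSION, $adminOnly);
    if ($target === null) {
        return;                           // allowed: the page renders normally
    }
    $current = basename($_SERVER['SCRIPT_NAME'] ?? '');
    if (strcasecmp($target, $current) === 0) {
        http_response_code(403);          // would redirect to itself: fail closed
        exit('Access denied');
    }
    header('Location: ' . $target);
    exit();                               // without this the rest of the page still runs
}

// Blog-admin-area.php:  require 'guard.php'; require_access(true);
// Blog.php:             require 'guard.php'; require_access(false);

// Constructed sessions, shown only when run from the command line.
if (PHP_SAPI === 'cli') {
    var_dump(guard_target([], true));
    var_dump(guard_target(['username' => 'bob', 'user_level' => 0], true));
    var_dump(guard_target(['username' => 'bob', 'user_level' => 0], false));
    var_dump(guard_target(['username' => 'amy', 'user_level' => 1], true));
}
```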

ok, so the checkuser.php works but it doesn't redirect to the admin page when I log in as an admin...why is this? and how do I make so it does so?

checkuser.php

<?php
session_start();

$host="************"; // Host name 
$username="*******"; // Mysql username 
$password="********"; // Mysql password 
$db_name="********"; // Database name 
$tbl_name="******"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$username=$_POST['username']; 
$password=$_POST['password'];

// To protect MySQL injection 
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='0'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count == 0 && 'user_level' == 0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
header("location: user-area.php");
}
if($count == 0 && 'user_level' == 1){
header("Location: admin-page.php");
}
echo "Wrong Username or Password";

?>

sorry if I've asked this too many times... :/

geneh23

You need to add exit(); after every header(...);

In addition, why is count = 0? Surely if you want success, it should be > 0?

Also 'user_level' is not a variable. You haven't even extracted it from the $result resource.
Use mysql_fetch_array() or similar.

diafol

@ardav: is this sort of what you meant?

<?php
session_start();

$host="********"; // Host name 
$username="*******"; // Mysql username 
$password="*******"; // Mysql password 
$db_name="*********"; // Database name 
$tbl_name="*******"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$username=$_POST['username']; 
$password=$_POST['password'];

// To protect MySQL injection 
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='0'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count > 0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;

$user = mysql_fetch_array($result);

if($user['user_level'] =='1') {
	header("Location: admin-page.php");
}else {
	header("Location: user-area.php");
}
}
else{
	echo "Wrong Username or Password!";
}
?>
geneh23
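
Added example, not part of the thread: the same login decision written with a PDO prepared statement and password_verify(), since the mysql_* functions used above were removed in PHP 7 and the posted query compares the submitted password directly against the stored column. The password_hash column, activated = 1 meaning an active account, and the in-memory SQLite rows are assumptions made so the block runs on its own (PHP 7.1 or later with pdo_sqlite).

```php
<?php
// Added example, not code from the thread. Assumptions: a users table with
// username, password_hash, activated and user_level columns; activated = 1
// marks an active account; the SQLite rows below are constructed sample data.

function authenticate(PDO $db, string $username, string $password): ?array
{
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare(
        'SELECT username, password_hash, user_level FROM users
         WHERE username = ? AND activated = 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against a stored hash, never a plaintext password column.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return ['username' => $row['username'], 'user_level' => (int)$row['user_level']];
}

function login_redirect(array $user): string
{
    return $user['user_level'] === 1 ? 'admin-page.php' : 'user-area.php';
}

// Constructed demo data so the block runs offline from the command line.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password_hash TEXT, activated INT, user_level INT)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?, 1, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
$ins->execute(['bob',   password_hash('hunter2',       PASSWORD_DEFAULT), 0]);

foreach ([['alice', 'correct horse'], ['bob', 'hunter2'], ["o'neil", 'x']] as [$u, $p]) {
    $user = authenticate($db, $u, $p);
    echo $u, ' => ', $user ? login_redirect($user) : 'Wrong Username or Password', PHP_EOL;
}

// In the real login handler, on success:
//   session_regenerate_id(true);                     // new session id after login
//   $_SESSION['username']   = $user['username'];
//   $_SESSION['user_level'] = $user['user_level'];   // the password is not stored in the session
//   header('Location: ' . login_redirect($user));
//   exit();
```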

wow I just realized there's a second page, disregard my post

$get = mysql_query("SELECT * FROM users WHERE username='$user'")

needs to have the ;

$get = mysql_query("SELECT * FROM users WHERE username='$user'");
HITMANOF44th
Posting Whiz in Training
284 posts since Apr 2009
Reputation Points: 24
Solved Threads: 34
Skill Endorsements: 0

@HITMANOF44th: Where do you see

$get = mysql_query("SELECT * FROM users WHERE username='$user'")
geneh23

on the first page last thing you said it was throwing an error

HITMANOF44th

oh, hmm I must have fixed that, because I have the ";" at the end of my php file.

geneh23

so my check user works but now that still leaves me with the admin.php page..for some reason it says
"Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in C:\Program Files (x86)\EasyPHP-5.3.8.1\www\Sample\admin-page.php on line 18"

here is the admin.php

<?php

$user = $_SESSION['username'];

//connect to db
$connect = mysql_connect('127.0.0.1','root','');
mysql_select_db('member');

$get = mysql_query("SELECT * FROM `users` WHERE user_level='1' AND user_level='0'");
while($row = mysql_fetch_assoc($get)) 
{
	$admin = $row['user_level'];
}

if ($admin == 0) {
	echo "<a href='login.php'>Log in</a> | <a href='logout.php'>Log out</a>
		  <h1>This is not an admin page</h1>";
	exit();
}
if ($admin == 1) {
	echo "<a href='login.php'>Log in</a> | <a href='logout.php'>Log out</a>
		  <h1>This is an admin page<h1>";
	exit();
}
?>
geneh23

© 2013 DaniWeb® LLC