I have several issues going on. I have played with the code, and I have tried to follow other code snippets / tutorials as examples, but I am unable to achieve the following:

1: When the browser is closed, the session is terminated, or a timeout period of inactivity is set?
2: Fix security issue: when I log in using one name, I can view all pages regardless of level. How do I fix this?

Here is the code for my index page

<?php
session_start();
//Set page name
$thispage = 'index.php';

//Fill in the database info below.
$dbHost = 'Hostname';
$dbUser = 'Username';
$dbPass = 'Password';
$dbDB   = 'DbName';

$con = mysql_connect($dbHost, $dbUser, $dbPass) or die('Could not connect');
mysql_select_db($dbDB) or die('Could not select database');

//Initialise so the template below never reads an undefined variable
$errmsg = '';
$html   = '';

if (!isset($_SESSION['username'])) {
    if (isset($_POST['submit'])) {
        $user  = mysql_real_escape_string($_POST['username']);
        $pass  = mysql_real_escape_string($_POST['password']);
        $msg   = '';
        $error = 0;
        if ($user == '') {
            $msg .= 'Username is blank<br />';
            $error++;
        }
        if ($pass == '') {
            $msg .= 'Password is blank<br />';
            $error++;
        }
        if ($error > 0) {
            $errmsg = $msg;
        }
        else {
            $sql   = "SELECT * FROM `admin` WHERE `username` = '" . $user . "' AND `password` = '" . $pass . "'";
            $query = mysql_query($sql) or die('Error: ' . mysql_error());
            $num   = mysql_num_rows($query);
            if ($num == 0) {
                $errmsg = 'Username and/or Password incorrect';
            }
            else {
                $res   = mysql_fetch_assoc($query);
                $level = $res['level']; //mysql_fetch_assoc() returns this as a string
                switch ($level) {
                    case 1:
                        $location = 'page_1.php';
                        break;
                    case 2:
                        $location = 'page_2.php';
                        break;
                    case 3:
                        $location = 'page_3.php';
                        break;
                    default:
                        $location = ''; //unknown level: do not log the user in
                        break;
                }
                if ($location == '') {
                    $errmsg = 'Account has no valid access level';
                }
                else {
                    $_SESSION['username'] = $user;
                    $_SESSION['level']    = $level;
                    header('Location: ' . $location);
                    die();
                }
            }
        }
    }
    $html = <<<HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Title goes here</title>
</head>
<body>
<form action="index.php" method="post">
<table border="0" cellpadding="2" cellspacing="2" align="center">
<tr>
 <td colspan="2">$errmsg</td>
</tr>
<tr>
 <td>Username:</td>
 <td><input name="username" type="text" id="username" size="30"></td>
</tr>
<tr>
 <td>Password:</td>
 <td><input name="password" type="password" id="password" size="30" class="password"></td>
</tr>
<tr>
 <td colspan="2" align="center"><input type="submit" name="submit" value="Login"></td>
</tr>
</table>
</form>
</body>
</html>
HTML;
}
else {
    $level = $_SESSION['level'];
    switch ($level) {
        case 1:
            $location = 'page_1.php';
            break;
        case 2:
            $location = 'page_2.php';
            break;
        case 3:
            $location = 'page_3.php';
            break;
        default:
            //Session carries an unknown level: drop it instead of redirecting in a loop
            session_unset();
            session_destroy();
            $location = 'index.php';
            break;
    }
    header('Location: ' . $location);
    die();
}

echo $html;

mysql_close($con);

?>

Here is the code that I use in the page(s).

<?php
session_start();
//Change this to the level of the page
$level = 1;
if (isset($_SESSION['level'])) {
    if ($_SESSION['level'] !== $level) {
        header('Location: index.php');
        die();
    }
}
else {
    header('Location: index.php');
    die();
}
?>

Any and all help would be appreciated, Thanks.
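One way to address both questions from the post in a single include, as an added example that is neither the poster's code nor taken from the replies: an `auth.php` (assumed file name) that makes the session cookie expire when the browser closes, enforces a server-side idle timeout, and compares the access level as an integer so the per-page check cannot pass or fail because of a string/integer mismatch. It assumes the file names used in the post (`index.php`, `page_1.php` and so on) and that `index.php` stores `$_SESSION['username']` and `$_SESSION['level']` as shown above; the 15-minute idle limit is an assumed value.

```php
<?php
// auth.php: added example, not the original poster's code.
// Assumes index.php sets $_SESSION['username'] and $_SESSION['level'] on login
// and that protected pages are page_1.php, page_2.php, page_3.php.

// Idle limit in seconds (assumed value; adjust as needed).
define('SESSION_IDLE_LIMIT', 15 * 60);

// Lifetime 0 tells the browser to discard the session cookie when it closes.
// httponly keeps scripts from reading the session id. Set the 'secure'
// argument (4th) to true when the site is served over HTTPS.
session_set_cookie_params(0, '/', '', false, true);
session_start();

// mysql_fetch_assoc() returns column values as strings, so the level stored
// at login is "1", not 1, and "1" !== 1 is always true. Cast before comparing.
function current_level()
{
    return isset($_SESSION['level']) ? (int) $_SESSION['level'] : 0;
}

// True when the last request on this session is older than the idle limit.
// This is the check that actually ends a session; the cookie lifetime alone
// only affects the browser, the server-side data stays until it is destroyed
// or garbage-collected.
function session_is_idle_expired()
{
    return isset($_SESSION['last_activity'])
        && (time() - $_SESSION['last_activity']) > SESSION_IDLE_LIMIT;
}

// Clear the session data, expire the cookie, and send the user to the login page.
function end_session_and_redirect()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: index.php');
    exit;
}

// Call at the very top of each protected page, before any output,
// with the level that page requires.
function require_level($required)
{
    if (!isset($_SESSION['username']) || session_is_idle_expired()) {
        end_session_and_redirect();
    }
    if (current_level() !== (int) $required) {
        // Logged in, but not this page's level: index.php sends the user
        // to the page that matches their own level.
        header('Location: index.php');
        exit;
    }
    // Request accepted: refresh the activity timestamp for the idle check.
    $_SESSION['last_activity'] = time();
}
```

Each protected page then replaces its current session block with `require 'auth.php'; require_level(2);` (using that page's level). For the idle check to start counting from the login, `index.php` should set `$_SESSION['last_activity'] = time();` where it stores the username and level, and calling `session_regenerate_id(true)` at that same point gives the logged-in user a fresh session id instead of the one it had before authentication.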

All 2 Replies

PHP might be confused by the comparison operator you are using. You could be comparing a string to an integer.

1 !== "1"   // true

but

1 != "1"    // false

You might try changing this comparison operator: !==

if ($_SESSION['level'] !== $level)

to this: !=

if ($_SESSION['level'] != $level)

Otherwise it is working fine for me. When I log in as a level 1 I can see page_1.php, no problem. However, when I try to view page_2.php it sends me back to index.php, as long as I have changed the $level variable to 2 in page_2.php.

I changed the lines, re-uploaded to my site, then cleared my cache... it is still allowing me to view all pages under one name. Sorry, my head is thick.
