0

Hi, I have made a login script that checks the database for username and password. I have everything working for the users (they must be logged in to access member.php). Now I have admin.php redirecting to a different page, but how do I keep users OUT of that page? Because I think the way this code is now, if a USER logs in and somehow copies and pastes the admin page... they can access it.

Here is my login script:

<?php
session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Shots by Shell User Log In</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="stylesheet" type="text/css" href="css/style.css" />
    <script type="text/javascript" src="jquery.js"></script>
    <script type="text/javascript" src="validate.js"></script>
    <script type="text/javascript" src="js/example.js"></script>
    <script type="text/javascript">
        $(document).ready(function(){
            jQuery.validator.addMethod("phoneUS", function(phone_number, element) {
                phone_number = phone_number.replace(/\s+/g, "");
                return this.optional(element) || phone_number.length > 9 &&
                    phone_number.match(/^(1-?)?(\([2-9]\d{2}\)|[2-9]\d{2})-?[2-9]\d{2}-?\d{4}$/);
            }, "Please specify a valid phone number");

            $("#form").validate();
        });
    </script>
</head>
<body>
    <div id="page-wrap">
        <div class="login-block">
            <h3>Shots by Shell User Login</h3>
            <form action="" method="POST" id="form">
                <table>
                    <tr><td style="font-size:15px; color:grey;">Username:&nbsp;&nbsp;</td>
                        <td><input type="text" name="username" id="username" class="required" value="<?php echo isset($_POST['username']) ? htmlspecialchars($_POST['username']) : ''; ?>" /></td></tr>
                    <tr><td style="font-size:15px; color:grey;">Password:&nbsp;&nbsp;</td>
                        <td><input type="password" name="password" id="password" class="required" /></td></tr>
                    <tr><td><input type="submit" name="submit" id="Submit" value="Login" /></td></tr>
                </table>
            </form>

<?php
$salt = "@x2p";

if (isset($_POST['submit']))
{
    if (!empty($_POST['username']) && !empty($_POST['password']))
    {
        $connect = mysql_connect("localhost", "xxxxx", "xxxxx") or die("Unable to connect at this time. Please try again later.");
        mysql_select_db("login2", $connect) or die("Unable to connect to the photo database at this time. Please try again later.");

        $username = $_POST['username'];
        // Hash the submitted password the same way it was stored, so the two strings can be compared.
        $password = crypt($_POST['password'], $salt);

        // Escape the username before it goes into the query so quotes in the input cannot alter the SQL.
        $query = mysql_query("SELECT * FROM users WHERE username='" . mysql_real_escape_string($username, $connect) . "'", $connect);
        $numrows = mysql_num_rows($query);

        if ($numrows != 0)
        {
            $row = mysql_fetch_assoc($query);
            $dbusername  = $row['username'];
            $dbpassword  = $row['password'];
            $dbfirstname = $row['firstname'];

            if ($username == $dbusername && $password == $dbpassword)
            {
                $_SESSION['firstname'] = $dbfirstname;

                // NOTE: the HTML above has already been sent, so these redirects only work when output_buffering is on.
                if ($dbusername == "admin")
                {
//THIS WORKS BUT HOW WOULD I KEEP ANY OTHER USER OUT. BECAUSE IF THEY GOT A HOLD OF THIS ADDRESS AND COPIED INTO THEIR BROWSER THEY HAVE ACCESS
                    header('Location: http://mysite.com/admin.php?id=' . $_SESSION['firstname']);
                }
                else
                {
                    header('Location: http://mysite.com/member.php?id=' . $_SESSION['firstname']);
                }
                exit;
            }
            else
            {
                die('<font color="red">Incorrect password.</font>');
            }
        }
        else
        {
            die('<font color="red">Username does not exist.</font>');
        }
    }
    else
    {
        die('<font color="red">Please enter your email address and password.</font>');
    }
}
?>
        </div>
    </div>
</body>
</html>

Here is admin.php:

<?php
session_start();

// isset() avoids a notice when no one is logged in and the session key does not exist yet
if (isset($_SESSION['firstname']) && $_SESSION['firstname'] != '')
{
    echo "Welcome, " . $_SESSION['firstname'] . "!<br>";
    echo "<a href='logout.php'>Log Out</a>";
}
else
{
    die("You must log in to view this page. <a href='index.php'>Click here</a> to log in.");
}
?>

I believe I need to add some other kind of check in the admin.php page, but I am not all that great with PHP and spent a long time on all of this. A little help would be greatly appreciated!

Thanks!

4 Contributors, 3 Replies, 9 Views, 7 Years Discussion Span, Last Post by richieking
0

Normally your admin would also login and that would set a session variable to show that this user has admin privileges. On any page that only an admin can access, you need to check that session variable to see if this is an admin user or not.

0

<?php
session_start();

// At login time, after the password check passes, store the user's role in the session.
$_SESSION['user_role'] = $user_role; // this should be a field in the DB for each user (e.g. 'admin' or 'member')

//============ Add other code that needs no admin rights ==========

// If this page needs admin access then put this code
if (isset($_SESSION['user_role']) && $_SESSION['user_role'] == 'admin') {
    echo "Karibu Mr. Admin!";
}
else {
    echo "Access denied: Hauruhusiwi Kuingia eneo hili!";
}
?>

Due to the DW rule:
Karibu == Welcome
Hauruhusiwi Kuingia eneo hili == You are not allowed to enter this zone
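The two replies above describe the same pattern: at login, read the user's role out of the database row and store it in the session; on every admin-only page, check that session value before producing any output. The following is an added example written for this thread, not code from the poster or from either reply. It assumes a `users` table with columns `id`, `username`, `password_hash`, `firstname` and `role`, and it swaps the fixed-salt `crypt()` from the question for `password_hash()`/`password_verify()` and the `mysql_*` calls for PDO prepared statements; the `users` column names, the function names, and the `auth.php` file name are all assumptions.

```php
<?php
// auth.php (added example, not the poster's code).
// Assumed schema: users(id, username, password_hash, firstname, role) where role is 'admin' or 'member'.
// Hashes are created at signup with password_hash($plain, PASSWORD_DEFAULT) (PHP >= 5.5).

// Call once per request before touching $_SESSION; safe to call more than once.
function start_session_once() {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Look the user up with a prepared statement (no SQL built from strings), verify the password,
// and on success copy the role from the DB row into the session. Returns the role, or null on failure.
function login_user(PDO $db, $username, $password) {
    $stmt = $db->prepare('SELECT id, username, password_hash, firstname, role FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // One failure path for "no such user" and "wrong password": the response does not reveal which it was.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }

    start_session_once();
    session_regenerate_id(true);            // fresh session id after login, so a pre-login id is never reused
    $_SESSION['user_id']   = $row['id'];
    $_SESSION['firstname'] = $row['firstname'];
    $_SESSION['role']      = $row['role'];  // the value admin pages check; it never comes from the URL
    return $row['role'];
}

// Put this at the top of any page only an admin may view, before any output.
// Knowing the page's address, or changing an ?id= parameter, does not help: only the role stored
// server-side in the session is consulted.
function require_role($required) {
    start_session_once();
    if (empty($_SESSION['user_id'])) {
        header('Location: index.php');      // not logged in at all: send to the login form
        exit;
    }
    if (!isset($_SESSION['role']) || $_SESSION['role'] !== $required) {
        http_response_code(403);            // logged in, but not permitted here
        exit('Access denied.');
    }
}

// --- usage in the login handler (index.php), before any HTML is sent ---
// require 'auth.php';
// $db   = new PDO('mysql:host=localhost;dbname=login2;charset=utf8', 'dbuser', 'dbpass');
// $role = login_user($db, $_POST['username'], $_POST['password']);
// if ($role === null)    { die('Incorrect username or password.'); }
// if ($role === 'admin') { header('Location: admin.php'); exit; }
// header('Location: member.php'); exit;

// --- usage at the top of admin.php ---
// require 'auth.php';
// require_role('admin');
// echo 'Welcome, ' . htmlspecialchars($_SESSION['firstname']) . '!';
```

The point of `require_role()` is that the decision is made from data the server wrote into the session at login, not from anything the browser sends. A member who types the admin URL gets a 403 because their session carries `role = 'member'`; redirecting admins to a different page after login is convenience, not the protection.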

0

You should also have a logout script to help the user log out.

Once the user clicks on the link... bam, logout.php, and unset the session there.

Security is the best form of programming.

Explore :)
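For the logout step the reply above mentions, unsetting a single key such as `$_SESSION['firstname']` is not enough: the session data, the server-side session record and the browser's session cookie all need to go. This is an added example of a complete logout.php, not code from the thread; the `index.php` redirect target is the poster's login page as named in admin.php.

```php
<?php
// logout.php (added example, not the poster's code).
session_start();

// 1. Drop every value in the session, including 'firstname' and any stored role.
$_SESSION = array();

// 2. Expire the session cookie in the browser using the same parameters it was set with,
//    so the old session id is not sent back on the next request.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}

// 3. Destroy the server-side session record.
session_destroy();

// 4. Send the user back to the login form and stop; nothing after a redirect should run.
header('Location: index.php');
exit;
```

Without step 2 the browser keeps sending the old cookie; without step 3 the old session file remains usable until garbage collection. Doing all three means a subsequent visit to admin.php has no `firstname` or role to find and falls through to the "You must log in" branch.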
