0

Hey everyone,

No errors here but I was wondering..is there an easy way to simply "add" an administrator in a log-in script to redirect to a certain area of a website that the administrator can only access? Any advice would be greatly appreciated :)

7
Contributors
26
Replies
27
Views
5 Years
Discussion Span
Last Post by diafol
Featured Replies
  • 1
    diafol 3,669   5 Years Ago

    Your user DB should have a userlevel field which can be stored as bits, e.g. 0 = no activated 1 = regular user 2 = moderator 4 = admin 8 = superadmin An user with admin rights should then have all the rights of admin and below, so admin userlevel … Read More

  • 1
    cereal 1,419   5 Years Ago

    Quick suggestion: when login is true I prefer to set a session which enables users rights. So, at least, I can stop bugging the database for that. Otherwise I will have an extra query for each reserved page and each user logged. Bye :) Read More

  • 2
    diafol 3,669   5 Years Ago

    THis assumes an user is already set. WHat happens if the user is not set and the user tries to access the page? You'll probably get an error in the mysql. SO you have to check that session user var is set as opposed to taking it for granted. [CODE]<?php … Read More

0

depending on your set up. If it's database driven u could add check boxes to ur back admin where users listed. then if u want them to be admin you could check the box submit and in your database where users are u could add a column called "isadmin" and the checked box will add to the database 1 for yes and null for no. later u could add the redirect with an if condition. if $isadmin = "1" redirect..

I hate to post links to other places.. but this works great.. I've used it. It doesnt cover the redirect. But that's standard.

http://www.phpfreaks.com/tutorial/working-with-checkboxes-and-a-database

Edited by reco21: n/a

0

I simply want to just add an admin section to the following code..if possible..and yes it is database driven.

login.php

<?php
session_start();

$host="************"; // Host name 
$username="****"; // Mysql username 
$password="********"; // Mysql password 
$db_name="*********"; // Database name 
$tbl_name="*********"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$username=$_POST['username']; 
$password=$_POST['password'];

// To protect MySQL injection 
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='0'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>
1

Your user DB should have a userlevel field which can be stored as bits, e.g.

0 = no activated
1 = regular user
2 = moderator
4 = admin
8 = superadmin

An user with admin rights should then have all the rights of admin and below, so
admin userlevel = sum of all = 1 + 2 + 4 = 7
suepradmin = 1 + 2 + 4 + 8 = 15

You then check using the bitwise operator:

if($row['userlevel'] & 4){
  $admin = true;
}

Or something like that.

You could have a simpler setup with just an admin field (0 or 1).

Edited by diafol: n/a

0

what if I did this since I actually do have something called a "userlevel" and I set one field to "1" out of "1" "2" "3" and just added this bit of code to the login.php file

<?php 
if($row['user_level'] == 1) {
  header("Location: index.php");
  die();
} ?>

and then when I need to get to a page that requires an admin only access..put in this line of code at the top saying:

<?php 
if($row['user_level'] == 1){
  header('Location: admin-area.php');
   die();
} ?>
1

Quick suggestion: when login is true I prefer to set a session which enables users rights. So, at least, I can stop bugging the database for that. Otherwise I will have an extra query for each reserved page and each user logged. Bye :)

Votes + Comments
agreed
0

for some reason when I put those pieces of code as listed above in the beginning of my pages..it redirects to the log in page..even after I have logged in..and I put the session variable at the very top..why is this?

0

ok, so I created an admin.php that I'm just going to include for the admin pages..would this be sufficiant for indicating whether a user is an admin or not?

admin.php

<?php

//start session and get username variable
session_start();
$user = $_SESSION['user'];

//connect to db
$connect = mysql_connect('**********','*******','');
mysql_select_db('********');

$get = mysql_query("SELECT * FROM users WHERE username='$user'")
while ($row = mysql_fetch_assoc($get))
{
	$admin = $row['user_level'];
}

if ($admin == 0) {
	header('Location: Blog.php');
}exit();
if ($admin == 1) {
	header('Location: Blog-admin-area.php');
}exit();
?>
2

THis assumes an user is already set. WHat happens if the user is not set and the user tries to access the page? You'll probably get an error in the mysql. SO you have to check that session user var is set as opposed to taking it for granted.

<?php
//start session and get username variable
session_start();
if(isset($_SESSION['user']) && isset($_SESSION['userlevel'])){
   $user = $_SESSION['user'];
   if ($_SESSION['userlevel' == 1) {
	header('Location: Blog-admin-area.php');
        exit();
   }else{
	header('Location: Blog.php');
        exit();
   }
}else{
  //redirect to default page (index.php?) with header()
}
?>

This applies cereal's thoughts about storing userlevel in session data too (on login) - no need for a db call.
However, I don't know the purpose of this file. I would assume that this would go at the top of the Blog-admin-area.php file itself, modified to this:

<?php
//start session and get username variable
session_start();
if(!isset($_SESSION['user']) || !isset($_SESSION['userlevel']) || $_SESSION['userlevel'] != 1){
   header('Location: Blog.php');
}
?>
Votes + Comments
well done
-1

the purpose is to have the admin to access to post, update or delete blogs and comments and if the user is not an administrator to simply be directed to the blog section to read and comment on what the admin has posted.

in the admin.php, that I have included at the top gives out a while loop error as follows:
"Parse error: syntax error, unexpected T_WHILE in C:\Program Files (x86)\EasyPHP-5.3.8.1\www\Test\admin.php on line 12"
admin.php

<?php

//start session and get username variable
session_start();
$user = $_SESSION['user'];

//connect to db
$connect = mysql_connect('*************','****','');
mysql_select_db('**********');

$get = mysql_query("SELECT * FROM users WHERE username='$user'")
while($row = mysql_fetch_assoc($get)) 
{
	$admin = $row['user_level'];
}

if ($admin == 0) {
	header('Location: Blog.php');
	exit();
}
if ($admin == 1) {
	header('Location: Blog-admin-area.php');
	exit();
}
?>

everything seems correct..

0

ok so I forgot a ";" so that part is fixed but the page says that there are too many redirects "The webpage at http://127.0.0.1:8080/Test/Blog.php has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer."

here is the php part of the script:

<?php

session_start();
include('admin.php');
include('core/init.inc.php');

if(!isset($_SESSION['username']) || empty($_SESSION['username'])){
  header('Location: logIn.php');
  exit();
}
if(isset($_SESSION['user']) && isset($_SESSION['user_level'])){
   $user = $_SESSION['user'];
   if ($_SESSION['user_level'] == 1) {
	header('Location: Blog-admin-area.php');
        exit();
   }else{
	header('Location: Blog.php');
        exit();
   }
}
?>
0

ok, so the checkuser.php works but it doesn't redirect to the admin page when I log in as an admin...why is this? and how do I make so it does so?

checkuser.php

<?php
session_start();

$host="************"; // Host name 
$username="*******"; // Mysql username 
$password="********"; // Mysql password 
$db_name="********"; // Database name 
$tbl_name="******"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$username=$_POST['username']; 
$password=$_POST['password'];

// To protect MySQL injection 
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='0'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count == 0 && 'user_level' == 0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
header("location: user-area.php");
}
if($count == 0 && 'user_level' == 1){
header("Location: admin-page.php");
}
echo "Wrong Username or Password";

?>

sorry if I've asked this too many times... :/

0

You need to add exit(); after every header(...);

In addition, why is count = 0? Surely if you want success, it should be > 0?

Also 'user_level' is not a variable. You haven't even extracted it from the $result resource.
Use mysql_fetch_array() or similar.

0

@ardav: is this sort of what you meant?

<?php
session_start();

$host="********"; // Host name 
$username="*******"; // Mysql username 
$password="*******"; // Mysql password 
$db_name="*********"; // Database name 
$tbl_name="*******"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$username=$_POST['username']; 
$password=$_POST['password'];

// To protect MySQL injection 
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='0'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count > 0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;

$user = mysql_fetch_array($result);

if($user['user_level'] =='1') {
	header("Location: admin-page.php");
}else {
	header("Location: user-area.php");
}
}
else{
	echo "Wrong Username or Password!";
}
?>
0

wow i just relized theres a second page disregard my post

$get = mysql_query("SELECT * FROM users WHERE username='$user'")

needs to have the ;

$get = mysql_query("SELECT * FROM users WHERE username='$user'");

Edited by HITMANOF44th: n/a

0

@HITMANOF44th: Where do you see

$get = mysql_query("SELECT * FROM users WHERE username='$user'")
0

oh, hmm I must have fixed that, because I have the ";" at the end of my php file.

0

so my check user works but now that still leaves me with the admin.php page..for some reason it says
"Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in C:\Program Files (x86)\EasyPHP-5.3.8.1\www\Sample\admin-page.php on line 18"

here is the admin.php

<?php

$user = $_SESSION['username'];

//connect to db
$connect = mysql_connect('127.0.0.1','root','');
mysql_select_db('member');

$get = mysql_query("SELECT * FROM `users` WHERE user_level='1' AND user_level='0'");
while($row = mysql_fetch_assoc($get)) 
{
	$admin = $row['user_level'];
}

if ($admin == 0) {
	echo "<a href='login.php'>Log in</a> | <a href='logout.php'>Log out</a>
		  <h1>This is not an admin page</h1>";
	exit();
}
if ($admin == 1) {
	echo "<a href='login.php'>Log in</a> | <a href='logout.php'>Log out</a>
		  <h1>This is an admin page<h1>";
	exit();
}
?>
0

i want create admin and user login page.but admin only access for update,delete,change password for user account.but user only view for account details.so u help me.

0

Please search this forum, it's been covered to death.

so u help me.

Also if you want help on this at least show some effort by posting your own code first.

0

Ok, so you lifted some code from this thread - possibly even my code. So, I fail to see where you've shown some effort yourself. As you mention, this is your first task, so I expect you are the one that's supposed to do it.

What else have you got? What are your ideas? You will need to read up on sessions, db access and manipulation, header redirects. It is essentially a set of very, very simple scripts.

As mentioned previously, have a go yourself first.

0

ok.1st improve my self.but php.net website tutorial is high standard.u know any tutorial website for learning php.

0

You can search google for 'beginner PHP tutorial'.
The first result is the 'simple tutorial' on php.net website.
If that is too hard, you need to grow your brain :D
Good luck!

0

I concur with adam. A google search for php tutorials or php beginner should afford some immediate help. I'm quite a fan of textbooks when it comes to learning a new language as they have a nice google page in the back called an index which allows you to home in on specific searches. Wrox, O'Reilly and Apress usually do it for me with regard to publishers. There is no substitute for failing and learning from your own mistakes. Being a script bunny will only get you so far. If things don't work you'll be well and truly stuck as you'll try to debug or fix code that you don't understand. Worse and with some embarrassment, you'll supply the code in a forum post and you'll get the question - 'Is this your code? If not, ask the author'. We're always here to help - note the 'help' - we don't supply novel code for thread starters as a rule. Have a go, but do come back if you have questions or you've been stuck for some time with your code.

Edited by diafol

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.