I have something like this

$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="xxxx"; // Database name
$tbl_name="xxxxxx"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form

// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$res = mysql_query("SELECT * FROM members WHERE username = '$username' LIMIT 1");
$d = mysql_fetch_array($res);    
if($password == $d['password'])
session_regenerate_id(); //security for changing permissions
session_register['id'] = $d['id'];
session_register['access_level'] = $d['access_level'];
case 1:
$loc = "home.php";
case 2:
$loc = "paramedic.php";
case 3:
$loc = "doctor.php";
case 4:
$loc = "medprac.php";
case 5:
$loc = "wardboss.php";
case 6:
$loc = "consultant.php";
header("Location: $loc");

and this is verry correct I suppose.

But I am having problem locking the pages. I want doctors and admin to have access to all pages while other to their pages only
Member Avatar

If you use bitwise operators on integers. In your DB or config file:

paramedic = 1
wardboss = 2
webadmin = 4
consultant = 8
doctor = 16

We can set these as constants in a config file:

define('WA',4); //etc etc

Your DB users table will just show the user's rights:

user_id |...|rights
3 |...|20
(webadmin + doctor - this user is both)

You can lock down pages by this:

    $page_protection = 22; //access to wardboss + doctor + webadmin or alternatively below:
    //page_protection = WB + D + WA;
    if(!isset($_SESSION['rights']) || ($page_protection & $_SESSION['rights']) == 0)header('Location: login.php');

This ideally would also be used with your navbar display script, so that only the pages available to the user would be displayed in the first place.

commented: I like this way of separating access levels. I never knew about the bitwise operators, so I went and read about them and learnt a load of stuff. +1

diafol can you please according my codes, I just find out am using some old code in the session

Member Avatar

No. The problem with your code is that it won't allow easy ingress or restriction to pages. That's why I suggested the above. Feel free to ignore by post. Anybody else?