I have something like this

    <?php
    session_start(); // a session must be active before $_SESSION is written

    $host = "localhost"; // Host name
    $username = "root"; // MySQL username
    $password = ""; // MySQL password
    $db_name = "xxxx"; // Database name
    $tbl_name = "xxxxxx"; // Table name

    // Connect to server and select database.
    mysql_connect($host, $username, $password) or die("cannot connect");
    mysql_select_db($db_name) or die("cannot select DB");

    // username and password sent from form
    $username = $_POST['username'];
    $password = $_POST['password'];

    // To protect MySQL injection (more detail about MySQL injection)
    $username = stripslashes($username);
    $password = stripslashes($password);
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);

    $res = mysql_query("SELECT * FROM members WHERE username = '$username' LIMIT 1");
    if (mysql_num_rows($res) > 0)
    {
        $d = mysql_fetch_array($res);
        if ($password == $d['password'])
        {
            session_regenerate_id(); // security for changing permissions
            // Store the values in the $_SESSION superglobal
            $_SESSION['id'] = $d['id'];
            $_SESSION['access_level'] = $d['access_level'];
            switch ($d['access_level'])
            {
                case 1:
                    $loc = "home.php";
                    break;
                case 2:
                    $loc = "paramedic.php";
                    break;
                case 3:
                    $loc = "doctor.php";
                    break;
                case 4:
                    $loc = "medprac.php";
                    break;
                case 5:
                    $loc = "wardboss.php";
                    break;
                case 6:
                    $loc = "consultant.php";
                    break;
            }
            header("Location: $loc");
            exit; // stop the script once the redirect header is sent
        }
    }
    ?>

and this is very correct I suppose.

But I am having a problem locking the pages. I want doctors and admin to have access to all pages, while others have access to their own pages only.

If you use bitwise operators on integers, in your DB or config file:

access_levels
paramedic = 1
wardboss = 2
webadmin = 4
consultant = 8
doctor = 16

We can set these as constants in a config file:

    define('P', 1);
    define('WB', 2);
    define('WA', 4); // etc etc

Your DB users table will just show the user's rights:

user_id |...|rights
3 |...|20
(webadmin + doctor - this user is both)

You can lock down pages by this:

    session_start();
    $page_protection = 22; // access to wardboss + doctor + webadmin, or alternatively below:
    // $page_protection = WB + D + WA;
    if (!isset($_SESSION['rights']) || ($page_protection & $_SESSION['rights']) == 0) {
        header('Location: login.php');
        exit; // stop here so the protected page is not output after the redirect
    }

This ideally would also be used with your navbar display script, so that only the pages available to the user would be displayed in the first place.

Votes + Comments
I like this way of separating access levels. I never knew about the bitwise operators, so I went and read about them and learnt a load of stuff.
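
An added example, not part of the thread and not the answerer's own code: a deny-by-default page guard built on the bitmask scheme above, with doctors and webadmins OR-ed into every page mask as the original question asks. The role values are the ones listed in the answer; the constant name `C`, the page map and the function names are assumptions.

```php
<?php
// Added example (PHP 7.4+), not code from the thread. Role values are the ones
// listed in the answer; C, ALL_PAGES, PAGE_MASKS and the function names are assumptions.
const P  = 1;   // paramedic
const WB = 2;   // wardboss
const WA = 4;   // webadmin
const C  = 8;   // consultant
const D  = 16;  // doctor

// Doctors and webadmins are OR-ed into every mask so they can open all pages.
const ALL_PAGES = D | WA;
const PAGE_MASKS = [
    'paramedic.php'  => P  | ALL_PAGES,
    'wardboss.php'   => WB | ALL_PAGES,
    'consultant.php' => C  | ALL_PAGES,
    'doctor.php'     => ALL_PAGES,
];

// True when the user's rights share at least one bit with the page mask.
function has_access(int $pageMask, $rights): bool
{
    // DB and session values often arrive as strings; accept only non-negative integers.
    if (is_string($rights) && ctype_digit($rights)) {
        $rights = (int) $rights;
    }
    if (!is_int($rights) || $rights < 0) {
        return false;
    }
    return ($pageMask & $rights) !== 0;
}

// Call at the very top of a protected page: require_rights(basename(__FILE__));
function require_rights(string $page): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $mask = PAGE_MASKS[$page] ?? 0; // unknown page: deny by default
    if (!has_access($mask, $_SESSION['rights'] ?? null)) {
        header('Location: login.php');
        exit; // stop so the protected content is never sent after the redirect
    }
}

// Pages to show in the navbar for a given rights value.
function allowed_pages($rights): array
{
    return array_keys(array_filter(PAGE_MASKS, fn($m) => has_access($m, $rights)));
}
```

With the rights value 20 from the table above (webadmin + doctor), `allowed_pages()` returns every page in the map; a paramedic with rights 1 gets only `paramedic.php`.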

diafol, can you please do it according to my code? I just found out I am using some old code in the session.


No. The problem with your code is that it won't allow easy ingress or restriction to pages. That's why I suggested the above. Feel free to ignore my post. Anybody else?
