PHP how do I - in a password protected dir stop anyone typing anything after the "/" or if they try to change the address at all they will simply be directed to the login page with message?

Hope someone can help, am stuck.

LastMitch

@jilkin

PHP how do I - in a password protected dir stop anyone typing anything after the "/" or if they try to change the address at all they will simply be directed to the login page with message?

Technically you can put a password on the dir. Will it work? It really depends.

Here are some links that have PHP to put passwords, and also a couple of links using .htaccess.

These are PHP:

http://elonen.iki.fi/code/misc-notes/htpasswd-php/

http://koivi.com/archives/php-http-auth/

These are .htaccess:

http://www.thesitewizard.com/apache/password-protect-directory.shtml

http://www.addedbytes.com/blog/code/password-protect-a-directory-with-htaccess/

Hi, I have already got the dir password protected, but I have different usertypes, i.e. Customer and admin. I want to stop customers who have already signed in from changing pages by changing the address in the address bar and thus getting to the admin pages. I am not sure of the best way of doing this. Thanks for those links; I had a quick read but they don't seem to address the problem as I see it. Please let me know if you think I am approaching it from the wrong direction and should do something like work on my usertype security.

Thanks
Jilkin

jilkin, do you have any fields in your database that store the user's role? You could use this at the top of every page to check if the user is authorized to access that page. For example, let's say we have admin-index.php:

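// admin-index.php
// Only administrators should have access to this page
session_start();

// if role value stored in $_SESSION != "admin" (a missing role also counts as not admin)
if (!isset($_SESSION['user']['role']) || $_SESSION['user']['role'] !== 'admin') {
    // kick them back to the homepage with a message
    header("Location: /?redirect=NA"); // text after ? is arbitrary, I used "NA" for "not authorized"
    exit; // stop here: header() alone does not end the script, so the admin page would still run
}

// Then on your homepage you could add a check
// to see if you need to print the message
// (isset() first, because the parameter is absent on a normal visit)
if (isset($_GET["redirect"]) && $_GET["redirect"] === 'NA') {
    echo "You are not authorized to access that page!";
}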
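
The per-page role check from the answer above, pulled into one shared include so every protected page runs the same deny-by-default test. This is an added example, not code posted in the thread: the file name `auth.php`, the functions `is_authorized()`, `require_role()` and `redirect_message()`, the `/login.php` URL and the role value `customer` are assumptions, and it relies on the `$_SESSION['user']['role']` layout used in that answer.

```php
<?php
// auth.php -- hypothetical shared include (file and function names are assumptions).
// Assumes the login script stores the role in $_SESSION['user']['role'].
declare(strict_types=1);

/** Pure decision: may a session holding $session visit a page limited to $allowed roles? */
function is_authorized(array $session, array $allowed): bool
{
    $role = $session['user']['role'] ?? null;   // missing or malformed session => null
    // Strict comparison against an allow-list; anything unexpected is denied.
    return is_string($role) && in_array($role, $allowed, true);
}

/** Call at the very top of every protected page, before any output is sent. */
function require_role(string ...$allowed): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (is_authorized($_SESSION, $allowed)) {
        return;
    }
    // Not signed in -> ask for login; signed in with the wrong role -> "not authorized".
    $reason = isset($_SESSION['user']) ? 'NA' : 'login';
    header('Location: /login.php?redirect=' . $reason, true, 303); // placeholder URL
    exit; // nothing below the guard may run for a rejected request
}

/** On the login page: map the code to fixed text, never echo the query string itself. */
function redirect_message(array $query): string
{
    $messages = [
        'NA'    => 'You are not authorized to access that page!',
        'login' => 'Please sign in to continue.',
    ];
    $code = $query['redirect'] ?? '';
    return is_string($code) && isset($messages[$code]) ? $messages[$code] : '';
}

// Usage, first lines of admin-index.php:
//   require __DIR__ . '/auth.php';
//   require_role('admin');
// Usage on a page both user types may open ('customer' is an assumed role value):
//   require_role('admin', 'customer');
```

Because the guard runs on the server for every request, typing a different address into the address bar only changes which page's guard is evaluated.
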

LastMitch

Hi, I have already got the dir password protected, but I have different usertypes, i.e. Customer and admin. I want to stop customers who have already signed in from changing pages by changing the address in the address bar and thus getting to the admin pages. I am not sure of the best way of doing this. Thanks for those links; I had a quick read but they don't seem to address the problem as I see it. Please let me know if you think I am approaching it from the wrong direction and should do something like work on my usertype security.

That's pretty serious. If this is an e-commerce website then you really need to fix that issue!

I think you are not familiar with creating a password. Did you put a password on your Admin section folder?

I assume you create a table in the database called Admin so you can put a password.

The way to approach this is to create a login and logout and put it in the admin folder, and on top of each page in the admin folder you should put a session.

That will prevent people accessing the admin folder because in order to access that admin folder the person must know the password.

This will secure the Admin section folder.

Thanks EvolutionFallen

Problem solved. I thought it was a problem with usertype security. That code helped.
