Posts posted by paddyhaig

  1. So I am not exactly sure where I would implement the changes you have suggested?

    Can you possibly make the appropriate changes to the scripts I have supplied? Then I might have a working model that I can emulate and learn from.

    I have to use the database call and form post procedure a lot in the project I am building, so just one working model/template should get me started. You appear to have offered me two solutions; which one would you use as a programmer of experience?

  2. Yes, I figured it had to be something to do with Global Variables!

    Mmmmm, I really wasn't that hot at PHP 7 years ago, and I have been pretty wrapped up in the re-building (construction) of New Orleans since, so I pretty much have forgotten everything I know. This is my first attempt to try and get back into programming; I really need someone to help me along. I know I can be something of a pain in the ass. But when I get rolling there ain't no stoppin' me. What you have written somewhat makes sense, and on the other hand it seems like Greek! Thanks for your input. I really do appreciate it.

  3. No prob. (Although I do wish I had more of an insight.)

    What happens is when I open the page using the editing.php script

    The form fields are filled with:

     

    <br /> <b>Notice</b>:  Undefined variable: first_name in <b>C:\wamp\www\concierge\admin\editing.php</b> on line <b>15</b><br />

    <br /> <b>Notice</b>:  Undefined variable: last_name in <b>C:\wamp\www\concierge\admin\editing.php</b> on line <b>23</b><br />

    <br /> <b>Notice</b>:  Undefined variable: login in <b>C:\wamp\www\concierge\admin\editing.php</b> on line <b>29</b><br />

    This line is a password field, so its error is, I am sure, obscured by asterisks....

    <br /> <b>Notice</b>:  Undefined variable: login in <b>C:\wamp\www\concierge\admin\editing.php</b> on line <b>47</b><br />

    <br /> <b>Notice</b>:  Undefined variable: login in <b>C:\wamp\www\concierge\admin\editing.php</b> on line <b>47</b><br />

  4. I created these scripts 7 years ago and believe they were created on a system allowing global variables. They seemed to work fine at the time, but now they are all kinds of funky. I am hoping that someone can help me clean them up and get them working again.

     

    Abstract: The form is designed to connect to a MySQL database and pull up a table of all the users and their information, i.e. Id, Edit, Name, Login, Privilege.

    The way it used to work was if you clicked on the 'Id' of a specific user then another form would come up with their specific details that you could then edit and resubmit.

    What I would really like and hope to be working towards, is an initial table without the 'Id' column. The User details to be presented in columns in this order (From left to right) Name (First and last), Login, Privilege. I would also like the name (First and Last) to be a link, when clicked on, taking you to another page where you can edit the details or completely remove the account/db row. Also the privilege on this same page to have a drop down list offering the options Manager, Staff, Suspended.

    I believe there was actually also a page for creating new accounts at some point.

    Anyway, if there is anyone that can help me out there with this I would be very grateful.

     

    This is what used to work. The common error being: Undefined variable

     

    edit.php

    <?php
    
    mysql_connect('localhost','example','example') or die ("Problem connecting to DataBase");
    $query = "select * from auth";
    $result = mysql_db_query("example", $query);
    
    
    if ($result) {
    echo "<table width=90% align=center border=1 bordercolor=#808080 cellspacing=0 cellpadding=0 bordercolorlight=#808080 bordercolordark=#283A86><tr>
    <td align=center bgcolor=#283A86><font color=#FFFFFF><b>Edit:</b></td>
    <td align=center bgcolor=#283A86><font color=#FFFFFF><b>Name:</b></td>
    <td align=center bgcolor=#283A86><font color=#FFFFFF><b>Login:</b></td>
    <td align=center bgcolor=#283A86><font color=#FFFFFF><b>Privilege:</b></td>
    </tr>";
    
    
    
    while ($r = mysql_fetch_array($result)) {
    $id = $r["id"];
    $first_name = $r["first_name"];
    $last_name = $r["last_name"];
    $login = $r["login"];
    $password = $r["password"];
    $privilege = $r["privilege"];
    
    echo "<tr>
    <td align=center>
    <a href=\"editing.php?id=
    $id&first_name=
    $first_name&last_name=
    $last_name&login=
    $login&password=
    $password&privilege=
    $privilege\">
    $id
    </a>
    </td>
    
    <td>$first_name $last_name</td>
    <td>$login</td>
    <td>$privilege</td>
    </tr>";
    
    }
    echo "</table>";
    
    } else {
    
    echo "No data.";
    
    }
    
    mysql_free_result($result);
    
    ?>
    

     

    editing.php

    <?php
    ?>
    
    
    <form method="POST" action="editdb.php">
    
    <center>
    
    
          <table width="226" border="1" bordercolor="#808080" cellspacing="0" cellpadding="0" bordercolorlight="#808080" bordercolordark="#283A86">
            <tr>
              <td align="center" width="93" bgColor="#283a86" height="4"><font color="#ffffff"><b>First
                name</b></font></td>
              <td width="141" bgColor="#283a86" height="4" align="center"><input type="text" name="first_name" size="20"
              value="<?php echo "$first_name";?>"></td>
              </tr>
            <tr>
            
            
              <td align="center" width="93" bgColor="#283a86" height="3"><b><font color="#FFFFFF">Last
                name</font></b></td>
              <td width="141" bgColor="#283a86" height="3" align="center"><input type="text" name="last_name" size="20"
              value="<?php echo "$last_name";?>"></td>
            </tr>
            <tr>
            
              <td align="center" width="93" bgColor="#283a86" height="13"><font color="#ffffff"><b>Login </b></font></td>
              <td width="141" bgColor="#283a86" height="13" align="center"><input type="text" name="login" size="20"
               value="<?php echo "$login";?>"></td>
              </td>
            </tr>
            <tr>
            
              <td align="center" width="93" bgColor="#283a86" height="27"><font color="#ffffff"><b>Password </b></font></td>
              <td width="141" bgColor="#283a86" height="27" align="center"><input type="password" name="password" size="20"
              value="<?php echo "$password";?>"></td>
              </td>
            </tr>
            <tr>
            
            
              <td align="center" width="93" bgColor="#283a86" height="14"><font color="#ffffff"><b>Privilege </b></font></td>
              <td width="141" bgColor="#283a86" height="14" align="center"><select size="1" name="privilege">
                  <option selected value="receptionist">Receptionist</option>
                  <option value="manager">Manager</option>
                  <option value="administrator">Administrator</option>
                  <option value="<?php echo "$privilege";?>" selected><?php echo "$privilege";?></option>
                  <option value="suspended">Suspended</option>
                  &nbsp; </select></td>
            </tr>
          </table>
          <div align="center">
            <table border="0" cellpadding="0" cellspacing="0" width="198">
              <tr>
                <td width="196">
                  <p align="center"><font color="#283A86">.</font></td>
              </tr>
              <tr>
                <td width="196">
    
                    <input type=hidden name=id value="<?php echo "$id";?>">
    
    
                  <p align="center">
    <input name="submit" type="image" id="submit" src="../../graphics/general/edit-staff-member_button.gif" alt="Edit Staff member" width="180" height="28" border="0"></p>
    
    
                </td>
              </tr>
              
    </center>
    
    
    <?php
    include ('../../includes/scripts_footer.inc');
    ?>
    

     

    editdb.php

    <?php
    
    mysql_connect('localhost','example','example') or die ("Problem connecting to DataBase");
    
    $query = "update auth set
    id='$id',first_name='$first_name',last_name='$last_name',login='$login' ,password='$password' ,privilege='$privilage' where
    id='$id'";
    
    $result = mysql_db_query("example", $query);
    $query = "SELECT * FROM auth";
    $result = mysql_db_query("example", $query);
    
    if ($result) {
    echo "<table width=100% align=center border=1 bordercolor=#808080 cellspacing=0 cellpadding=0 bordercolorlight=#808080 bordercolordark=#283A86><tr>
    <td align=center bgcolor=#283A86><font color=#FFFFFF><b>Name:</b></td>
    <td align=center bgcolor=#283A86><font color=#FFFFFF><b>Login:</b></td>
    <td align=center bgcolor=#283A86><font color=#FFFFFF><b>Privilege:</b></td>
    </tr>";
    
    while ($r = mysql_fetch_array($result)) {
    $id = $r["id"];
    $first_name = $r["first_name"];
    $last_name = $r["last_name"];
    $login = $r["login"];
    $password = $r["password"];
    $privilage = $r["privilege"];
    
    echo "<tr>
    
    <td>$first_name $last_name</td>
    <td>$login</td>
    
    <td>$privilege</td>
    </tr>";
    
    }
    
    echo "</table>";
    
    } else {
    
    echo "No data.";
    
    }
    
    mysql_free_result($result);
    
    
    ?>
          
    <? include ('../../includes/scripts_footer.inc'); ?>
    

     

    I have also attached a graphic of my database schema...

     

    [attachment deleted by admin]
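
The three scripts in this post depend on request fields arriving as ready-made variables, carry the whole row (password included) in the edit link, and build the UPDATE by string interpolation. The block below is an added example, not the poster's code, showing one way to do the same edit flow with explicit `$_GET`/`$_POST` reads, an id-only link, escaped output, a prepared statement and an allow-list for the privilege value. It assumes PHP 7.4+ with PDO and uses an in-memory SQLite table so it runs offline; all function names are hypothetical.

```php
<?php
// Added example, not the poster's code. SQLite in memory is an assumption made so
// the example runs offline; for the MySQL "auth" table only the PDO DSN changes.
declare(strict_types=1);

// The values offered by the privilege drop-down in editing.php.
const ALLOWED_PRIVILEGES = ['receptionist', 'manager', 'administrator', 'suspended'];

function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE auth (id INTEGER PRIMARY KEY, first_name TEXT,
        last_name TEXT, login TEXT UNIQUE, password TEXT, privilege TEXT)');
    // Constructed sample row; the password column holds a hash, never the password.
    $pdo->prepare('INSERT INTO auth (first_name, last_name, login, password, privilege)
        VALUES (?, ?, ?, ?, ?)')->execute(
        ['Pat', "O'Brien", 'pat', password_hash('constructed-sample', PASSWORD_DEFAULT), 'receptionist']
    );
    return $pdo;
}

// Escape a value for HTML text or a quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Read one request field as a trimmed string; arrays and missing keys become ''.
function field(array $req, string $key): string
{
    return isset($req[$key]) && is_string($req[$key]) ? trim($req[$key]) : '';
}

// edit.php: the link carries only the row id, so no password ends up in URLs or logs.
function edit_link(array $row): string
{
    return sprintf('<a href="editing.php?id=%d">%s</a>',
        (int) $row['id'], h($row['first_name'] . ' ' . $row['last_name']));
}

// editing.php: take the id from $_GET explicitly and load the rest from the database.
function load_user(PDO $pdo, array $get): ?array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, first_name, last_name, login, privilege FROM auth WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// editing.php: one <option> per allowed value, with the stored one preselected.
function privilege_options(string $current): string
{
    $html = '';
    foreach (ALLOWED_PRIVILEGES as $p) {
        $html .= sprintf('<option value="%s"%s>%s</option>',
            h($p), $p === $current ? ' selected' : '', h(ucfirst($p)));
    }
    return $html;
}

// editdb.php: validate, then update through a prepared statement.
function update_user(PDO $pdo, array $post): bool
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    $privilege = field($post, 'privilege');
    if ($id === false || !in_array($privilege, ALLOWED_PRIVILEGES, true)) {
        return false;
    }
    $stmt = $pdo->prepare(
        'UPDATE auth SET first_name = ?, last_name = ?, login = ?, privilege = ? WHERE id = ?');
    $stmt->execute([field($post, 'first_name'), field($post, 'last_name'),
        field($post, 'login'), $privilege, $id]);
    // SQLite counts matched rows; MySQL counts only rows whose values changed.
    $found = $stmt->rowCount() === 1;
    // The password is replaced only when a new one was typed, and is stored hashed.
    $new = isset($post['password']) && is_string($post['password']) ? $post['password'] : '';
    if ($found && $new !== '') {
        $pdo->prepare('UPDATE auth SET password = ? WHERE id = ?')
            ->execute([password_hash($new, PASSWORD_DEFAULT), $id]);
    }
    return $found;
}

if (PHP_SAPI === 'cli') {
    // Constructed request values standing in for $_GET and $_POST.
    $pdo = open_demo_db();
    $user = load_user($pdo, ['id' => '1']);
    echo edit_link($user), "\n", privilege_options($user['privilege']), "\n";
    var_dump(update_user($pdo, ['id' => '1', 'first_name' => 'Pat', 'last_name' => "O'Brien",
        'login' => 'pat', 'password' => '', 'privilege' => 'manager']));
    var_dump(update_user($pdo, ['id' => '1', 'privilege' => 'owner'])); // not in the allow-list
    var_dump(load_user($pdo, ['id' => 'abc']));                         // not an integer id
}
```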

  5. So after a week of looking everywhere to get a little help, I eventually managed to fix it myself. Here's a working cookie/privilege-based authentication script. I do however wish to thank everyone for their efforts. Please see attached db schema.

     

     

    Here is the relevant html authentication form info:

     

    <form action="scripts/authenticate/auth.php" method="POST">
    <input name="account" type="text" id="account" value="info@example.com" size="20">
    Username:
    <input name="username" type="text" id="username" size="20">
    <label for="password">
    <div align="center">Password:
    <input name="password" type="password" id="password" size="20">
    <img src="graphics/general/login_button.jpg" width="150" height="28" 
    alt="login"></p></form>
    

     

     

    Here is the processing script after I fixed it:

     

    <?php
    
      if (isset($_POST['username']) && isset($_POST['password'])) {
    
      $db = mysql_connect('localhost', 'example', 'example') or die("Couldn't connect to the database<br>" . mysql_error());
      mysql_select_db('example', $db) or die("Couldn't select<br>" . mysql_error());
      
      $login = mysql_real_escape_string($_POST['username'], $db);
      $password = mysql_real_escape_string($_POST['password'], $db);
    
      $query = "SELECT privilege FROM auth WHERE login = '$login' AND password = '$password'";
      $result = mysql_query($query, $db) or die("Problem with the query: $query<br>" . mysql_error());
    
        if (0 == mysql_num_rows($result)) {
        header('Location: ../../index.php');
        exit(0);
      }
    
      $row = mysql_fetch_assoc($result);
      $privilege = $row['privilege'];
    
      session_start();
      $_SESSION['username'] = $login;
      $_SESSION['privilege'] = $privilege;
    
      if ('receptionist' === $privilege) {
        header('Location: ../../receptionists/index.php');
        exit(0);
      }
    
      if ('manager' === $privilege) {
        header('Location: ../../managers/index.php');
        exit(0);
      }
    
      if ('administrator' === $privilege) {
        header('Location: ../../admin/index.php');
        exit(0);
      }
    }
    ?>
    

     

    Here is what needs to be placed in the head of every page (With appropriate changes):

     

    <?php session_start();
    if (! isset($_SESSION['privilege'])) { // privilege?
        // redirect to your login page
        header("Location: ../index.php");
        exit;
    } else {
       
        // check to make sure the privilege is correct for this page
        // modify as needed. 
        // That is the != 'privilege') could be: 
        // != 'administrator') or != 'manager') or != 'receptionist') 
        // Just add this to the head of the page you want to limit access to.
        // For example add this script with != 'privilege') changed to != 'receptionist') 
        // if you want to limit access to the page to just those with receptionist privileges.
      
      if ($_SESSION['privilege'] != 'privilege') {
            die('You do not have the privilege to access this page.');
        }
    }
    ?>
    

     

     

    [attachment deleted by admin]
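
The login script and page guard in these posts compare a plaintext password in SQL and check the session against one literal string per page. The block below is an added example, not the poster's code, showing the same flow with `password_verify()`, a fresh session id at login, cookie flags set explicitly, and a guard that takes the list of roles a page accepts. It assumes PHP 7.4+ and that the `password` column holds `password_hash()` output; the function names are hypothetical and the redirect targets are the ones used in auth.php.

```php
<?php
// Added example, not the poster's code.
declare(strict_types=1);

// Landing page per privilege, as in the auth.php redirects. Any other value
// (for example 'suspended') has no entry and is refused at login.
const LANDING = [
    'receptionist'  => '../../receptionists/index.php',
    'manager'       => '../../managers/index.php',
    'administrator' => '../../admin/index.php',
];

// $row is the auth row looked up by login (null when there is none).
// Returns the privilege on success, null on any failure.
function check_login(?array $row, string $password): ?string
{
    // Verify against a dummy hash for unknown logins so both paths do the same work.
    static $dummy = null;
    $dummy ??= password_hash('unused', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row['password'] ?? $dummy);
    if ($row === null || !$ok || !array_key_exists($row['privilege'], LANDING)) {
        return null;
    }
    return $row['privilege'];
}

// Start the session with the cookie flags set explicitly.
function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'path'     => '/',
        'httponly' => true,                      // not readable from page scripts
        'secure'   => !empty($_SERVER['HTTPS']), // sent over HTTPS only when the site uses it
        'samesite' => 'Lax',
    ]);
    session_start();
}

// auth.php, after check_login() succeeded.
function establish_session(string $login, string $privilege): void
{
    start_session();
    session_regenerate_id(true);   // the pre-login session id is discarded
    $_SESSION['username']  = $login;
    $_SESSION['privilege'] = $privilege;
    header('Location: ' . LANDING[$privilege]);
    exit;
}

// Pure decision used by the guard: 'login', 'deny' or 'allow'.
function access_decision(array $session, array $allowed): string
{
    if (!isset($session['privilege'])) {
        return 'login';
    }
    return in_array($session['privilege'], $allowed, true) ? 'allow' : 'deny';
}

// First statement of every protected page, before any output, e.g.
// require_privilege(['administrator']) or require_privilege(['manager', 'administrator']).
function require_privilege(array $allowed): void
{
    start_session();
    switch (access_decision($_SESSION, $allowed)) {
        case 'login':
            header('Location: ../index.php');
            exit;
        case 'deny':
            http_response_code(403);
            die('You do not have the privilege to access this page.');
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed sample row and session arrays; no real session is started here.
    $row = ['login' => 'pat', 'privilege' => 'manager',
            'password' => password_hash('constructed-sample', PASSWORD_DEFAULT)];
    var_dump(check_login($row, 'constructed-sample'));
    var_dump(check_login($row, 'wrong'));
    var_dump(check_login(null, 'anything'));
    var_dump(check_login(['privilege' => 'suspended'] + $row, 'constructed-sample'));
    var_dump(access_decision([], ['administrator']));
    var_dump(access_decision(['privilege' => 'manager'], ['administrator']));
    var_dump(access_decision(['privilege' => 'manager'], ['manager', 'administrator']));
}
```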

  6. Here is my pertinent authentication page information:

     

    
    <form action="scripts/authenticate/auth.php" method="POST">
    
    Account:
              <input name="account" type="text" id="account" value="inter-nation-house">
    
    Username:
              <input name="username" type="text" id="username" size="20">
    
    Password:
              <input name="password" type="password" id="password" size="20">
    
    <input type="image" src="graphics/general/login_button.jpg" onClick="document.submit();">
    	  
    

     

    Here is the authentication script used by above:

     

    
    <?php
    
      if (isset($_POST['username']) && isset($_POST['password'])) {
      
      $db = mysql_connect('localhost', 'example', 'example') or die("Couldn't connect to the database<br>" . mysql_error()); 
      mysql_select_db('example', $db) or die("Couldn't select<br>" . mysql_error());
       
      $login = mysql_real_escape_string($_POST['username'], $db);
      $password = mysql_real_escape_string($_POST['password'], $db);
      
      $query = "SELECT privilege FROM auth WHERE login = '$login' AND password = '$password'";
      $result = mysql_query($query, $db) or die("Problem with the query: $query<br>" . mysql_error());
      
        if (0 == mysql_num_rows($result)) {
        header('Location: ../../index.php');
        exit(0);
      }
      
      $row = mysql_fetch_assoc($result);
      $privilege = $row['privilege'];
      
      session_start();
      $_SESSION['username'] = $login;
      $_SESSION['privilege'] = $privilege;
    
      
      if ('receptionist' === $privilege) {
        header('Location: ../../receptionists/index.php');
        exit(0);
      }
    
      if ('manager' === $privilege) {
        header('Location: ../../managers/index.php');
        exit(0);
      }
    
      if ('administrator' === $privilege) {
        header('Location: ../../admin/index.php');
        exit(0);
      }
    }
    ?>
    
    

     

    Here is what I am including above the head of all the pages I wish to secure: It was working fine until I added this to the beginning of each page.

     

    
    <?php session_start();
    if (! isset($_SESSION['privilege'])) { // privilege?
        // redirect to your login page
        header("Location: ../index.php");
        exit;
    } else {
        // check to make sure the privilege is correct for this page
        // modify as needed
        if ($_SESSION['privilege'] != 'privilege') {
            die('You do not have the privilege to access this page.');
        }
    }
    ?>
    
    

     

    Here is my cookie information:

     

    Name PHPSESSID

    Value 0i14qiuf33cma8oucoohb52mh5

    Host         localhost

    Path /

    Secure No

    Expires At End Of Session

     

    Please see attached db schema if needed.

     

    Here is the error I am still getting: (It simply just won't let me in)

    You do not have the privilege to access this page.

     

    Despite the fact that I am entering the correct information.

     

     

     

    [attachment deleted by admin]

  7. I get what you are saying, this is just an idea. But I wonder if it is possible to utilize this little bit of a timer script. You could put it in the header of the page that plays the mp3 and then the customer would only be able to hear the first few seconds of the tune. As I said, it's just an idea.

     

    <SCRIPT LANGUAGE="JavaScript">

    <!-- Begin

    redirTime = "26000";

    redirURL = "http://your_domain_and_file.htm";

    function redirTimer() { self.setTimeout("self.location.href = redirURL;",redirTime); }

    //  End -->

    </script>

  8. Need real genius to work this one out. Over 30 people have failed so far.

     

    Authentication session problem.

     

     

    Please can someone help me create a way of securing the pages of my website with a session cookie.

    At present you can wander directories simply by manipulating the URL.

    I need a way to secure the pages if you do not have the correct login credentials.

    I want different users to have different levels of access.

    It seems that a cookie has already been created in my browser; that information you will see below.

     

    Here's a copy of my present authentication form: index.php

     

    
    <html>
    <head>
        <meta http-equiv="Content-Language" content="en-us">
        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
        <title>Login</title>
    <link href="includes/primary_layout.css" rel="stylesheet" type="text/css" /> 
    <!--[if IE]><style type="text/css">body { text-align: center; } #small-blue-box { text-align: left; }</style><![endif]-->
    <link href="../includes/primary_layout.css" rel="stylesheet" type="text/css" />
    </head>
    <body onLoad="document.getElementById('account').focus()">
    <div id="text">
    <div id="wrapper">
    <div id="small-blue-box">
    <div id="form0">
    <form action="scripts/authenticate/auth.php" method="POST">
    <div>
    <div align="center"><img src="graphics/general/concierge_banner.gif" width="180" height="28">Account:
    <input name="account" type="text" id="account" value="info@example.com" size="20">
    </div>
    </div>
    <div>
    <div align="center">Username:
    <input name="username" type="text" id="username" size="20">
    </div>
    </div>
    <div>
    <label for="password">
    <div align="center">Password:
    <input name="password" type="password" id="password" size="20">
    </div>
    </div>
    <p align="center">
    <input type="image" src="graphics/general/login_button.jpg" onClick="document.submit();">
    <p>
    <img src="graphics/general/login_button.jpg" width="150" height="28" alt="login"></p></form>
    </div>
    </div>
    <?php include("includes/footer.inc"); ?>
    </div>
    </body>
    </html>
    
    

     

    Here's a copy of the auth.php script: Which is called by the above.

     

    
    <?php
    if (isset($_POST['username']) && isset($_POST['password'])) {
      $db = mysql_connect('localhost', 'example', 'example') or die("Couldn't connect to the database<br>" . mysql_error());
      mysql_select_db('example', $db) or die("Couldn't select<br>" . mysql_error());
      
      $login = mysql_real_escape_string($_POST['username'], $db);
      $password = mysql_real_escape_string($_POST['password'], $db);
      
      $query = "SELECT privilage FROM auth WHERE login = '$login' AND password = '$password'";
      $result = mysql_query($query, $db) or die("Problem with the query: $query<br>" . mysql_error());
      if (0 === mysql_num_rows($result)) {
        header('Location: ../../index.php');
        exit(0);
      }
      
      $row = mysql_fetch_assoc($result);
      $privilage = $row['privilage'];
      
      session_start();
      $_SESSION['username'] = $login;
      $_SESSION['privilage'] = $privilage;
    
      
      if ('receptionist' === $privilage) {
        header('Location: ../../receptionists/index.php');
        exit(0);
      }
    
      if ('manager' === $privilage) {
        header('Location: ../../managers/index.php');
        exit(0);
      }
    
      if ('administrator' === $privilage) {
        header('Location: ../../admin/index.php');
        exit(0);
      }
    }
    ?>
    
    

     

    This is my present cookie information:

     

     

    Name  PHPSESSID

    Value  p2r4il0jeadghdoa7h4hb7uku5

    Host  www.example.com

    Path  /

    Secure  No

    Expires  At End Of Session

     

     

    This is one of many pages I would like to secure:

     

     

    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Concierge Admin Index</title>
    <link href="../includes/primary_layout.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div id="wrapper">
    <div id="large-blue-box">
    <div id="form1">
    
    <!-- <?php include("../includes/footer.inc"); ?> I would like to make all the below code an include -->
    
      <p><img src="../graphics/general/ai_banner.gif" alt="" width="180" height="28" /></p>
      <p><a href="concierge-setup.php"><img src="../graphics/general/concierge-setup_button.gif" width="180" height="28" /></a></p>
      <p><a href="accommodation.php"><img src="../graphics/general/accomodate_button.gif" width="180" height="28" /></a></p>
      <p><a href="general-log.php"><img src="../graphics/general/gen-log_button.gif" width="180" height="28" /></a></p>
      <p><a href="../index.php"><img src="../graphics/general/lo_button.gif" alt="" width="180" height="28" /></a></p>
    </div>
    <div id="form2">
      <p><img src="../graphics/general/man_index_banner.gif" width="180" height="28" /></p>
      <p><a href="staff_management.php"><img src="../graphics/general/sm_button.gif" width="180" height="28" /></a></p>
    <p><a href="bed_management.php"><img src="../graphics/general/bm_button.gif" width="180" height="28" /></a></p>
    <p><a href="audit_system.php"><img src="../graphics/general/as_button.gif" width="180" height="28" /></a></p>
    <p><a href="shift_summary.php"><img src="../graphics/general/shift-summary_button.gif" width="180" height="28" /></a></p>
    </div>
    <div id="form3">
      <p><img src="../graphics/general/recep_banner.gif" width="180" height="28" /></p>
      <p><a href="check-in-out_index.php"><img src="../graphics/general/check-inout_button.gif" width="180" height="28" /></a></p>
    <p><a href="delinquent_payments.php"><img src="../graphics/general/delinquent-payments_button.gif" width="180" height="28" /></a></p>
      <p><a href="reservations.php"><img src="../graphics/general/reservations_button.gif" width="180" height="28" /></a></p>
      <p><a href="misc_index.php"><img src="../graphics/general/miscellaneous_button.gif" width="180" height="28" /></a></p>
    </div>
    </div>
    <?php include("../includes/footer.inc"); ?>
    </div>
    </body>
    </html>
    
    

     

    I think I have found the last bit of the puzzle, this may have been an include in my general pages.

     

     

    <?php
    
    // if the log-out button is clicked, destroy the cookies 
    // and tell the user that they have logged out. 
    
    if ($submit) { 
        setcookie('username', '', time() - 3600); 
        setcookie('auth_level', '', time() - 3600); 
        echo "You've successfully logged out."; 
    } else { 
         
        // Make sure that if someone is accessing 
        // the page without access, that they can't 
        // execute the script 
         
    if (!$_COOKIE['username']) { 
    header("Location: ../../index.php");
    exit; } 
         
        // otherwise, display their username and access level 
        // when they first arrive from the auth.php link 
        // and give them the option to log-out 
         
    ?> 
    
    <u>Your User Name</u>: <b><?php echo $_COOKIE['username'];?></b><br /> 
    
    <form method="POST" action="http://localhost/concierge/">
    
    <!-- <form method="POST" action="<?php echo $GLOBALS ['PHP_SELF'];?>"> 
    <input type="submit" value="Logout" name="submit"> 
    </form> 
    
    <?php 
    
    // close the script 
    
    } 
    ?>
    

     

    Here's something I discovered: the session_start() (whatever you call it) that is in the auth.php script, in combination with the <form action="scripts/authenticate/auth.php" method="POST"> from the index.php authentication form, is what's generating the session cookie that is now residing in my browser. I found this last bit of code above that I believe is designed to kill the session cookie.

     

    What I need is something in the head of every page that checks that cookie's data and allows the person logging in with specific credentials access to specific documents and folders.

     

     

     

     

     

     

  9. I believe it's time to give up on my prior authentication script and start from scratch, I believe it's far too broken to be fixed.

    What I need is a tiered access level authentication method. That allows certain privileges to some and not others. I need administrative, managerial and staff levels.

    What is the most secure method that I should be researching?

    Is it cookie based and if so, how should I hash the cookie?

    And is there anyone out there that can help me implement this?

  10. I tried just about everything with the below code, however I feel we are onto something. The three levels of access are administrator, manager, receptionist.

    I changed it on this line and tried it to no avail.

     

    if ($_SESSION['privilege'] != 'privilege') {

    if ($_SESSION['administrator'] != 'administrator') {

    if ($_SESSION['privilege'] != 'administrator') {

     

    <?php session_start();
    if (! isset($_SESSION['privilege'])) { // privilege?
        // redirect to your login page
        header("Location: ../index.php");
        exit;
    } else {
        // check to make sure the privilege is correct for this page
        // modify as needed
        if ($_SESSION['privilege'] != 'administrator') {
            die('You do not have the privilege to access this page.');
        }
    }
    ?>
    

  11. Mr McD, I tried your code out and it keeps throwing me back to the authentication form.

    Oh, I also made changes to the spelling of 'privilege' in both the snippet of code and the backend auth.php script. My bad!

     

    Is there some way that I can check to see if the privilege is being passed in the cookie?

     

    Here's where I added the code, I also tried it below the <head> to no avail.

    <?php session_start();
    if (! isset($_SESSION['privilege'])) { // privilege?
        // redirect to your login page
        header("Location: ../index.php");
        exit;
    } else {
        // check to make sure the privilege is correct for this page
        // modify as needed
        if ($_SESSION['privilege'] != 'privilege') {
            die('You do not have the privilege to access this page.');
        }
    }
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Concierge Admin Index</title>
    <link href="../includes/primary_layout.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div id="wrapper">
    <div id="large-blue-box">
    <div id="form1">
    
    <!-- <?php include("../includes/footer.inc"); ?> I would like to make all the below code an include -->
    
      <p><img src="../graphics/general/ai_banner.gif" alt="" width="180" height="28" /></p>
      <p><a href="concierge-setup.php"><img src="../graphics/general/concierge-setup_button.gif" width="180" height="28" /></a></p>
      <p><a href="accommodation.php"><img src="../graphics/general/accomodate_button.gif" width="180" height="28" /></a></p>
      <p><a href="general-log.php"><img src="../graphics/general/gen-log_button.gif" width="180" height="28" /></a></p>
      <p><a href="../index.php"><img src="../graphics/general/lo_button.gif" alt="" width="180" height="28" /></a></p>
    </div>
    <div id="form2">
      <p><img src="../graphics/general/man_index_banner.gif" width="180" height="28" /></p>
      <p><a href="staff_management.php"><img src="../graphics/general/sm_button.gif" width="180" height="28" /></a></p>
    <p><a href="bed_management.php"><img src="../graphics/general/bm_button.gif" width="180" height="28" /></a></p>
    <p><a href="audit_system.php"><img src="../graphics/general/as_button.gif" width="180" height="28" /></a></p>
    <p><a href="shift_summary.php"><img src="../graphics/general/shift-summary_button.gif" width="180" height="28" /></a></p>
    </div>
    <div id="form3">
      <p><img src="../graphics/general/recep_banner.gif" width="180" height="28" /></p>
      <p><a href="check-in-out_index.php"><img src="../graphics/general/check-inout_button.gif" width="180" height="28" /></a></p>
    <p><a href="delinquent_payments.php"><img src="../graphics/general/delinquent-payments_button.gif" width="180" height="28" /></a></p>
      <p><a href="reservations.php"><img src="../graphics/general/reservations_button.gif" width="180" height="28" /></a></p>
      <p><a href="misc_index.php"><img src="../graphics/general/miscellaneous_button.gif" width="180" height="28" /></a></p>
    </div>
    </div>
    <?php include("../includes/footer.inc"); ?>
    </div>
    </body>
    </html>

  12. My name is Paddy, I am originally from Liverpool UK but have been Living in New Orleans, La, USA for the last 8 years. Yes I lived through Katrina. I have not touched code or php or any db's, development or high end systems since Katrina and am just trying to find my feet again after many years of construction and re-building. So for all intents and purposes I am like a newbie again. I developed an idea about 7 years ago and then put it on the back burner as I was run off my feet with work at the time as a systems administrator at a local New Orleans ISP. Then Katrina hit and the whole world seemed to turn upside down. So I am sorry if I get a little annoyed sometimes at people wasting my time with poorly presented suggestions. The way I see it is, if you know how to fix something, then just fix it. Don't point me to the manual. If I wanted to read the manual then I would be reading it, not posting my questions on a forum!

    Anyway, feel the Love!!!

  13. Thanks Mr Mc!

     

    Here are my discoveries so far...

     

    Authentication session problem.

     

     

    Please can someone help me create a way of securing the pages of my website with a session cookie.

    At present you can wander directories simply by manipulating the URL.

    I need a way to secure the pages if you do not have the correct credentials.

    I want different users to have different levels of access.

     

    Here's a copy of my present authentication form: index.php

     

    
    <html>
    <head>
        <meta http-equiv="Content-Language" content="en-us">
        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
        <title>Login</title>
    <link href="includes/primary_layout.css" rel="stylesheet" type="text/css" /> 
    <!--[if IE]><style type="text/css">body { text-align: center; } #small-blue-box { text-align: left; }</style><![endif]-->
    <link href="../includes/primary_layout.css" rel="stylesheet" type="text/css" />
    </head>
    <body onLoad="document.getElementById('account').focus()">
    <div id="text">
    <div id="wrapper">
    <div id="small-blue-box">
    <div id="form0">
    <form action="scripts/authenticate/auth.php" method="POST">
    <div>
    <div align="center"><img src="graphics/general/concierge_banner.gif" width="180" height="28">Account:
    <input name="account" type="text" id="account" value="info@example.com" size="20">
    </div>
    </div>
    <div>
    <div align="center">Username:
    <input name="username" type="text" id="username" size="20">
    </div>
    </div>
    <div>
    <label for="password">
    <div align="center">Password:
    <input name="password" type="password" id="password" size="20">
    </div>
    </div>
    <p align="center">
    <input type="image" src="graphics/general/login_button.jpg" onClick="document.submit();">
    <p>
    <img src="graphics/general/login_button.jpg" width="150" height="28" alt="login"></p></form>
    </div>
    </div>
    <?php include("includes/footer.inc"); ?>
    </div>
    </body>
    </html>
    
    

     

    Here's a copy of the auth.php script: Which is called by the above.

     

    
    <?php
    if (isset($_POST['username']) && isset($_POST['password'])) {
      $db = mysql_connect('localhost', 'example', 'example') or die("Couldn't connect to the database<br>" . mysql_error());
      mysql_select_db('example', $db) or die("Couldn't select<br>" . mysql_error());
      
      $login = mysql_real_escape_string($_POST['username'], $db);
      $password = mysql_real_escape_string($_POST['password'], $db);
      
      $query = "SELECT privilage FROM auth WHERE login = '$login' AND password = '$password'";
      $result = mysql_query($query, $db) or die("Problem with the query: $query<br>" . mysql_error());
      if (0 === mysql_num_rows($result)) {
        header('Location: ../../index.php');
        exit(0);
      }
      
      $row = mysql_fetch_assoc($result);
      $privilage = $row['privilage'];
      
      session_start();
      $_SESSION['username'] = $login;
      $_SESSION['privilage'] = $privilage;
    
      
      if ('receptionist' === $privilage) {
        header('Location: ../../receptionists/index.php');
        exit(0);
      }
    
      if ('manager' === $privilage) {
        header('Location: ../../managers/index.php');
        exit(0);
      }
    
      if ('administrator' === $privilage) {
        header('Location: ../../admin/index.php');
        exit(0);
      }
    }
    ?>
    
    

     

    This is my present cookie information:

     

     

    Name  PHPSESSID

    Value  p2r4il0jeadghdoa7h4hb7uku5

    Host  www.example.com

    Path  /

    Secure  No

    Expires  At End Of Session

     

     

    This is one of many pages I would like to secure:

     

     

    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Concierge Admin Index</title>
    <link href="../includes/primary_layout.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div id="wrapper">
    <div id="large-blue-box">
    <div id="form1">
    
    <!-- <?php include("../includes/footer.inc"); ?> I would like to make all the below code an include -->
    
      <p><img src="../graphics/general/ai_banner.gif" alt="" width="180" height="28" /></p>
      <p><a href="concierge-setup.php"><img src="../graphics/general/concierge-setup_button.gif" width="180" height="28" /></a></p>
      <p><a href="accommodation.php"><img src="../graphics/general/accomodate_button.gif" width="180" height="28" /></a></p>
      <p><a href="general-log.php"><img src="../graphics/general/gen-log_button.gif" width="180" height="28" /></a></p>
      <p><a href="../index.php"><img src="../graphics/general/lo_button.gif" alt="" width="180" height="28" /></a></p>
    </div>
    <div id="form2">
      <p><img src="../graphics/general/man_index_banner.gif" width="180" height="28" /></p>
      <p><a href="staff_management.php"><img src="../graphics/general/sm_button.gif" width="180" height="28" /></a></p>
    <p><a href="bed_management.php"><img src="../graphics/general/bm_button.gif" width="180" height="28" /></a></p>
    <p><a href="audit_system.php"><img src="../graphics/general/as_button.gif" width="180" height="28" /></a></p>
    <p><a href="shift_summary.php"><img src="../graphics/general/shift-summary_button.gif" width="180" height="28" /></a></p>
    </div>
    <div id="form3">
      <p><img src="../graphics/general/recep_banner.gif" width="180" height="28" /></p>
      <p><a href="check-in-out_index.php"><img src="../graphics/general/check-inout_button.gif" width="180" height="28" /></a></p>
    <p><a href="delinquent_payments.php"><img src="../graphics/general/delinquent-payments_button.gif" width="180" height="28" /></a></p>
      <p><a href="reservations.php"><img src="../graphics/general/reservations_button.gif" width="180" height="28" /></a></p>
      <p><a href="misc_index.php"><img src="../graphics/general/miscellaneous_button.gif" width="180" height="28" /></a></p>
    </div>
    </div>
    <?php include("../includes/footer.inc"); ?>
    </div>
    </body>
    </html>
    
    

     

    I think I have found the last bit of the puzzle, this may have been an include in my general pages.

     

     

    <?php
    
    // if the log-out button is clicked, destroy the cookies 
    // and tell the user that they have logged out. 
    // (read the button from $_POST; a bare $submit relies on register_globals)
    
    if (isset($_POST['submit'])) { 
        setcookie('username', '', time() - 3600); 
        setcookie('auth_level', '', time() - 3600); 
        echo "You've successfully logged out."; 
    } else { 
         
        // Make sure that if someone is accessing 
        // the page without access, that they can't 
        // execute the script 
         
        if (empty($_COOKIE['username'])) { 
            header("Location: ../../index.php");
            exit;
        } 
         
        // otherwise, display their username and access level 
        // when they first arrive from the auth.php link 
        // and give them the option to log-out 
         
    ?> 
    
    <u>Your User Name</u>: <b><?php echo htmlspecialchars($_COOKIE['username']); ?></b><br /> 
    
    <form method="POST" action="http://localhost/concierge/">
    
    <!-- <form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>"> -->
    <input type="submit" value="Logout" name="submit"> 
    </form> 
    
    <?php 
    
    // close the script 
    
    } 
    ?>
    

     

    Here's something I discovered: the session_start() (whatever you call it) that is in the auth.php script, in combination with the <form action="scripts/authenticate/auth.php" method="POST"> from the index.php authentication form, is what's generating the session cookie that is now residing in my browser. I found this last bit of code above that I believe is designed to kill the session cookie.

    What I need is something in the head of every page that checks that cookie data.

  14. Actually My georgebates, I have managed to read and understand the page you suggested I read, and none of it seems to apply to me. Here's why: there is no setcookie() used anywhere in the code on any of the pages, however a cookie is being generated. How's that?

  15. georgebates, I have just looked at the page you suggested and it all looked like Greek to me, please excuse me if you are actually Greek. I am a newbie, you all started somewhere. I am trying to fix something I made and worked 7 years ago, since then my life was thrown upside down in New Orleans with Katrina, I haven't been near code in 5 years, I can't seem to remember a thing. All I am looking for is a little help. Fortunately I got some great help in the css area. Now I seem to have a handle on css again. My problem now lies with a bunch of php scripts that I can't believe I once wrote. But I did!

  16. Pikachu2000, it seems like people simply move on to other problems. I have had about 4 people give suggestions that simply didn't work. Then my php issue is simply just forgotten about. So I have to re-post it, so I can get some fresh blood to take a look at it. Take yourself for example, you're offering nothing but criticism. I do apologize if I sound rude, but it's a fact. It seems to me that I have to keep baiting the hook until someone helps me.

     

  17. I don't know why I am getting these errors.

     

    Notice: Use of undefined constant localhost - assumed 'localhost' in C:\wamp\www\  edit.php on line 3

     

    Notice: Use of undefined constant dbusername - assumed 'dbusername' in C:\wamp\www\ edit.php on line 3

     

    Notice: Use of undefined constant dbpassword - assumed 'dbpassword' in C:\wamp\www\ edit.php on line 3

     

    <?php
    mysql_connect(localhost,example,example) or die ("Problem connecting to DataBase");
    $query = "select * from auth";
    $result = mysql_db_query("example", $query);
    if ($result) {
    echo "<table width=100% align=center border=1 bordercolor=#808080 cellspacing=0 cellpadding=0 bordercolorlight=#808080 bordercolordark=#283A86><tr>
    <td align=center bgcolor=#283A86><font color=#FFFFFF><b>Edit:</b></td>
    <td align=center bgcolor=#283A86><font color=#FFFFFF><b>Name:</b></td>
    <td align=center bgcolor=#283A86><font color=#FFFFFF><b>Login:</b></td>
    <td align=center bgcolor=#283A86><font color=#FFFFFF><b>Privilage:</b></td>
    </tr>";
    while ($r = mysql_fetch_array($result)) {
    $id = $r["id"];
    $first_name = $r["first_name"];
    $last_name = $r["last_name"];
    $login = $r["login"];
    $password = $r["password"];
    $privilage = $r["privilage"];
    echo "<tr>
    <td align=center>
    <a href=\"editing.php?id=$id&first_name=$first_name&last_name=$last_name&login=$login&password=$password&privilage=$privilage\">$id</a></td>
    <td>$first_name $last_name</td>
    <td>$login</td>
    <td>$privilage</td>
    </tr>";
    }
    echo "</table>";
    } else {
    echo "No data.";
    }
    mysql_free_result($result);
    ?>
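
The notices in this post come from the unquoted barewords passed to mysql_connect(), which PHP reads as constant names, and the listing also puts every column, password included, into the edit link. The following is an added example, not the poster's code: it builds the same table row with only the id in the link and every value escaped, using constructed rows and the hypothetical helper names `h`, `render_row` and `parse_edit_id`.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's code. Rows are constructed; the column names
// (id, first_name, last_name, login, privilage) follow the post.
//
// String arguments must be quoted: mysql_connect('localhost', 'example', 'example').
// Unquoted, PHP looks for constants named localhost and example, which is what
// the notices report. (The mysql_* functions were removed in PHP 7.)

/** Escape a value for HTML text or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/**
 * Build one table row. Only the numeric id goes into the link; editing.php is
 * assumed to load the record by id on the server, so the password never shows
 * up in a URL, the browser history or the web server's access log.
 */
function render_row(array $r): string
{
    $id   = (int) $r['id'];
    $href = 'editing.php?' . http_build_query(['id' => $id]);
    return '<tr>'
        . '<td align="center"><a href="' . h($href) . '">' . $id . '</a></td>'
        . '<td>' . h($r['first_name'] . ' ' . $r['last_name']) . '</td>'
        . '<td>' . h($r['login']) . '</td>'
        . '<td>' . h($r['privilage']) . '</td>'
        . '</tr>';
}

/** Receiving side: accept the id only if it is a positive integer, else null. */
function parse_edit_id(array $get): ?int
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Demo on constructed data when run directly: php edit_listing.php
if (PHP_SAPI === 'cli' && realpath($_SERVER['argv'][0] ?? '') === __FILE__) {
    $rows = [
        ['id' => '1', 'first_name' => 'Pat', 'last_name' => 'O\'Neil',
         'login' => 'pat', 'privilage' => 'receptionist'],
        ['id' => '2', 'first_name' => '<b>Sam</b>', 'last_name' => 'Lee',
         'login' => 'sam&co', 'privilage' => 'manager'],
    ];
    foreach ($rows as $row) {
        echo render_row($row), "\n";   // markup in names is shown as text, not run
    }
    var_dump(parse_edit_id(['id' => '2']));      // int(2)
    var_dump(parse_edit_id(['id' => '2 OR 1'])); // NULL
    var_dump(parse_edit_id([]));                 // NULL
}
```
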
    

  18. Authentication session problem.

     

     

    Please can someone help me create a way of securing the pages of my website with a session cookie.

    At present you can wander directories simply by manipulating the URL.

    I need a way to secure the pages if you do not have the correct credentials.

    I want different users to have different levels of access.

     

    Here's a copy of my present authentication form: index.php

     

    
    <html>
    <head>
        <meta http-equiv="Content-Language" content="en-us">
        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
        <title>Login</title>
    <link href="includes/primary_layout.css" rel="stylesheet" type="text/css" /> 
    <!--[if IE]><style type="text/css">body { text-align: center; } #small-blue-box { text-align: left; }</style><![endif]-->
    <link href="../includes/primary_layout.css" rel="stylesheet" type="text/css" />
    </head>
    <body onLoad="document.getElementById('account').focus()">
    <div id="text">
    <div id="wrapper">
    <div id="small-blue-box">
    <div id="form0">
    <form action="scripts/authenticate/auth.php" method="POST">
    <div>
    <div align="center"><img src="graphics/general/concierge_banner.gif" width="180" height="28">Account:
    <input name="account" type="text" id="account" value="info@example.com" size="20">
    </div>
    </div>
    <div>
    <div align="center">Username:
    <input name="username" type="text" id="username" size="20">
    </div>
    </div>
    <div>
    <label for="password">
    <div align="center">Password:
    <input name="password" type="password" id="password" size="20">
    </div>
    </div>
    <p align="center">
    <input type="image" src="graphics/general/login_button.jpg" onClick="document.submit();">
    <p>
    <img src="graphics/general/login_button.jpg" width="150" height="28" alt="login"></p></form>
    </div>
    </div>
    <?php include("includes/footer.inc"); ?>
    </div>
    </body>
    </html>
    
    

     

    Here's a copy of the auth.php script: Which is called by the above.

     

    
    <?php
    if (isset($_POST['username']) && isset($_POST['password'])) {
      $db = mysql_connect('localhost', 'example', 'example') or die("Couldn't connect to the database<br>" . mysql_error());
      mysql_select_db('example', $db) or die("Couldn't select<br>" . mysql_error());
      
      $login = mysql_real_escape_string($_POST['username'], $db);
      $password = mysql_real_escape_string($_POST['password'], $db);
      
      $query = "SELECT privilage FROM auth WHERE login = '$login' AND password = '$password'";
      $result = mysql_query($query, $db) or die("Problem with the query: $query<br>" . mysql_error());
      if (0 === mysql_num_rows($result)) {
        header('Location: ../../index.php');
        exit(0);
      }
      
      $row = mysql_fetch_assoc($result);
      $privilage = $row['privilage'];
      
      session_start();
      $_SESSION['username'] = $login;
      $_SESSION['privilage'] = $privilage;
    
      
      if ('receptionist' === $privilage) {
        header('Location: ../../receptionists/index.php');
        exit(0);
      }
    
      if ('manager' === $privilage) {
        header('Location: ../../managers/index.php');
        exit(0);
      }
    
      if ('administrator' === $privilage) {
        header('Location: ../../admin/index.php');
        exit(0);
      }
    }
    ?>
    
    

     

    This is my present cookie information:

     

     

    Name  PHPSESSID

    Value  p2r4il0jeadghdoa7h4hb7uku5

    Host  www.example.com

    Path  /

    Secure  No

    Expires  At End Of Session

     

     

    This is one of many pages I would like to secure:

     

     

    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Concierge Admin Index</title>
    <link href="../includes/primary_layout.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div id="wrapper">
    <div id="large-blue-box">
    <div id="form1">
    
    <!-- <?php include("../includes/footer.inc"); ?> I would like to make all the below code an include -->
    
      <p><img src="../graphics/general/ai_banner.gif" alt="" width="180" height="28" /></p>
      <p><a href="concierge-setup.php"><img src="../graphics/general/concierge-setup_button.gif" width="180" height="28" /></a></p>
      <p><a href="accommodation.php"><img src="../graphics/general/accomodate_button.gif" width="180" height="28" /></a></p>
      <p><a href="general-log.php"><img src="../graphics/general/gen-log_button.gif" width="180" height="28" /></a></p>
      <p><a href="../index.php"><img src="../graphics/general/lo_button.gif" alt="" width="180" height="28" /></a></p>
    </div>
    <div id="form2">
      <p><img src="../graphics/general/man_index_banner.gif" width="180" height="28" /></p>
      <p><a href="staff_management.php"><img src="../graphics/general/sm_button.gif" width="180" height="28" /></a></p>
    <p><a href="bed_management.php"><img src="../graphics/general/bm_button.gif" width="180" height="28" /></a></p>
    <p><a href="audit_system.php"><img src="../graphics/general/as_button.gif" width="180" height="28" /></a></p>
    <p><a href="shift_summary.php"><img src="../graphics/general/shift-summary_button.gif" width="180" height="28" /></a></p>
    </div>
    <div id="form3">
      <p><img src="../graphics/general/recep_banner.gif" width="180" height="28" /></p>
      <p><a href="check-in-out_index.php"><img src="../graphics/general/check-inout_button.gif" width="180" height="28" /></a></p>
    <p><a href="delinquent_payments.php"><img src="../graphics/general/delinquent-payments_button.gif" width="180" height="28" /></a></p>
      <p><a href="reservations.php"><img src="../graphics/general/reservations_button.gif" width="180" height="28" /></a></p>
      <p><a href="misc_index.php"><img src="../graphics/general/miscellaneous_button.gif" width="180" height="28" /></a></p>
    </div>
    </div>
    <?php include("../includes/footer.inc"); ?>
    </div>
    </body>
    </html>
    
    

     

     

     

  19. Thanks andrewgauger! So at the very top of every page I should put an ob_start()

     

    e.g.

     

    <!-- This is the beginning of the authentication addition -->
    <?php ob_start(); ?>
    <!-- This is the end of the authentication addition -->
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Concierge Admin Index</title>
    <link href="../includes/primary_layout.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div id="wrapper">
    <div id="large-blue-box">
    <div id="form1">
    
    <!-- <?php include("../includes/footer.inc"); ?> I would like to make all the below code an include -->
    
      <p><img src="../graphics/general/ai_banner.gif" alt="" width="180" height="28" /></p>
      <p><a href="concierge-setup.php"><img src="../graphics/general/concierge-setup_button.gif" width="180" height="28" /></a></p>
      <p><a href="accommodation.php"><img src="../graphics/general/accomodate_button.gif" width="180" height="28" /></a></p>
      <p><a href="general-log.php"><img src="../graphics/general/gen-log_button.gif" width="180" height="28" /></a></p>
      <p><a href="../index.php"><img src="../graphics/general/lo_button.gif" alt="" width="180" height="28" /></a></p>
    </div>
    <div id="form2">
      <p><img src="../graphics/general/man_index_banner.gif" width="180" height="28" /></p>
      <p><a href="staff_management.php"><img src="../graphics/general/sm_button.gif" width="180" height="28" /></a></p>
    <p><a href="bed_management.php"><img src="../graphics/general/bm_button.gif" width="180" height="28" /></a></p>
    <p><a href="audit_system.php"><img src="../graphics/general/as_button.gif" width="180" height="28" /></a></p>
    <p><a href="shift_summary.php"><img src="../graphics/general/shift-summary_button.gif" width="180" height="28" /></a></p>
    </div>
    <div id="form3">
      <p><img src="../graphics/general/recep_banner.gif" width="180" height="28" /></p>
      <p><a href="check-in-out_index.php"><img src="../graphics/general/check-inout_button.gif" width="180" height="28" /></a></p>
    <p><a href="delinquent_payments.php"><img src="../graphics/general/delinquent-payments_button.gif" width="180" height="28" /></a></p>
      <p><a href="reservations.php"><img src="../graphics/general/reservations_button.gif" width="180" height="28" /></a></p>
      <p><a href="misc_index.php"><img src="../graphics/general/miscellaneous_button.gif" width="180" height="28" /></a></p>
    </div>
    </div>
    <?php include("../includes/footer.inc"); ?>
    </div>
    </body>
    </html>
    

     

    andrewgauger

    Yeah at the top, and then put an ob_end_flush between your header() and exit() functions

     

    I don't have a header and exit function. Please see above.

     

     

     

  20. Authentication session problem.

     

    Please help me create a way of securing the pages of my website with a session cookie.

    At present you can wander directories simply by manipulating the URL.

    I need a way to secure the pages if you do not have the correct credentials.

    I want different users to have different levels of access.

     

    Here's a copy of my present authentication form: index.php

     

    
    <html>
    <head>
        <meta http-equiv="Content-Language" content="en-us">
        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
        <title>Login</title>
    <link href="includes/primary_layout.css" rel="stylesheet" type="text/css" /> 
    <!--[if IE]><style type="text/css">body { text-align: center; } #small-blue-box { text-align: left; }</style><![endif]-->
    <link href="../includes/primary_layout.css" rel="stylesheet" type="text/css" />
    </head>
    <body onLoad="document.getElementById('account').focus()">
    <div id="text">
    <div id="wrapper">
    <div id="small-blue-box">
    <div id="form0">
    <form action="scripts/authenticate/auth.php" method="POST">
    <div>
    <div align="center"><img src="graphics/general/concierge_banner.gif" width="180" height="28">Account:
    <input name="account" type="text" id="account" value="info@example.com" size="20">
    </div>
    </div>
    <div>
    <div align="center">Username:
    <input name="username" type="text" id="username" size="20">
    </div>
    </div>
    <div>
    <label for="password">
    <div align="center">Password:
    <input name="password" type="password" id="password" size="20">
    </div>
    </div>
    <p align="center">
    <input type="image" src="graphics/general/login_button.jpg" onClick="document.submit();">
    <p>
    <img src="graphics/general/login_button.jpg" width="150" height="28" alt="login"></p></form>
    </div>
    </div>
    <?php include("includes/footer.inc"); ?>
    </div>
    </body>
    </html>
    
    

     

    Here's a copy of the auth.php script: Which is called by the above.

     

    
    <?php
    if (isset($_POST['username']) && isset($_POST['password'])) {
      $db = mysql_connect('localhost', 'example', 'example') or die("Couldn't connect to the database<br>" . mysql_error());
      mysql_select_db('example', $db) or die("Couldn't select<br>" . mysql_error());
      
      $login = mysql_real_escape_string($_POST['username'], $db);
      $password = mysql_real_escape_string($_POST['password'], $db);
      
      $query = "SELECT privilage FROM auth WHERE login = '$login' AND password = '$password'";
      $result = mysql_query($query, $db) or die("Problem with the query: $query<br>" . mysql_error());
      if (0 === mysql_num_rows($result)) {
        header('Location: ../../index.php');
        exit(0);
      }
      
      $row = mysql_fetch_assoc($result);
      $privilage = $row['privilage'];
      
      session_start();
      $_SESSION['username'] = $login;
      $_SESSION['privilage'] = $privilage;
    
      
      if ('receptionist' === $privilage) {
        header('Location: ../../receptionists/index.php');
        exit(0);
      }
    
      if ('manager' === $privilage) {
        header('Location: ../../managers/index.php');
        exit(0);
      }
    
      if ('administrator' === $privilage) {
        header('Location: ../../admin/index.php');
        exit(0);
      }
    }
    ?>
    
    

     

    This is my present cookie information:

     

     

    Name  PHPSESSID

    Value  p2r4il0jeadghdoa7h4hb7uku5

    Host  www.example.com

    Path  /

    Secure  No

    Expires  At End Of Session

     

     

    This is one of many pages I would like to secure: I believe I need something in the header of these pages that will stop people wandering.

     

     

    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Concierge Admin Index</title>
    <link href="../includes/primary_layout.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div id="wrapper">
    <div id="large-blue-box">
    <div id="form1">
    
    <!-- <?php include("../includes/footer.inc"); ?> I would like to make all the below code an include -->
    
      <p><img src="../graphics/general/ai_banner.gif" alt="" width="180" height="28" /></p>
      <p><a href="concierge-setup.php"><img src="../graphics/general/concierge-setup_button.gif" width="180" height="28" /></a></p>
      <p><a href="accommodation.php"><img src="../graphics/general/accomodate_button.gif" width="180" height="28" /></a></p>
      <p><a href="general-log.php"><img src="../graphics/general/gen-log_button.gif" width="180" height="28" /></a></p>
      <p><a href="../index.php"><img src="../graphics/general/lo_button.gif" alt="" width="180" height="28" /></a></p>
    </div>
    <div id="form2">
      <p><img src="../graphics/general/man_index_banner.gif" width="180" height="28" /></p>
      <p><a href="staff_management.php"><img src="../graphics/general/sm_button.gif" width="180" height="28" /></a></p>
    <p><a href="bed_management.php"><img src="../graphics/general/bm_button.gif" width="180" height="28" /></a></p>
    <p><a href="audit_system.php"><img src="../graphics/general/as_button.gif" width="180" height="28" /></a></p>
    <p><a href="shift_summary.php"><img src="../graphics/general/shift-summary_button.gif" width="180" height="28" /></a></p>
    </div>
    <div id="form3">
      <p><img src="../graphics/general/recep_banner.gif" width="180" height="28" /></p>
      <p><a href="check-in-out_index.php"><img src="../graphics/general/check-inout_button.gif" width="180" height="28" /></a></p>
    <p><a href="delinquent_payments.php"><img src="../graphics/general/delinquent-payments_button.gif" width="180" height="28" /></a></p>
      <p><a href="reservations.php"><img src="../graphics/general/reservations_button.gif" width="180" height="28" /></a></p>
      <p><a href="misc_index.php"><img src="../graphics/general/miscellaneous_button.gif" width="180" height="28" /></a></p>
    </div>
    </div>
    <?php include("../includes/footer.inc"); ?>
    </div>
    </body>
    </html>
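
One way to write the check this post and its two earlier copies above ask for, as an added example rather than the poster's or the forum's code: a single include that each protected page calls before its DOCTYPE, plus the matching login and logout steps for the PHPSESSID session. The file name, `LOGIN_PAGE` and all function names are assumptions; the session keys `username` and `privilage` are the ones auth.php stores.

```php
<?php
declare(strict_types=1);

// includes/session_guard.php -- hypothetical file name. Added example, not the poster's code.

const LOGIN_PAGE = '/index.php'; // assumption: the login form sits at the site root

/** Start the session with a hardened cookie (the array form needs PHP 7.3+). */
function start_guarded_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']), // send only over HTTPS when the site uses it
        'httponly' => true,                      // keep PHPSESSID away from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Pure decision: 'ok', 'login' (no authenticated session) or 'forbidden' (wrong role). */
function check_access(array $session, array $allowedRoles): string
{
    if (empty($session['username']) || empty($session['privilage'])) {
        return 'login';
    }
    return in_array($session['privilage'], $allowedRoles, true) ? 'ok' : 'forbidden';
}

/**
 * First statement of every protected page, before any output, e.g. in admin/index.php:
 *   require __DIR__ . '/../includes/session_guard.php';
 *   require_privilege(['administrator']);
 */
function require_privilege(array $allowedRoles): void
{
    start_guarded_session();
    $verdict = check_access($_SESSION, $allowedRoles);
    if ($verdict === 'login') {
        header('Location: ' . LOGIN_PAGE);
        exit;
    }
    if ($verdict === 'forbidden') {
        http_response_code(403);
        exit('You do not have access to this page.');
    }
}

/** In auth.php, once the credentials check has passed, in place of the bare session_start(). */
function begin_login(string $login, string $privilege): void
{
    start_guarded_session();
    session_regenerate_id(true); // fresh id at login, so an id issued before login is useless
    $_SESSION['username']  = $login;
    $_SESSION['privilage'] = $privilege;
}

/** Log out: empty the session, expire the PHPSESSID cookie, delete the server-side data. */
function log_out(): void
{
    start_guarded_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Self-check on constructed sessions when run directly: php session_guard.php
if (PHP_SAPI === 'cli' && realpath($_SERVER['argv'][0] ?? '') === __FILE__) {
    $cases = [
        'no session'               => [[], ['administrator']],
        'receptionist, admin page' => [['username' => 'pat', 'privilage' => 'receptionist'], ['administrator']],
        'manager, shared page'     => [['username' => 'sam', 'privilage' => 'manager'], ['manager', 'administrator']],
    ];
    foreach ($cases as $label => [$session, $roles]) {
        printf("%-26s %s\n", $label, check_access($session, $roles));
    }
}
```

header() only works before any output, so the require_privilege() call has to come ahead of the DOCTYPE line. The browser only ever holds the PHPSESSID value; the username and privilege stay on the server in `$_SESSION`, which is why the check reads the session rather than a `username` cookie.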
    
    

     

     

     
