iarp Posted April 18, 2008 Share Posted April 18, 2008 Hey, this is my story. In the header file i have this: $userlevel = $_SESSION[‘userlevel’] On my admin pages i've put: include ('../includes/header.php'); if ($userlevel == "9"){ ?> <div id="content"> <!—Show admin content here à </div> <!-- END CONTENT --> <?php include ('../includes/footer.php'); } else { <!—if the person requesting the page is not the correct userlevel, redirect them to the home page. --> $url = 'http://' . $_SERVER['HTTP_HOST']; if ((substr($url, -1) =='/') OR (substr($url, -1) == '\\') ) { $url = substr ($url, 0, -1); // Chop off the slash. } $url .= '/index.php'; header("Location: $url"); exit(); } ?> Now what i’m worried that someone with better knowledge in this field will be able to get by this very easily. p.s. i'm using if ($userlevel == "9") { echo '<a href="../admin/view_users.php">View Users</a><br />'; } for my menu items.. should seem to be fine. Any helps appreciated -- Thanks Iarp Quote Link to comment https://forums.phpfreaks.com/topic/101640-authenticating-the-user-according-to-level-set-in-the-database/ Share on other sites More sharing options...
unidox Posted April 18, 2008 Share Posted April 18, 2008 How would they get by? Make sure it is numeric and because it is a session, someone would have to access your server in order to set the same session. That way is secure. Quote Link to comment https://forums.phpfreaks.com/topic/101640-authenticating-the-user-according-to-level-set-in-the-database/#findComment-520047 Share on other sites More sharing options...
iarp Posted April 18, 2008 Author Share Posted April 18, 2008 I've very new to this php & mysql integration, i just finish going through like 4 books on it... kind of a drag but it helped more then i thought. As i have it admin is 9, guest is 1 and user is 2. And i didn't know if there was a possible way for someone to forge the number and get by without my passwords and such, thanks though. Safer to ask then hope it doesn't happen to you. Quote Link to comment https://forums.phpfreaks.com/topic/101640-authenticating-the-user-according-to-level-set-in-the-database/#findComment-520074 Share on other sites More sharing options...
rameshfaj Posted April 18, 2008 Share Posted April 18, 2008 Why are u statically checking numerical values like 1,2,9 etc?Instead store something in database that is encrypted.Now while comparing also compare with the encrypted values so that it would be more secure and safe. Quote Link to comment https://forums.phpfreaks.com/topic/101640-authenticating-the-user-according-to-level-set-in-the-database/#findComment-520107 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.