Authenticating the user according to level set in the database.

[iarp]

Hey, this is my story.

 

In the header file i have this:

 

$userlevel = $_SESSION[‘userlevel’]

 

On my admin pages i've put:

 

include ('../includes/header.php'); 

if ($userlevel == "9"){
?>
                <div id="content">

                <!—Show admin content here à

                </div> <!-- END CONTENT -->
<?php
include ('../includes/footer.php');
} else {
                <!—if the person requesting the page is not the correct userlevel, redirect them to the home page. -->

                                                $url = 'http://' . $_SERVER['HTTP_HOST'];
                                                if ((substr($url, -1) =='/') OR (substr($url, -1) == '\\') ) {
                                                                $url = substr ($url, 0, -1); // Chop off the slash.
                                                }
                                                $url .= '/index.php';
                                                header("Location: $url");
                                                exit(); 
}
?>

 

Now what i’m worried that someone with better knowledge in this field will be able to get by this very easily.

p.s. i'm using

 if ($userlevel == "9") { echo '<a href="../admin/view_users.php">View Users</a><br />'; }

for my menu items.. should seem to be fine.

 

Any helps appreciated

--

Thanks

Iarp

[unidox]

How would they get by? Make sure it is numeric and because it is a session, someone would have to access your server in order to set the same session. That way is secure.

[iarp]

I've very new to this php & mysql integration, i just finish going through like 4 books on it... kind of a drag but it helped more then i thought.

 

As i have it admin is 9, guest is 1 and user is 2.

 

And i didn't know if there was a possible way for someone to forge the number and get by without my passwords and such, thanks though. Safer to ask then hope it doesn't happen to you.

[rameshfaj]

Why are u statically checking numerical values like 1,2,9 etc?Instead store something in database that is encrypted.Now  while comparing also compare with the encrypted values so that it would be more secure and safe.