user and Admin check

designerguy · March 22, 2009

Hi there,

I have a login page which I would like to add a control panel to this page so if the user is admin and logs in then I would like to show the control panel if not then I would like the user to be redirected to the members area.

How would I check to see if the user is admin or not.

Thanks

ram4nd · March 22, 2009

Depends on how your login is built.

Maq · March 22, 2009

Probably sessions?

if($_SESSIONS['user_type'] == "admin")

ram4nd · March 22, 2009

If there is only 1 admin then session shouldn't be necessary.

Maq · March 22, 2009

If there is only 1 admin then session shouldn't be necessary.

Yeah I know, but it's impossible to tell when the OP doesn't provide any helpful information.

designerguy · March 22, 2009

If there is only 1 admin then session shouldn't be necessary.

Yeah I know, but it's impossible to tell when the OP doesn't provide any helpful information.

sorry. yes there are different Admins. I am going to check your code to see if that works.

FaT3oYCG · March 22, 2009

with sessions but as it has been said it depends how your user login system is built as mine is built with access levels from 1 - 10 at the moment with 9 of the 10 actually having user levels and one being a NULL level of access with no user, unregistered users are classed as level 10 and gods aka me only for my site classed as level 1 who would be abe to access and modify all closley followed by super users and administrators all the way down to plain old regular users

Maq · March 22, 2009

If there is only 1 admin then session shouldn't be necessary.

Yeah I know, but it's impossible to tell when the OP doesn't provide any helpful information.

sorry. yes there are different Admins. I am going to check your code to see if that works.

What code? We need you to tell us exactly how your login system works, specifically the user groups. So far you have given us no helpful information.

designerguy · March 22, 2009

with sessions but as it has been said it depends how your user login system is built as mine is built with access levels from 1 - 10 at the moment with 9 of the 10 actually having user levels and one being a NULL level of access with no user, unregistered users are classed as level 10 and gods aka me only for my site classed as level 1 who would be abe to access and modify all closley followed by super users and administrators all the way down to plain old regular users

I have four different user_types :

these are in the user_types table:

with the type_name and type_id fields

admin is 1

guest is 2

author is 3

user is 4

and I have another tables called users which contain all the fields such as user_type, first_name etc.

here it is the php code on the top of my page:


<?php

error_reporting(6143);
require_once("includes/db.inc.php");
//include the file that connects to the database


if( isset($_POST['btnSubmit']) ){
//the user has clicked the submit button
$un = trim($_POST['username']);		//our username field in the html form
$pw = trim($_POST['pwd']);				//out pwd field in the html form
$key = "1234";
$strSQL = "SELECT user_id, user_name, user_type
				FROM users
				WHERE user_name='$un' AND '$pw' = AES_DECRYPT(pwd_b, '$key') ";
//OR to use the MD5 column
$strSQLMD5 = "SELECT user_id, user_name, user_type
				FROM users
				WHERE user_name='$un' AND pwd = MD5('$pw') ";
$rs = mysql_query($strSQL, $oConn);

if( $rs  && mysql_num_rows($rs) == 1    ){
	//if the code gets to this point it means that the username and password matched
	//we could get all the information we need about the user from the database...
	$row = mysql_fetch_assoc($rs);



	if($_SESSIONS['user_type'] == "1") {

	header("Location: user-edit.php");

	} else if ($_SESSIONS['user_type'] !== "1"){

	$_SESSION['user_id'] =  $row['user_id'];
	$_SESSION['user_name'] = $row['user_name'];
	$_SESSION['user_type'] = $row['user_type'];	
	header("Location: members/members.php");			
	$feedback = "Successful login.";
}else{
	$errMsg = "Invalid Login";
}

}
}

?>

that doesnot seem to work

Maq · March 22, 2009

Does anything happen?

You should have session_start() at the top of all the pages you're using sessions in.

You can print out the session variables to make sure they're being set.

print_r($_SESSION);

It's also SESSION not SESSIONS (that's my fault, in my example I used the wrong one).

jackpf · March 22, 2009

My personal site has three user groups: users, moderators and admins.

When they go to log in, depending on what user group they are in, they have different cookies set. Then, when it comes to displaying stuff for certain user groups, I just check their cookies. Pretty simple really.

designerguy · March 22, 2009

I did change that SESSIONS to SESSION. How come I did not notice it. That is why being newbie sucks .

However it does not work. when I login as admin it redirects me to the member area rather than control panel.

In regards to cookies I am not sure if that is the secure way to check for admin or not.

and yes I do have session start in my db.inc.php

Maq · March 22, 2009

However it does not work. when I login as admin it redirects me to the member area rather than control panel.

That means it's failing here:

      if($_SESSIONS['user_type'] == "1") {

Have you echoed the session, specifically 'user_type', to ensure that it's 1, or even being set?

designerguy · March 22, 2009

However it does not work. when I login as admin it redirects me to the member area rather than control panel.

That means it's failing here:
      if($_SESSIONS['user_type'] == "1") {
Have you echoed the session, specifically 'user_type', to ensure that it's 1, or even being set?

No I have not. The code that I provided earlier is what I have. How would I do that please?

Maq · March 22, 2009

At the top of your script you can print out the whole session array:

print_r($_SESSION);

or you can just echo it out before your if statement:

echo $_SESSION['user_type'];
if($_SESSIONS['user_type'] == "1")

designerguy · March 22, 2009

At the top of your script you can print out the whole session array:
print_r($_SESSION);
or you can just echo it out before your if statement:
echo $_SESSION['user_type'];
if($_SESSIONS['user_type'] == "1")

I did add that but still dont work

Maq · March 22, 2009

At the top of your script you can print out the whole session array:
print_r($_SESSION);
or you can just echo it out before your if statement:
echo $_SESSION['user_type'];
if($_SESSIONS['user_type'] == "1")
I did add that but still dont work

It's not supposed to... It was for debugging purposes, does the echo print out the number '1'?

designerguy · March 22, 2009

At the top of your script you can print out the whole session array:
print_r($_SESSION);
or you can just echo it out before your if statement:
echo $_SESSION['user_type'];
if($_SESSIONS['user_type'] == "1")
I did add that but still dont work
It's not supposed to... It was for debugging purposes, does the echo print out the number '1'?

no it does not. However I solved the problem by adding this:


if($_SESSION['user_type']=$row['user_type'] == 1) {

	header("Location: user-edit.php");

	} else if ($_SESSION['user_type']=$row['user_type'] != 1){
header("Location: members.php");
}

Thanks a lot for the help.

designerguy · March 22, 2009

Actually i got problem with the login now by adding that. I will check and post back.

sKunKbad · March 22, 2009

Theres an semi-outdated login script that is full featured over at evolt.org:

http://www.evolt.org/PHP-Login-System-with-Admin-Features

It's worth checking out. I say it's outdated because it lacks some necessary security features to combat session fixation and session hijacking. I think you could use it with a few modifications.

Maq · March 22, 2009

Theres an semi-outdated login script that is full featured over at evolt.org:

http://www.evolt.org/PHP-Login-System-with-Admin-Features

It's worth checking out. I say it's outdated because it lacks some necessary security features to combat session fixation and session hijacking. I think you could use it with a few modifications.

I'm not sure you want to use that, it's from 2004 and uses some old methods and like skunkbad said, it contains security flaws. Although, you could get some good design ideas from it.

Sign In

user and Admin check

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation

Important Information