user and Admin check

[designerguy]

Hi there,

 

I have a login page which I would like to add a control panel to this page so if the user is admin and logs in then I would like to show the control panel if not then I would like the user to be redirected to the members area.

 

How would I check to see if the user is admin or not.

 

Thanks

[ram4nd]

Depends on how your login is built.

[Maq]

Probably sessions?

 

if($_SESSIONS['user_type'] == "admin") 

[ram4nd]

If there is only 1 admin then session shouldn't be necessary.

[Maq]

If there is only 1 admin then session shouldn't be necessary.

 

Yeah I know, but it's impossible to tell when the OP doesn't provide any helpful information.

[designerguy]

If there is only 1 admin then session shouldn't be necessary.

 

Yeah I know, but it's impossible to tell when the OP doesn't provide any helpful information.

 

sorry. yes there are different Admins. I am going to check your code to see if that works.

[FaT3oYCG]

with sessions but as it has been said it depends how your user login system is built as mine is built with access levels from 1 - 10 at the moment with 9 of the 10 actually having user levels and one being a NULL level of access with no user, unregistered users are classed as level 10 and gods aka me only for my site classed as level 1 who would be abe to access and modify all closley followed by super users and administrators all the way down to plain old regular users

[Maq]

If there is only 1 admin then session shouldn't be necessary.

 

Yeah I know, but it's impossible to tell when the OP doesn't provide any helpful information.

 

sorry. yes there are different Admins. I am going to check your code to see if that works.

 

What code?  We need you to tell us exactly how your login system works, specifically the user groups.  So far you have given us no helpful information.

[designerguy]

with sessions but as it has been said it depends how your user login system is built as mine is built with access levels from 1 - 10 at the moment with 9 of the 10 actually having user levels and one being a NULL level of access with no user, unregistered users are classed as level 10 and gods aka me only for my site classed as level 1 who would be abe to access and modify all closley followed by super users and administrators all the way down to plain old regular users

 

I have four different user_types :

 

 

these are in the user_types table:

with the type_name and type_id fields

 

admin is 1

guest is 2

author is 3

user is 4

 

and I have another tables called users which contain all the fields such as user_type, first_name etc.

 

here it is the php code on the top of my page:

<?php

error_reporting(6143);
require_once("includes/db.inc.php");
//include the file that connects to the database


if( isset($_POST['btnSubmit']) ){
//the user has clicked the submit button
$un = trim($_POST['username']);		//our username field in the html form
$pw = trim($_POST['pwd']);				//out pwd field in the html form
$key = "1234";
$strSQL = "SELECT user_id, user_name, user_type
				FROM users
				WHERE user_name='$un' AND '$pw' = AES_DECRYPT(pwd_b, '$key') ";
//OR to use the MD5 column
$strSQLMD5 = "SELECT user_id, user_name, user_type
				FROM users
				WHERE user_name='$un' AND pwd = MD5('$pw') ";
$rs = mysql_query($strSQL, $oConn);

if( $rs  && mysql_num_rows($rs) == 1    ){
	//if the code gets to this point it means that the username and password matched
	//we could get all the information we need about the user from the database...
	$row = mysql_fetch_assoc($rs);



	if($_SESSIONS['user_type'] == "1") {

	header("Location: user-edit.php");

	} else if ($_SESSIONS['user_type'] !== "1"){

	$_SESSION['user_id'] =  $row['user_id'];
	$_SESSION['user_name'] = $row['user_name'];
	$_SESSION['user_type'] = $row['user_type'];	
	header("Location: members/members.php");			
	$feedback = "Successful login.";
}else{
	$errMsg = "Invalid Login";
}

}
}

?>

 

that doesnot seem to work

[Maq]

Does anything happen?

 

You should have session_start() at the top of all the pages you're using sessions in.

 

You can print out the session variables to make sure they're being set.

 

print_r($_SESSION);

 

It's also SESSION not SESSIONS (that's my fault, in my example I used the wrong one).

[jackpf]

My personal site has three user groups: users, moderators and admins.

 

When they go to log in, depending on what user group they are in, they have different cookies set. Then, when it comes to displaying stuff for certain user groups, I just check their cookies. Pretty simple really.

[designerguy]

I did change that SESSIONS to SESSION. How come I did not notice it. That is why being newbie sucks .

 

However it does not work. when I login as admin it redirects me to the member area rather than control panel.

 

In regards to cookies I am not sure if that is the secure way to check for admin or not.

 

and yes I do have session start in my db.inc.php

[Maq]

However it does not work. when I login as admin it redirects me to the member area rather than control panel.

 

That means it's failing here:

 

      if($_SESSIONS['user_type'] == "1") {

 

Have you echoed the session, specifically 'user_type', to ensure that it's 1, or even being set?

[designerguy]

However it does not work. when I login as admin it redirects me to the member area rather than control panel.

 

That means it's failing here:

 

      if($_SESSIONS['user_type'] == "1") {

 

Have you echoed the session, specifically 'user_type', to ensure that it's 1, or even being set?

 

No I have not. The code that I provided earlier is what I have. How would I do that please?

[Maq]

At the top of your script you can print out the whole session array:

 

print_r($_SESSION);

 

or you can just echo it out before your if statement:

 

echo $_SESSION['user_type'];
if($_SESSIONS['user_type'] == "1")

 

[designerguy]

At the top of your script you can print out the whole session array:

 

print_r($_SESSION);

 

or you can just echo it out before your if statement:

 

echo $_SESSION['user_type'];
if($_SESSIONS['user_type'] == "1")

 

I did add that but still dont work

[Maq]

At the top of your script you can print out the whole session array:

 

print_r($_SESSION);

 

or you can just echo it out before your if statement:

 

echo $_SESSION['user_type'];
if($_SESSIONS['user_type'] == "1")

 

I did add that but still dont work

 

It's not supposed to...  It was for debugging purposes, does the echo print out the number '1'?

[designerguy]

At the top of your script you can print out the whole session array:

 

print_r($_SESSION);

 

or you can just echo it out before your if statement:

 

echo $_SESSION['user_type'];
if($_SESSIONS['user_type'] == "1")

 

I did add that but still dont work

 

It's not supposed to...  It was for debugging purposes, does the echo print out the number '1'?

 

no it does not. However I solved the problem by adding this:

 

if($_SESSION['user_type']=$row['user_type'] == 1) {

	header("Location: user-edit.php");

	} else if ($_SESSION['user_type']=$row['user_type'] != 1){
header("Location: members.php");
}

 

Thanks a lot for the help.

[designerguy]

Actually i got problem with the login now by adding that. I will check and post back.

[sKunKbad]

Theres an semi-outdated login script that is full featured over at evolt.org:

 

http://www.evolt.org/PHP-Login-System-with-Admin-Features

 

It's worth checking out. I say it's outdated because it lacks some necessary security features to combat session fixation and session hijacking. I think you could use it with a few modifications.

 

 

[Maq]

Theres an semi-outdated login script that is full featured over at evolt.org:

 

http://www.evolt.org/PHP-Login-System-with-Admin-Features

 

It's worth checking out. I say it's outdated because it lacks some necessary security features to combat session fixation and session hijacking. I think you could use it with a few modifications.

 

 

 

I'm not sure you want to use that, it's from 2004 and uses some old methods and like skunkbad said, it contains security flaws.  Although, you could get some good design ideas from it.