twobyfour2 Posted August 26, 2009

OK here we go. In mysql, usernames and passwords are stored in rows. When a user logs in, the user goes to a default page. On that page, there are links that connect to other protected pages that he/she has to be authorized to get to. It is a separate validation. He must be logged in and be authorized to go to these other pages. Users may get to the default page without ever needing to get to the other pages. I am setting a variable in mysql under column X. To get to the other protected pages, the user must have a variable in his mysql row where the username and password are kept and have the set variable that I add in mysql under the column X. How do I code for this? I tried so many I am about to puke. The codes I tried do not check for the variable that is set in mysql. Please help.
mellis95 Posted August 27, 2009

Register value of column X in a session variable and then on each restricted page do something along these lines: (I use a value of 1 to mean the user is authorized, 0 is not authorized)

```php
<?php
session_start();

// not logged in: send the user back to the login page
// (isset() replaces session_is_registered(), which was removed in PHP 5.4)
if (!isset($_SESSION['myusername'])) {
    header("location:../index.php");
    exit; // header() alone does not stop the rest of the page from running
}

if ($_SESSION['x'] == 1) {
    header("location:http://restricted_page.php");
    exit;
} elseif ($_SESSION['x'] == 0) {
    header("location:http://unrestricted_main_page.php");
    exit;
}
?>
```
twobyfour2 Posted August 27, 2009

so far this works half way. do i put this code in the page that they are connecting to? if i do what should i put here header("location:http://restricted_page.php"); if i put the url here then the link they click on will be the same url that is put here causing an error. however the url redirects the user to the error page perfectly. thanks for your help. i have been racking my brain around this for some time.
akitchin Posted August 27, 2009

presuming that you have authentication in place that verifies the user's username and password, on the protected pages, you may simply add an item to the WHERE clause that checks the user's info:

```sql
SELECT stuff FROM users WHERE username='$whatever' AND password='$whatever2' AND column='X'
```

if the user doesn't have the appropriate value in `column`, the query won't SELECT anything (even if the username and password exist and are correct) and the authentication will fail. it's hard to offer any other solutions or fixes without seeing the relevant code you're currently working with.
Rommeo Posted August 27, 2009

> so far this works half way. do i put this code in the page that they are connecting to? if i do what should i put here header("location:http://restricted_page.php"); if i put the url here then the link they click on will be the same url that is put here causing an error. however the url redirects the user to the error page perfectly. thanks for your help. i have been racking my brain around this for some time.

instead, you can create a file which verifies the user and include it in the restricted pages. like:

```php
<?php
// $user_verified is a placeholder: set it from your own login/authorization check
if ($user_verified) {
    echo "username logged in";
} else {
    echo " you're not allowed to view this page";
    exit; // stop here so the rest of the restricted page is not sent
}
```
twobyfour2 Posted August 27, 2009

the protected pages require the function.php file and the config.php file. here is the function.php

```php
<?php
//function to get the date
function last_login()
{
    //$zone is assumed to be the offset set in config.php; without this line it is undefined here
    global $zone;
    $date = gmdate("d-M-Y h:i:s A", time() + $zone) . ' GMT';
    return $date;
}

//function that sets the session variable
function sess_vars($base_dir, $server, $dbusername, $dbpassword, $db_name, $table_name, $user, $pass)
{
    //make connection to dbase
    $connection = @mysql_connect($server, $dbusername, $dbpassword) or die(mysql_error());
    $db = @mysql_select_db($db_name, $connection) or die(mysql_error());

    //escape the submitted values before they are placed in the query string
    $user = mysql_real_escape_string($user, $connection);
    $pass = mysql_real_escape_string($pass, $connection);

    $sql = "SELECT * FROM $table_name WHERE username = '$user' and password = password('$pass')";
    $result = @mysql_query($sql, $connection) or die(mysql_error());

    //get the number of rows in the result set
    $num = mysql_num_rows($result);

    //set session variables if there is a match
    if ($num != 0) {
        while ($row = mysql_fetch_object($result)) {
            $_SESSION['first_name'] = $row->firstname;
            $_SESSION['last_name'] = $row->lastname;
            $_SESSION['user_name'] = $row->username;
            $_SESSION['password'] = $row->password;
            $_SESSION['group1'] = $row->group1;
            $_SESSION['group2'] = $row->group2;
            $_SESSION['group3'] = $row->group3;
            $_SESSION['pchange'] = $row->pchange;
            $_SESSION['email'] = $row->email;
            $_SESSION['redirect'] = $row->redirect;
            $_SESSION['verified'] = $row->verified;
            $_SESSION['last_login'] = $row->last_login;
            $_SESSION['memberid'] = $row->memberid;
        }
    } else {
        $_SESSION['redirect'] = "$base_dir/errorlogin.html";
    }
}

//functions that will determine if access is allowed
function allow_access($group)
{
    if ($_SESSION['group1'] == "$group" || $_SESSION['group2'] == "$group" || $_SESSION['group3'] == "$group" ||
        $_SESSION['group1'] == "Administrators" || $_SESSION['group2'] == "Administrators" || $_SESSION['group3'] == "Administrators" ||
        $_SESSION['user_name'] == "$group") {
        $allowed = "yes";
    } else {
        $allowed = "no";
    }
    return $allowed;
}

//function to check the length of the requested password
function password_check($min_pass, $max_pass, $pass)
{
    $valid = "yes";
    if ($min_pass > strlen($pass) || $max_pass < strlen($pass)) {
        $valid = "no";
    }
    return $valid;
}
?>
```

and the redirect.php file after user logs in

```php
<?php
//prevents caching
header("Expires: Sat, 01 Jan 2000 00:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: post-check=0, pre-check=0", false);
session_cache_limiter();
session_start();

//clear session variables
session_unset();

//require the functions file
require ("config.php");
require ("functions.php");

//check to see if cookies are already set, remember me
//(read from $_COOKIE; the bare $lr_user / $lr_pass only exist with register_globals on)
$lr_user = isset($_COOKIE['lr_user']) ? $_COOKIE['lr_user'] : '';
$lr_pass = isset($_COOKIE['lr_pass']) ? $_COOKIE['lr_pass'] : '';
if ((!$lr_user) || (!$lr_pass)) {
    $username = $_POST['username'];
    $password = $_POST['password'];
} else {
    $username = $lr_user;
    $password = $lr_pass;
}

//if username or password is blank, send to errorlogin.html
if ((!$username) || (!$password)) {
    header("Location:$base_dir/errorlogin.html");
    exit;
}

//sets cookies to remember this computer if the user asks to
if ($_POST['remember'] == "Yes") {
    setcookie("lr_user", $username, $duration, "/", $domain);
    setcookie("lr_pass", $password, $duration, "/", $domain);
}

//note: this block runs before the username and password are checked by sess_vars()
if ($_POST['activate'] == "Yes") {
    //make the connection to the database
    $connection = @mysql_connect($server, $dbusername, $dbpassword) or die(mysql_error());
    $db = @mysql_select_db($db_name, $connection) or die(mysql_error());

    //build and issue the query (submitted username escaped first)
    $activate_user = mysql_real_escape_string($_POST['username'], $connection);
    $sql = "UPDATE $table_name SET verified = '1' WHERE username = '$activate_user'";
    $result = @mysql_query($sql, $connection) or die(mysql_error());
}

//sets session variables
sess_vars($base_dir, $server, $dbusername, $dbpassword, $db_name, $table_name, $username, $password);

//check to see if the user has to change their password
if ($_SESSION['pchange'] == "1") {
    $_SESSION['redirect'] = "$base_dir/pass_change.html";
}

//check to see if the user has activated the account
if ($_SESSION['verified'] == "0") {
    $_SESSION['redirect'] = "$base_dir/not_activated.html";
}

//make the connection to the database
$connection = @mysql_connect($server, $dbusername, $dbpassword) or die(mysql_error());
$db = @mysql_select_db($db_name, $connection) or die(mysql_error());

//build and issue the query
$sql = "SELECT * FROM banned";
$result = @mysql_query($sql, $connection) or die(mysql_error());

while ($row = mysql_fetch_object($result)) {
    $banned = $row->no_access;
    //$_SERVER['REMOTE_ADDR'] replaces the register_globals variable $REMOTE_ADDR
    if ($username == $banned || $_SERVER['REMOTE_ADDR'] == $banned) {
        include ('banned.html');
        exit;
    }
}

$last_log = last_login();

//updates table with last log as now
$log_user = mysql_real_escape_string($_SESSION['user_name'], $connection);
$sql = "UPDATE $table_name SET last_login = '$last_log' WHERE username = '$log_user'";
$result = @mysql_query($sql, $connection) or die(mysql_error());

if (($_SESSION['redirect'] != "$base_dir/errorlogin.html") && ($log_login == "1")) {
    include('loglogin.php');
}

//redirects the user
header("Location:$_SESSION[redirect]");
?>
<head><title>Redirect</title></head>
```

please let me know what else you need.
twobyfour2 Posted August 28, 2009

Alright, i got it. Thanks mellis95 and Rommeo. I combined your suggestions and came up with a working code. I am slowly understanding php and mysql.
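
The pieces suggested in this thread (a login session, akitchin's database check on column X, Rommeo's shared include) can be combined into one guard; the following is an added example, not code from any poster. It assumes a `users` table with `username` and `x` columns, the `user_name` session key and redirect targets seen in the posts above, and it uses an in-memory SQLite database with constructed rows in place of MySQL so it runs on its own.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// MySQL and the rows are constructed; 'users' is an assumed table name.

// What should a protected page do for this session?
// 'login' = not logged in, 'denied' = logged in but x is not 1, 'ok' = allowed.
function access_decision(PDO $db, array $session)
{
    if (empty($session['user_name'])) {
        return 'login';
    }
    // Re-read the flag on every request so a revoked user loses access at
    // once; the bound parameter keeps the username out of the SQL text.
    $stmt = $db->prepare('SELECT x FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $session['user_name']));
    $x = $stmt->fetchColumn();
    return ($x !== false && (int) $x === 1) ? 'ok' : 'denied';
}

// Guard for the top of each restricted page (after session_start()).
// It redirects only on failure, so a page never redirects to itself.
function require_authorized(PDO $db, array $session)
{
    $decision = access_decision($db, $session);
    if ($decision === 'ok') {
        return;
    }
    $target = ($decision === 'login') ? '../index.php' : 'unrestricted_main_page.php';
    header('Location: ' . $target);
    exit; // without this the rest of the protected page is still sent
}

// Constructed demo data and sessions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, x INTEGER NOT NULL)');
$db->exec("INSERT INTO users VALUES ('alice', 1), ('bob', 0), ('o''neil', 1)");

$sessions = array(
    array('user_name' => 'alice'),
    array('user_name' => 'bob'),
    array('user_name' => "o'neil"),
    array('user_name' => 'mallory'), // no such row
    array(),                         // not logged in
);
foreach ($sessions as $s) {
    $name = isset($s['user_name']) ? $s['user_name'] : '(no session)';
    echo $name, ' => ', access_decision($db, $s), PHP_EOL;
}
```

On a real page the call would be `require_authorized($db, $_SESSION);` placed before any output, with `$db` pointing at the MySQL database.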