lingo5, posted April 30, 2010:

Hi, I have done a simple user login system that allows for an admin to access a private control panel. What I need to do now is to make it multi-user, so that every registered user will be able to log on and access only his data. How can I do this? At the moment all users access all info and this is not good. Thanks

shedokan, posted April 30, 2010:

First you'll need to save users somewhere, like a database. Then at the place where you check if the password and username matches the admins database and password you just search for a match in the database where username equals the username entered and the password equals the one entered, if one of them doesn't match then login fails. Like:

```
"SELECT id FROM users WHERE username = '$username' AND password = '$password'"
```

if a match was not found then user can't login.

PS: it's better you'll use md5 hashed passwords to protect your users' privacy.

lingo5 (Author), posted May 3, 2010:

Thanks shedokan, but I already have that. What I need is to redirect each user to his page when logged in.

shedokan, posted May 4, 2010:

oh... what do you mean by "his data"? the data that he inserted or data he can view with his role? like:

- admin can view all data
- moderators can only view some data and only delete some data
- normal users can delete only their own data

etc.

ignace, posted May 4, 2010:

> PS: it's better you'll use md5 hashed passwords to protect your users' privacy.

You ever heard of a rainbow table? You should not only hash it but also salt it, like:

```
md5( concat( password_salt, md5( '$password' ) ) )
```

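The salting point raised above, as an added example that is not code from any poster in this thread: two users with the same password end up with different stored hashes because each gets its own random salt. It uses PHP's built-in `password_hash()`/`password_verify()` rather than the md5 construction in the post, and the `users` table follows the one sketched earlier in the thread; the function names and the in-memory SQLite database are assumptions made so the block runs on its own.

```php
<?php
// Added example. Constructed data: an in-memory SQLite "users" table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// Hypothetical helper: store a new user with a salted hash.
function register_user(PDO $db, string $username, string $password): void
{
    // password_hash() draws a random salt per call and embeds it in the result.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Hypothetical helper: return the user's id on success, null on failure.
function check_login(PDO $db, string $username, string $password): ?int
{
    // Look the row up by username only; the password never enters the SQL.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() re-reads the salt stored inside the hash string.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

register_user($db, 'user1', 'same-password');
register_user($db, 'user2', 'same-password');

// Identical passwords, different stored values: one precomputed table
// cannot cover both rows.
$hashes = $db->query('SELECT password FROM users ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]);
var_dump(check_login($db, 'user1', 'same-password'));
var_dump(check_login($db, 'user1', 'wrong-password'));
```
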
lingo5 (Author), posted May 4, 2010:

Hi shedokan, at the moment the admin can access everybody's records and add, delete and edit them. I would like each user to access a page that contains only the record that belongs to him.

lingo5 (Author), posted May 4, 2010:

This is the code I use at the moment:

```php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['user'])) {
  $loginUsername=$_POST['user'];
  $password=$_POST['password'];
  $MM_redirectLoginSuccess = "PC_main.php";
  $MM_redirectLoginFailed = "index.php?failed=true";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_amat_connect, $amat_connect);

  $LoginRS__query=sprintf("SELECT usuariologin, usuariopassword FROM t_usuarios WHERE usuariologin=%s AND usuariopassword=%s",
    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));

  $LoginRS = mysql_query($LoginRS__query, $amat_connect) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
    $loginStrGroup = mysql_result($LoginRS,0);

    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
```

shedokan, posted May 4, 2010:

> Hi shedokan, at the moment the admin can access everybody's records and add, delete and edit them. I would like each user to access a page that contains only the record that belongs to him.

You can store a unique ID for each user and when they enter a page you check whose user id the page is.

- if it's an admin allow him to access all pages
- if it's a normal user check if his user id matches the one of the page.

like if you have profile.php?uid=18 then you check if the current logged in user has an id of 18.

lingo5 (Author), posted May 4, 2010:

Thanks again shedokan, but I don't know how to do that. Could you give me a code example based on mine? How would I show a user its record only?

shedokan, posted May 4, 2010:

it depends on your records, for example if you save a record as a row in the database then you can add a column with the user's id, like you have an address table:

| firstname | lastname |
| --- | --- |
| Joe | Something |
| Jay | Family |

Then you can add a column that says the id of the user like:

| uid | firstname | lastname |
| --- | --- | --- |
| 1 | Joe | Something |
| 2 | Jay | Family |

And then you know that Joe Something belongs to the user with the ID of 1 and in your user's table you have:

| id | username | password |
| --- | --- | --- |
| 1 | user1 | ******* |
| 2 | user2 | ******* |

So when a user gets logged in you save the user's id in the session or cookie, and when a user tries to access an address you check the uid of the address, like if user1 tries to access "Joe Family" you don't allow him because the uid on Joe Family is 2 and user1 has an id of 1.

Did that help you?

lingo5 (Author), posted May 4, 2010:

Yes shedokan, that helps a lot. The next problem is how do I save the user id in a session?

shedokan, posted May 5, 2010:

> Yes shedokan, that helps a lot. The next problem is how do I save the user id in a session?

That depends on your login system, after the user logs in how do you keep him logged in? I mean once that the user logs in and you send him to another page how do you know he's already logged in and you don't have to send him to the login page?

lingo5 (Author), posted May 5, 2010:

Hi shedokan, this is the code I use to login the users:

```php
<?php
if (!isset($_SESSION)) {
  session_start();
}
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = False;

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session variable is blank.
  if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
    // Parse the strings into arrays.
    $arrUsers = Explode(",", $strUsers);
    $arrGroups = Explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    }
    // Or, you may restrict access to only certain users based on their username.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    }
    if (($strUsers == "") && true) {
      $isValid = true;
    }
  }
  return $isValid;
}

$MM_restrictGoTo = "index.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
    $MM_referrer .= "?" . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo);
  exit;
}
?>
```

lingo5 (Author), posted May 7, 2010:

I need help with this please. This is the script I use to log users in. I need to redirect them to their personal URL on success, but when I try that the script fails and I get a blank screen. Please see the line of code that gives an error when I modify it.

```php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['user'])) {
  $loginUsername=$_POST['user'];
  $password=$_POST['password'];
  $MM_redirectLoginSuccess = "PC_main.php"; /* I tried to add this ?id_E=<?php echo $row_Login['id_E']; ?> and the script fails */
  $MM_redirectLoginFailed = "index.php?failed=true";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_amat_connect, $amat_connect);

  $LoginRS__query=sprintf("SELECT usuariologin, usuariopassword, id_E FROM t_usuarios WHERE usuariologin=%s AND usuariopassword=%s",
    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));

  $LoginRS = mysql_query($LoginRS__query, $amat_connect) or die(mysql_error());
```

shedokan, posted May 7, 2010:

To add something to a php string you don't use echo you do:

```php
$MM_redirectLoginSuccess = "PC_main.php?id_E=".$row_Login['id_E'];
```

the dot adds two strings together.

lingo5 (Author), posted May 7, 2010:

Thanks Shedokan. I have added

```php
$MM_redirectLoginSuccess = "PC_asociados_update.php?id_E=".$LoginRS['id_E'];
```

now and the script works but the variable id_E is not passed to the next page. My idea is to pass the id_E variable to the user update page, so that when a user logs in it goes straight to the update page that belongs to it. Do I make sense?

shedokan, posted May 7, 2010:

The problem is that you don't save the user's id or anything in the session, so people that are not logged in can view all pages. So that user can change the page from PC_asociados_update.php?id_E=1 to PC_asociados_update.php?id_E=2 manually and you will allow him. You need to save the user's id, username and password in the session and at the load of each page check it in the database.

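The ownership check described in this thread (an owner uid on each row, the logged-in user's id kept in the session, the two compared on every page load), as an added example that is not code from any poster. It uses the address table from the earlier post as constructed data; the function names and session keys are assumptions, and a plain array stands in for `$_SESSION` so the block runs from the command line.

```php
<?php
// Added example. Constructed data: the address table from the thread,
// with the uid column recording which user owns each row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE address (uid INTEGER, firstname TEXT, lastname TEXT)');
$db->exec("INSERT INTO address VALUES (1, 'Joe', 'Something'), (2, 'Jay', 'Family')");

// Hypothetical helper: call once, right after the password check succeeds.
function remember_login(array &$session, int $userId, bool $isAdmin): void
{
    $session['user_id']  = $userId;   // assumed session key
    $session['is_admin'] = $isAdmin;  // assumed session key
}

// Hypothetical helper: call at the top of every protected page.
// $requestedUid is the value from the URL (e.g. ?uid=18); it is only a
// request for a record, never proof of who is asking.
function load_address(PDO $db, array $session, $requestedUid): ?array
{
    if (!isset($session['user_id'])) {
        return null;                              // not logged in
    }
    $uid = filter_var($requestedUid, FILTER_VALIDATE_INT);
    if ($uid === false) {
        return null;                              // malformed id
    }
    if (empty($session['is_admin']) && $uid !== $session['user_id']) {
        return null;                              // someone else's record
    }
    $stmt = $db->prepare('SELECT uid, firstname, lastname FROM address WHERE uid = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$session = [];                                // stands in for $_SESSION
var_dump(load_address($db, $session, '1'));   // visitor who never logged in
remember_login($session, 1, false);
var_dump(load_address($db, $session, '1'));   // user 1 asks for own record
var_dump(load_address($db, $session, '2'));   // user 1 edits the URL to uid=2
```

On a real page the calls would receive `$_SESSION` and the URL parameter, with a redirect to the login page whenever `null` comes back. Calling `session_regenerate_id(true)` at login gives the authenticated session a fresh id.
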
lingo5 (Author), posted May 7, 2010:

OK I see. I don't know how to do that. Could you please help? I'm really stuck with this. Thanks for your help

shedokan, posted May 8, 2010:

This has turned to be more than application design thread, ask for help in the help forum. you can also try some different tutorials on user login systems in php.

I'm sorry I can't help you here.

Tohou, posted May 8, 2010:

Read most of the replies here, as it seems people are really using weird methods when it comes to multi-user login/user stuff, instead of adding on to this weird stuff, You should write your own class. It's pretty simple

- DB: username, password, time, session, logged, ip
- on login set unique session id and ip
- set session code to cookie and DB, set ip to DB
- on page view, check cookies, match session and users ip with DB entry
- set particular $_SESSION ie: $_SESSION['user_logged'] to true and $_SESSION['username'] to Cookie value
- if $_SESSION['user_logged'] allow access
- Use $_SESSION['username'] to determine users actual username.

Pretty simple. If sessions aren't cool set them with class functions ie:

```php
class system {
    function loaditbish($user,$logged) {
        $this->logged = $logged;
        $this->user = $user;
    }
}

$sys = new system;
$sys->loaditbish($user,$logged);

if ($sys->logged == true) echo 'Happy crazy fun time';
```

shedokan, posted May 8, 2010:

> Read most of the replies here, as it seems people are really using weird methods when it comes to multi-user login/user stuff, instead of adding on to this weird stuff, You should write your own class. It's pretty simple
>
> - DB: username, password, time, session, logged, ip
> - on login set unique session id and ip
> - set session code to cookie and DB, set ip to DB
> - on page view, check cookies, match session and users ip with DB entry
> - set particular $_SESSION ie: $_SESSION['user_logged'] to true and $_SESSION['username'] to Cookie value
> - if $_SESSION['user_logged'] allow access
> - Use $_SESSION['username'] to determine users actual username.
>
> Pretty simple. If sessions aren't cool set them with class functions ie:
>
> ```php
> class system {
>     function loaditbish($user,$logged) {
>         $this->logged = $logged;
>         $this->user = $user;
>     }
> }
>
> $sys = new system;
> $sys->loaditbish($user,$logged);
>
> if ($sys->logged == true) echo 'Happy crazy fun time';
> ```

what if someone hacked into someone's account and the real account owner changed the password? the account will be still logged in. He should check if the username and password are valid for each page.