paddyhaig Posted May 18, 2010 Share Posted May 18, 2010 I have a php mySQL authentication script setup, that should allow different users to go into different directory's. The problem is users just by manipulating the URL can hop directory's. I want to be able to lock users into their respective directory. I believe this can be done with session cookies, however I am a bit lost. Any help greatly appreciated. Here's a copy of my authentication script: <php> <?php if (isset($_POST['username']) && isset($_POST['password'])) { $db = mysql_connect('localhost', 'example', 'example') or die("Couldn't connect to the database<br>" . mysql_error()); mysql_select_db('example', $db) or die("Couldn't select<br>" . mysql_error()); $login = mysql_real_escape_string($_POST['username'], $db); $password = mysql_real_escape_string($_POST['password'], $db); $query = "SELECT privilage FROM auth WHERE login = '$login' AND password = '$password'"; $result = mysql_query($query, $db) or die("Problem with the query: $query<br>" . mysql_error()); if (0 === mysql_num_rows($result)) { header('Location: ../../index.php'); exit(0); } $row = mysql_fetch_assoc($result); $privilage = $row['privilage']; session_start(); $_SESSION['username'] = $login; $_SESSION['privilage'] = $privilage; if ('receptionist' === $privilage) { header('Location: ../../receptionists/index.php'); exit(0); } if ('manager' === $privilage) { header('Location: ../../managers/index.php'); exit(0); } if ('administrator' === $privilage) { header('Location: ../../admin/index.php'); exit(0); } } ?> Quote Link to comment Share on other sites More sharing options...
DavidAM Posted May 19, 2010 Share Posted May 19, 2010 At the top of each page, just test the privilege value and if they are not in that directory, send them where they belong: session_start(); if (! isset$_SESSION['privilage'])) { // User not logged in header('Location: ../../index.php'); exit(0); } $privilage = $_SESSION['privilage']; if ($privilage != 'receptionist') { // or what ever directory this page is in if ('receptionist' === $privilage) { header('Location: ../../receptionists/index.php'); exit(0); } if ('manager' === $privilage) { header('Location: ../../managers/index.php'); exit(0); } if ('administrator' === $privilage) { header('Location: ../../admin/index.php'); exit(0); } } of course, if you change the system so the privilage and directory names are the same, you can simplify that: session_start(); if (! isset$_SESSION['privilage'])) { // User not logged in header('Location: ../../index.php'); exit(0); } $privilage = $_SESSION['privilage']; if ($privilage != basename(dirname(__FILE__))) { $rdir = '../../' . $privalage . '/index.php'; header('Location: ' . $rdir); exit(0); } By the way, put your code in code tags when you post, it makes it easier to read. Disclaimer: This code is untested and offered as an example. Quote Link to comment Share on other sites More sharing options...
paddyhaig Posted May 19, 2010 Author Share Posted May 19, 2010 Mmmm. what do you mean <at the top of each page>? At the very top? You mean line 1. above the <html><head> Also, how could I change the names of the folders? I am happy to do this if it makes things easier. Also I tried to put my code in tag's and it didn't seem to work. How do you do this exactly? Sorry for my ignorance I am pretty new to this. I just figured out in the last couple of day's how to use css div tags for placement. Thanks in advance for any help offered. Quote Link to comment Share on other sites More sharing options...
paddyhaig Posted May 19, 2010 Author Share Posted May 19, 2010 I tried both pieces of code just about everywhere, above the <html> above the <head> above the <body> in the <head> in the <body> always the same thing: Parse error: parse error, expecting `'('' in .... Path to do web doc Quote Link to comment Share on other sites More sharing options...
DavidAM Posted May 19, 2010 Share Posted May 19, 2010 Oops, there is an extra parenthesis in the first if statement. // This Line if (! isset$_SESSION['privilage'])) { // User not logged in // Should actually be if (! isset$_SESSION['privilage']) { // User not logged in There may be other syntax errors, I just typed that in the post to give you an idea of how it could work. The session_start() function has to called before ANY output to the browser, so yes it has to go before the <HTML><HEAD> code. Are these other pages PHP or just plain HTML? If they are HTML, you're going to be adding PHP into them, so they will probably have to be renamed from page_name.html to page_name.php Renaming the folders on the server will depend on how you access it. If it is a Linux server and you have command line access, the command is mv oldname newname. If it is a hosted server, you probably access through a control panel which should have a command somewhere to manipulate files and folders. You will also need to review your code, and make sure you change any references between pages: for instance <A href="../../receptionists/phonelist.php">View Phone List</A> in the manager's section may have to change. It might be easier to change your privilege names to match your existing folder names. As for the code tags; when you are posting a message, there are a series for formatting buttons above the edit box. One of them has a hash-mark (#) on it and next to it is one with PHP on it. The # button inserts code tags {code}{/code} (but with square brackets [] not curly) The PHP button inserts php tags {php}{/php} (but with square brackets [] not curly) everything between the open and closing tag is rendered as code, looks pretty and is much easier to read. Quote Link to comment Share on other sites More sharing options...
paddyhaig Posted May 19, 2010 Author Share Posted May 19, 2010 Thank you for you help however I changed // This Line if (! isset$_SESSION['privilage'])) { // User not logged in // Should actually be if (! isset$_SESSION['privilage']) { // User not logged in and still seem to get an error PHP Parse error: parse error, expecting `'('' in The document is a php document 'index.php' And I tried wrapping the code in php tags and without php tags as an experiment <?php session_start(); if (! isset$_SESSION['privilage']) { // User not logged in header('Location: ../index.php'); exit(0); } $privilage = $_SESSION['privilage']; if ($privilage != 'receptionist') { // or what ever directory this page is in if ('receptionist' === $privilage) { header('Location: ../receptionists/index.php'); exit(0); } if ('manager' === $privilage) { header('Location: ../managers/index.php'); exit(0); } if ('administrator' === $privilage) { header('Location: ../admin/index.php'); exit(0); } } ?> Quote Link to comment Share on other sites More sharing options...
DavidAM Posted May 19, 2010 Share Posted May 19, 2010 Ok, I'm an idiot ... well, maybe not an idiot, but that parenthesis we took out, should have been there, we were just missing the openning paren on the isset() function. // This line if (! isset$_SESSION['privilage']) { // User not logged in //Should be if (! isset($_SESSION['privilage'])) { // User not logged in by the way, for future reference, post the full error message; or at least the line number from the end of the message, and maybe the filename (near the end). If we are looking at a long piece of code, the line number helps us figure out where to start looking for the problem. Oh, and yeah, this is php code, so it will have to be in php tags ( <?php ... ?>) Quote Link to comment Share on other sites More sharing options...
.Stealth Posted May 19, 2010 Share Posted May 19, 2010 Why so many ===? You only use 2 to check it matches. Quote Link to comment Share on other sites More sharing options...
paddyhaig Posted May 19, 2010 Author Share Posted May 19, 2010 It's kinda working, the URL of the page I want to go to is coming up in the address bar. But the page is not coming up. (The same page I am trying to get to via the authentication dialog I have embedded the included php code into the head of) This is all getting rather convoluted. Is the an easy way to embed a little code in each page that I want a registered user to be able to visit. Those who did not log in with the correct credentials cannot see these pages. I am trying to create a hierarchical login/authentication system that uses mySQL on the backend for user/password approval. Certain users with certain privileges can only see certain documents. The system I had, did work at some point many years ago, however it is now broken. <?php session_start(); if (! isset($_SESSION['privilage'])) { // User not logged in header('Location: ../index.php'); exit(0); } $privilage = $_SESSION['privilage']; if ($privilage != 'receptionist') { // or what ever directory this page is in if ('receptionist' === $privilage) { header('Location: ../receptionists/index.php'); exit(0); } if ('manager' === $privilage) { header('Location: ../managers/index.php'); exit(0); } if ('administrator' === $privilage) { header('Location: ../admin/index.php'); exit(0); } } ?> Quote Link to comment Share on other sites More sharing options...
DavidAM Posted May 19, 2010 Share Posted May 19, 2010 A blank page usually indicates that the HTML is screwed up or not being output. Post the code of the page that is producing this problem, all of it (at least through the first few lines after the BODY tag). Also, when you get this blank page in your browser, use the "View Source" feature of the browser to see what HTML is actually being sent. That might point you to the problem. Quote Link to comment Share on other sites More sharing options...
paddyhaig Posted May 19, 2010 Author Share Posted May 19, 2010 Here's a copy of my present authentication form: index.php <html> <head> <meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <title>Login</title> <link href="includes/primary_layout.css" rel="stylesheet" type="text/css" /> <!--[if IE]><style type="text/css">body { text-align: center; } #small-blue-box { text-align: left; }</style><![endif]--> <link href="../includes/primary_layout.css" rel="stylesheet" type="text/css" /> </head> <body onLoad="document.getElementById('account').focus()"> <div id="text"> <div id="wrapper"> <div id="small-blue-box"> <div id="form0"> <form action="scripts/authenticate/auth.php" method="POST"> <!-- This is the beggining of the authentication addition --> <!-- This is the end of the authentication addition --> <div> <div align="center"><img src="graphics/general/concierge_banner.gif" width="180" height="28">Account: <input name="account" type="text" id="account" value="info@example.com" size="20"> </div> </div> <div> <div align="center">Username: <input name="username" type="text" id="username" size="20"> </div> </div> <div> <label for="password"> <div align="center">Password: <input name="password" type="password" id="password" size="20"> </div> </div> <p align="center"> <input type="image" src="graphics/general/login_button.jpg" onClick="document.submit();> <p> <img src="graphics/general/login_button.jpg" width="150" height="28" alt="login"></p></form> </div> </div> <?php include("includes/footer.inc"); ?> </div> </body> </html> Here's a copy of the auth.php script: Which is called by the above. <?php if (isset($_POST['username']) && isset($_POST['password'])) { $db = mysql_connect('localhost', 'example', 'example') or die("Couldn't connect to the database<br>" . mysql_error()); mysql_select_db('example', $db) or die("Couldn't select<br>" . mysql_error()); $login = mysql_real_escape_string($_POST['username'], $db); $password = mysql_real_escape_string($_POST['password'], $db); $query = "SELECT privilage FROM auth WHERE login = '$login' AND password = '$password'"; $result = mysql_query($query, $db) or die("Problem with the query: $query<br>" . mysql_error()); if (0 === mysql_num_rows($result)) { header('Location: ../../index.php'); exit(0); } $row = mysql_fetch_assoc($result); $privilage = $row['privilage']; session_start(); $_SESSION['username'] = $login; $_SESSION['privilage'] = $privilage; if ('receptionist' === $privilage) { header('Location: ../../receptionists/index.php'); exit(0); } if ('manager' === $privilage) { header('Location: ../../managers/index.php'); exit(0); } if ('administrator' === $privilage) { header('Location: ../../admin/index.php'); exit(0); } } ?> It seems that now I am getting an error in my browser saying: The page isn't redirecting properly Firefox has detected that the server is redirecting the request for this address in a way that will never complete. * This problem can sometimes be caused by disabling or refusing to accept cookies. This is my present cookie information: * about:neterror?e=redirectLoop&u=http%3A//localhost/concierge/admin/index.php&c=UTF-8&d=Firefox%20has%20detected%20that%20the%20server%20is%20redirecting%20the%20request%20for%20this%20address%20in%20a%20way%20that%20will%20never%20complete. 1 cookie Name PHPSESSID Value p2r4il0jeadghdoa7h4hb7uku5 Host www.example.com Path / Secure No Expires At End Of Session Yes it looks like it is looping. I have tried everything I can regarding making changes to the path's to no avail. Here is also a pic of my mySQL db schema. See attached: schema.jpg [attachment deleted by admin] Quote Link to comment Share on other sites More sharing options...
DavidAM Posted May 20, 2010 Share Posted May 20, 2010 You are getting that loop when you login? Show the code for the index.php from the directory (privilege) that you a trying to log in to. Quote Link to comment Share on other sites More sharing options...
paddyhaig Posted May 21, 2010 Author Share Posted May 21, 2010 This is the code of just one of the pages that you should log into after the correct authentication details are entered into the initial login form. This is the index.php from the admin folder. The are three other folders that can be logged into depending on the details entered into the initial authentication form. // I believe the should be added something here. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Concierge Admin Index</title> <link href="../includes/primary_layout.css" rel="stylesheet" type="text/css" /> </head> <body> <div id="wrapper"> <div id="large-blue-box"> <div id="form1"> <!-- <?php include("../includes/footer.inc"); ?> I would like to make all the below code an include --> <p><img src="../graphics/general/ai_banner.gif" alt="" width="180" height="28" /></p> <p><a href="concierge-setup.php"><img src="../graphics/general/concierge-setup_button.gif" width="180" height="28" /></a></p> <p><a href="accommodation.php"><img src="../graphics/general/accomodate_button.gif" width="180" height="28" /></a></p> <p><a href="general-log.php"><img src="../graphics/general/gen-log_button.gif" width="180" height="28" /></a></p> <p><a href="../index.php"><img src="../graphics/general/lo_button.gif" alt="" width="180" height="28" /></a></p> </div> <div id="form2"> <p><img src="../graphics/general/man_index_banner.gif" width="180" height="28" /></p> <p><a href="staff_management.php"><img src="../graphics/general/sm_button.gif" width="180" height="28" /></a></p> <p><a href="bed_management.php"><img src="../graphics/general/bm_button.gif" width="180" height="28" /></a></p> <p><a href="audit_system.php"><img src="../graphics/general/as_button.gif" width="180" height="28" /></a></p> <p><a href="shift_summary.php"><img src="../graphics/general/shift-summary_button.gif" width="180" height="28" /></a></p> </div> <div id="form3"> <p><img src="../graphics/general/recep_banner.gif" width="180" height="28" /></p> <p><a href="check-in-out_index.php"><img src="../graphics/general/check-inout_button.gif" width="180" height="28" /></a></p> <p><a href="delinquent_payments.php"><img src="../graphics/general/delinquent-payments_button.gif" width="180" height="28" /></a></p> <p><a href="reservations.php"><img src="../graphics/general/reservations_button.gif" width="180" height="28" /></a></p> <p><a href="misc_index.php"><img src="../graphics/general/miscellaneous_button.gif" width="180" height="28" /></a></p> </div> </div> <?php include("../includes/footer.inc"); ?> </div> </body> </html> Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.