PHP mySQL authentication problems and issues...


paddyhaig


What I have, and what I am trying to achieve.

 

I have a web app that I created, and that seemed to work, about 7 years ago.

However, I rebuilt the app using CSS, as it had been using HTML tables prior.

And now it seems that I have some kind of problem locking an authenticated user into his own account. If you manually alter the URL, you can now get into the other account folders. (This I obviously don't want.)

 

I have a regular 'index.php' form. Here is the relevant code in that form.

 

<form action="scripts/authenticate/auth.php" method="POST">
Account:
          <input name="account" type="text" id="account" value="info@example.com" size="20">
Username:
          <input name="username" type="text" id="username" size="20">
Password:
          <input name="password" type="password" id="password" size="20">
          <input type="submit" value="Log in">
</form>

 

Here is the auth.php script

 

<?php
if (isset($_POST['username']) && isset($_POST['password'])) {
  // The mysql_* extension is deprecated since PHP 5.5 and removed in PHP 7; kept here as posted.
  $db = mysql_connect('localhost', 'example', 'example') or die("Couldn't connect to the database<br>" . mysql_error());
  mysql_select_db('example', $db) or die("Couldn't select<br>" . mysql_error());

  // Escaped for use inside the SQL string; the 'account' field posted by the form is not used here.
  $login = mysql_real_escape_string($_POST['username'], $db);
  $password = mysql_real_escape_string($_POST['password'], $db);

  // The submitted password is compared with the stored value as-is, so the auth table holds it in clear text.
  $query = "SELECT privilage FROM auth WHERE login = '$login' AND password = '$password'";
  $result = mysql_query($query, $db) or die("Problem with the query: $query<br>" . mysql_error());
  if (0 === mysql_num_rows($result)) {
    header('Location: ../../index.php');
    exit(0);
  }

  $row = mysql_fetch_assoc($result);
  $privilage = $row['privilage'];

  // Must run before any output is sent; a fresh id stops a session fixed before login from being reused.
  session_start();
  session_regenerate_id(true);
  $_SESSION['username'] = $login;
  $_SESSION['privilage'] = $privilage;

  if ('receptionist' === $privilage) {
    header('Location: ../../receptionists/index.php');
    exit(0);
  }

  if ('manager' === $privilage) {
    header('Location: ../../managers/index.php');
    exit(0);
  }

  if ('administrator' === $privilage) {
    header('Location: ../../admin/index.php');
    exit(0);
  }

  // Any other privilege value: back to the login form rather than a blank page.
  header('Location: ../../index.php');
  exit(0);
}
?>

 

This seems to create a cookie in my browser, here are the cookie details.

 

Name PHPSESSID

Value p2r4il0jeadghdoa7h4hb7uku5

Host www.example.com

Path /

Secure No

Expires At End Of Session

 

There really is nothing else in the pages. I do believe I should have something starting with:

session_start();

at the top of every page, so as to check the cookie?

 

I have also included a graphic of my mySQL db schema.

Please see attached: schema.jpg

 

There have been a number of suggestions that I have tried that do not seem to work.

Please anyone with a good knowledge of this area please help me. I am almost at my wits end. Thank you.

 

Also, if you're going to reply, please keep it easy as this is just a part-time hobby to me.

 

[attachment deleted by admin]

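The login script above compares a clear-text password inside a hand-built SQL string and never refreshes the session id. As an added example (not the poster's code), here is the same auth.php written with PDO prepared statements, hashed passwords and session_regenerate_id(); it assumes the auth table gains a password_hash column holding password_hash() output (the original schema keeps the raw value in password) and reuses the database name and credentials from the post.

```php
<?php
// Added example, not the original poster's auth.php.
// Assumes: table auth(login, privilage, password_hash), where password_hash
// stores the output of password_hash(); credentials as in the original post.
declare(strict_types=1);
session_start();   // before any output, so the Set-Cookie header can still be sent

if (!isset($_POST['username'], $_POST['password'])) {
    header('Location: ../../index.php');
    exit;
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=example;charset=utf8mb4',
    'example',
    'example',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// Parameterised query: the submitted login never becomes part of the SQL text.
$stmt = $pdo->prepare('SELECT privilage, password_hash FROM auth WHERE login = :login');
$stmt->execute([':login' => $_POST['username']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// A missing user and a wrong password fail the same way; the hash is never echoed.
if ($row === false || !password_verify($_POST['password'], $row['password_hash'])) {
    header('Location: ../../index.php');
    exit;
}

// Fresh session id at the privilege boundary defends against session fixation.
session_regenerate_id(true);
$_SESSION['username']  = $_POST['username'];
$_SESSION['privilage'] = $row['privilage'];

// Same landing pages as the original script; unknown values fail closed.
$landing = [
    'receptionist'  => '../../receptionists/index.php',
    'manager'       => '../../managers/index.php',
    'administrator' => '../../admin/index.php',
];
header('Location: ' . ($landing[$row['privilage']] ?? '../../index.php'));
exit;
```

Existing rows can be migrated once by storing password_hash($plain, PASSWORD_DEFAULT) in the new column and then dropping the clear-text one.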

Thank you andrewgauger, although I am not altogether sure what you are saying; that's probably more my fault than yours. Are you saying that I should put ob_start() at the top of every page? Just ob_start()?

You must excuse me as I really am new to this.


Thanks andrewgauger! So at the very top of every page I should put an ob_start()

 

e.g.

 

<!-- This is the beginning of the authentication addition -->
<?php ob_start(); ?>
<!-- This is the end of the authentication addition -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Concierge Admin Index</title>
<link href="../includes/primary_layout.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="wrapper">
<div id="large-blue-box">
<div id="form1">

<!-- <?php include("../includes/footer.inc"); ?> I would like to make all the below code an include -->

  <p><img src="../graphics/general/ai_banner.gif" alt="" width="180" height="28" /></p>
  <p><a href="concierge-setup.php"><img src="../graphics/general/concierge-setup_button.gif" width="180" height="28" /></a></p>
  <p><a href="accommodation.php"><img src="../graphics/general/accomodate_button.gif" width="180" height="28" /></a></p>
  <p><a href="general-log.php"><img src="../graphics/general/gen-log_button.gif" width="180" height="28" /></a></p>
  <p><a href="../index.php"><img src="../graphics/general/lo_button.gif" alt="" width="180" height="28" /></a></p>
</div>
<div id="form2">
  <p><img src="../graphics/general/man_index_banner.gif" width="180" height="28" /></p>
  <p><a href="staff_management.php"><img src="../graphics/general/sm_button.gif" width="180" height="28" /></a></p>
<p><a href="bed_management.php"><img src="../graphics/general/bm_button.gif" width="180" height="28" /></a></p>
<p><a href="audit_system.php"><img src="../graphics/general/as_button.gif" width="180" height="28" /></a></p>
<p><a href="shift_summary.php"><img src="../graphics/general/shift-summary_button.gif" width="180" height="28" /></a></p>
</div>
<div id="form3">
  <p><img src="../graphics/general/recep_banner.gif" width="180" height="28" /></p>
  <p><a href="check-in-out_index.php"><img src="../graphics/general/check-inout_button.gif" width="180" height="28" /></a></p>
<p><a href="delinquent_payments.php"><img src="../graphics/general/delinquent-payments_button.gif" width="180" height="28" /></a></p>
  <p><a href="reservations.php"><img src="../graphics/general/reservations_button.gif" width="180" height="28" /></a></p>
  <p><a href="misc_index.php"><img src="../graphics/general/miscellaneous_button.gif" width="180" height="28" /></a></p>
</div>
</div>
<?php include("../includes/footer.inc"); ?>
</div>
</body>
</html>

 

andrewgauger

Yeah at the top, and then put an

ob_end_flush between your header() and exit() functions

 

I don't have a header and exit function. Please see above.

 

 

 

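Neither the first post's guess (a bare session_start() on every page) nor the ob_start() tried above actually checks who is viewing a page: what stops URL-walking into managers/ or admin/ is a guard, run before any HTML, that starts the session and compares the stored privilege with the one the directory requires. The following is an added example (not code from the thread); it assumes a file includes/require_role.php, that auth.php stored $_SESSION['privilage'] as shown in the first post, and that the directory names match the folders auth.php redirects to.

```php
<?php
// Added example: includes/require_role.php (assumed path, not from the thread).
// Include it as the very first line of every protected page, before any output,
// so the redirect headers below can still be sent.

// Which privilege may view each protected directory.
// Assumption: the folders match the redirect targets in auth.php.
const ROLE_FOR_DIR = [
    'receptionists' => 'receptionist',
    'managers'      => 'manager',
    'admin'         => 'administrator',
];

// Refuse the request unless the session carries exactly the required privilege.
function require_role(string $required): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();   // resumes the PHPSESSID session set by auth.php
    }
    $actual = $_SESSION['privilage'] ?? null;
    // Not logged in, or logged in with a different role: send to the login form.
    if ($actual === null || $actual !== $required) {
        header('Location: /index.php', true, 302);
        exit;
    }
}

// Derive the required role from the directory of the calling script, so the
// same include protects managers/index.php, admin/index.php and so on.
function require_role_for_dir(string $scriptPath): void
{
    $dir = basename(dirname($scriptPath));
    if (!isset(ROLE_FOR_DIR[$dir])) {
        // A directory not in the map fails closed instead of being served.
        header('Location: /index.php', true, 302);
        exit;
    }
    require_role(ROLE_FOR_DIR[$dir]);
}
```

Each protected page then starts with `<?php require __DIR__ . '/../includes/require_role.php'; require_role_for_dir(__FILE__); ?>` placed before `<!DOCTYPE html>`; because the guard runs before any output, the "headers already sent" problem that ob_start()/ob_end_flush() were meant to work around does not arise.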
