paddyhaig Posted May 31, 2010 Share Posted May 31, 2010 Here is my pertinent authentication page information: <form action="scripts/authenticate/auth.php" method="POST"> Account: <input name="account" type="text" id="account" value="inter-nation-house" Username: <input name="username" type="text" id="username" size="20"> Password: <input name="password" type="password" id="password" size="20"> <input type="image" src="graphics/general/login_button.jpg" onClick="document.submit();> Here is the authentication script used by above: <?php if (isset($_POST['username']) && isset($_POST['password'])) { $db = mysql_connect('localhost', 'example', 'example') or die("Couldn't connect to the database<br>" . mysql_error()); mysql_select_db('example', $db) or die("Couldn't select<br>" . mysql_error()); $login = mysql_real_escape_string($_POST['username'], $db); $password = mysql_real_escape_string($_POST['password'], $db); $query = "SELECT privilege FROM auth WHERE login = '$login' AND password = '$password'"; $result = mysql_query($query, $db) or die("Problem with the query: $query<br>" . mysql_error()); if (0 == mysql_num_rows($result)) { header('Location: ../../index.php'); exit(0); } $row = mysql_fetch_assoc($result); $privilege = $row['privilege']; session_start(); $_SESSION['username'] = $login; $_SESSION['privilege'] = $privilege; if ('receptionist' === $privilege) { header('Location: ../../receptionists/index.php'); exit(0); } if ('manager' === $privilege) { header('Location: ../../managers/index.php'); exit(0); } if ('administrator' === $privilege) { header('Location: ../../admin/index.php'); exit(0); } } ?> Here is what I am including above the head of all the pages I wish to secure: It was working fine until I added this to the beginning of each page. <?php session_start(); if (! isset($_SESSION['privilege'])) { // privilege? // redirect to your login page header("Location: ../index.php"); exit; } else { // check to make sure the privilege is correct for this page // modify as needed if ($_SESSION['privilege'] != 'privilege') { die('You do not have the privilege to access this page.'); } } ?> Here is my cookie information: Name PHPSESSID Value 0i14qiuf33cma8oucoohb52mh5 Host localhost Path / Secure No Expires At End Of Session Please see attached db schema if needed. Here is the error I am still getting: (It simply just wont let me in) You do not have the privilege to access this page. Despite the fact that I am entering the correct information. [attachment deleted by admin] Quote Link to comment Share on other sites More sharing options...
riwan Posted May 31, 2010 Share Posted May 31, 2010 This code here cause the error if ($_SESSION['privilege'] != 'privilege') { die('You do not have the privilege to access this page.'); } You're trying to compare the value of $_SESSION['privilege'] (receptionist, manager, administrator) with the string 'privilege'. The condition will always be true as the value is not the same as the string 'privilege' Quote Link to comment Share on other sites More sharing options...
paddyhaig Posted May 31, 2010 Author Share Posted May 31, 2010 Would you know how I might fix this? This was suggested to me bye another phpfreaks user? Quote Link to comment Share on other sites More sharing options...
riwan Posted May 31, 2010 Share Posted May 31, 2010 try sth like this if ( in_array($_SESSION['privilege'],array("receptionist", "manager", "administrator"))==0) { die('You do not have the privilege to access this page.'); } Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.