paddyhaig
Posted May 31, 2010

Here is my pertinent authentication page information:

```html
<form action="scripts/authenticate/auth.php" method="POST">
Account: <input name="account" type="text" id="account" value="inter-nation-house">
Username: <input name="username" type="text" id="username" size="20">
Password: <input name="password" type="password" id="password" size="20">
<input type="image" src="graphics/general/login_button.jpg" onClick="document.submit();">
</form>
```

Here is the authentication script used by above:

```php
<?php
if (isset($_POST['username']) && isset($_POST['password'])) {
    $db = mysql_connect('localhost', 'example', 'example')
        or die("Couldn't connect to the database<br>" . mysql_error());
    mysql_select_db('example', $db)
        or die("Couldn't select<br>" . mysql_error());

    $login = mysql_real_escape_string($_POST['username'], $db);
    $password = mysql_real_escape_string($_POST['password'], $db);

    $query = "SELECT privilege FROM auth WHERE login = '$login' AND password = '$password'";
    $result = mysql_query($query, $db)
        or die("Problem with the query: $query<br>" . mysql_error());

    // No matching row: send the user back to the login page
    if (0 == mysql_num_rows($result)) {
        header('Location: ../../index.php');
        exit(0);
    }

    $row = mysql_fetch_assoc($result);
    $privilege = $row['privilege'];

    session_start();
    $_SESSION['username'] = $login;
    $_SESSION['privilege'] = $privilege;

    // Redirect to the area that matches the stored privilege
    if ('receptionist' === $privilege) {
        header('Location: ../../receptionists/index.php');
        exit(0);
    }
    if ('manager' === $privilege) {
        header('Location: ../../managers/index.php');
        exit(0);
    }
    if ('administrator' === $privilege) {
        header('Location: ../../admin/index.php');
        exit(0);
    }
}
?>
```

Here is what I am including above the head of all the pages I wish to secure. It was working fine until I added this to the beginning of each page:

```php
<?php
session_start();
if (! isset($_SESSION['privilege'])) { // privilege?
    // redirect to your login page
    header("Location: ../index.php");
    exit;
} else {
    // check to make sure the privilege is correct for this page
    // modify as needed
    if ($_SESSION['privilege'] != 'privilege') {
        die('You do not have the privilege to access this page.');
    }
}
?>
```

Here is my cookie information:

Name: PHPSESSID
Value: 0i14qiuf33cma8oucoohb52mh5
Host: localhost
Path: /
Secure: No
Expires: At End Of Session

Please see attached db schema if needed.

Here is the error I am still getting (it simply just won't let me in):

You do not have the privilege to access this page.

Despite the fact that I am entering the correct information.

[attachment deleted by admin]

riwan
Posted May 31, 2010

This code here causes the error:

```php
if ($_SESSION['privilege'] != 'privilege') {
    die('You do not have the privilege to access this page.');
}
```

You're trying to compare the value of $_SESSION['privilege'] (receptionist, manager, administrator) with the string 'privilege'. The condition will always be true as the value is not the same as the string 'privilege'.

paddyhaig (Author)
Posted May 31, 2010

Would you know how I might fix this? This was suggested to me by another phpfreaks user.

riwan
Posted May 31, 2010

Try something like this:

```php
if (in_array($_SESSION['privilege'], array("receptionist", "manager", "administrator")) == 0) {
    die('You do not have the privilege to access this page.');
}
```
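
The per-page check discussed in this thread, as an added example that is not code from any poster: each protected page passes only the roles allowed on that page, and the comparison is strict. The function names `check_privilege` and `require_privilege` are hypothetical, and the page-to-role mapping is assumed from the redirects in the posted auth.php.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Decide what a protected page should do with the given session data:
// 'login' (no privilege stored), 'deny' (role not on this page's list), 'allow'.
function check_privilege(array $session, array $allowedRoles): string
{
    if (!isset($session['privilege'])) {
        return 'login';
    }
    // Strict match against this page's own list, not against every known role.
    return in_array($session['privilege'], $allowedRoles, true) ? 'allow' : 'deny';
}

// Call at the top of a protected page, before any output is sent.
function require_privilege(array $allowedRoles): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $decision = check_privilege($_SESSION, $allowedRoles);
    if ($decision === 'login') {
        header('Location: ../index.php'); // login page path used in the thread
        exit;
    }
    if ($decision === 'deny') {
        http_response_code(403);
        die('You do not have the privilege to access this page.');
    }
}

// Page-to-role mapping assumed from the redirects in auth.php:
//   admin/index.php          require_privilege(['administrator']);
//   managers/index.php       require_privilege(['manager']);
//   receptionists/index.php  require_privilege(['receptionist']);

// Constructed session data, run from the command line to see each outcome.
if (PHP_SAPI === 'cli') {
    $adminPage = ['administrator'];
    $samples = [
        'no session'    => [],
        'receptionist'  => ['privilege' => 'receptionist'],
        'administrator' => ['privilege' => 'administrator'],
    ];
    foreach ($samples as $label => $session) {
        echo $label, ' -> ', check_privilege($session, $adminPage), PHP_EOL;
    }
}
```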