PHP Access Level Control ( Permissions) Help

[mumba]

Hi everyone, am developing an application that has two views 1 for administrator and 1 for staff. Administrator can perform all application tasks and Staff can ONLY perform certain task. I have implemented sessions quite alright and are working. Now the problem is that when I login as Staff and then I change the URL to point to an administrator's page the application is allowing that, How can I prevent that from happening. Staff MUST NOT see administrators pages. Here is my login code, logout code and code am using to protect webpages below.

 

Here is my login code

 

<?php

 

//start the session

session_start();

 

$username=$_POST['username'];

$password=$_POST['password'];

 

$encrypted=md5($password);

 

// set connection to database

 

$hostname="localhost"; // Host name

$mysql_server_username="root"; // Mysql username

$server_password=""; // Mysql password

$db_name="db_inventory"; // Database name

$table = "tbl_users";      // Table name

 

// Connect to server and select database.

mysql_connect("$hostname", "$mysql_server_username", "$server_password")or die("cannot connect to database server");

mysql_select_db("$db_name") or die ("Couldn't select the database.");

 

$admin=("select * from $table where username='$username' AND password='$encrypted' AND type = 'admin'");

$staff=("select * from $table where username='$username' AND password='$encrypted' AND type = 'staff'");

 

//check that at least one row was returned

$adminresult=mysql_query($admin);

$admincount = mysql_num_rows($adminresult);

 

$staffresult=mysql_query($staff);

$staffcount = mysql_num_rows($staffresult);

 

if($admincount> 0){

$_SESSION['valid_user'] = $username ;

header( "Location: main_menu.php" );

}

else if($staffcount> 0){

$_SESSION['valid_user'] = $username ;

header( "Location: staff/main_menu.php" );

}

else

{

 

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>title> | Login</title>

</head>

 

<body bgcolor="#FFFFFF"  background-repeat:no-repeat; background="images/images1.jpg">

<div align="center">

  <table width="800" height="501" border="0" cellpadding="1" cellspacing="1">

    <tr>

      <td height="100"> </td>

    </tr>

    <tr>

      <td height="350">

      <div align="center">

      <form method="post" action="login_process.php">

        <h4 align="center"><font color="red">Incorrect Username / Password ! Please Try Again</font></h4>

          <img name="" src=images/padlock_closed.gif width="34" height="32" alt="" /><br /><br />

          <table width="314" border="0" cellspacing="1" cellpadding="1">

            <tr>

              <td>Username:</td>

              <td><label>

                <input type="text" name="username"  />

              </label></td>

            </tr>

            <tr>

              <td>Password:</td>

              <td><label>

                <input type="password" name="password" />

              </label></td>

            </tr>

            <tr>

              <td colspan="2">

              <p>               

                  <input type="submit" name ="submit" value="Login" />     <input type="reset" value="Reset" />               

              </p>

              </td>

            </tr>

          </table>     

      </form>

      </div>

      </td>

    </tr>

    <tr>

      <td height="100"> </td>

    </tr>

  </table>

</div>

</body>

</html>

 

<?php

 

}

?>

 

 

Here is my logout code

 

 

<?php

//start the session

session_start();

 

//check to make sure the session variable is registered

if(isset($_SESSION['valid_user'])){

 

//session variable is registered, the user is ready to logout

session_unset();

session_destroy();

 

//the session variable isn't registered, the user shouldn't even be on this page

header( "Location: index.php" );

}

else

{

//check to see if the session variable is not registered

if(!isset($_SESSION['valid_user'])){

//redirect to login page

header( "Location: index.php" );

}

}

?>

 

 

 

Here is code I am using to protect pages

 

 

<?php

//start the session

session_start();

//check to make sure the session variable is registered

 

if(!isset($_SESSION['valid_user'])){

//redirect to login page

header( "Location: index.php" );

}

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<title> | Main Menu</title>

<link rel="stylesheet" type="text/css" href="css.css" />

</head>

 

<body>

 

<div id="tabsF">

<ul>

<!-- CSS Tabs -->

<li id="current"><a href="main_menu.php"><span>MAIN MENU</span></a></li>

<li><a href="stockmaster.php"><span>STOCK MASTER</span></a></li>

<li><a href="controlpanel.php"><span>CONTROL PANEL</span></a></li>

<li><a href="logout.php"><span>LOGOUT</span></a></li>

 

</ul>

</div>

</body>

</html>

 

 

Thank you.

 

 

[schilly]

a lot of things you could do here.

 

i would add another session var like user_type or something and either set it to 0 (staff) or 1 (admin) depending on the user login. then check that as well as valid_user for your authentication. use user_type >= access_level (0 or 1). this way admin can access staff area as well.

 

 

[Pikachu2000]

Please don't post a wall of code without enclosing it in

 . . . 

tags.

[PFMaBiSmAd]

Here is code I am using to protect pages...

 

You need an exit; statement after the header() redirect to prevent the remainder of the code on the page from being processed. All any one would need to do is ignore the redirect and he has access to the 'protected' page.

[Anti-Moronic]

Also, no need to do 2 sql queries for the $staff and $admin. Simply fetch user based on login details and check the user type after that.