Thread: https://forums.phpfreaks.com/topic/243738-restrict-access-to-admin-page/

The_Dude_1978 (posted August 3, 2011):

Hi there,

I've done everything I could to try and solve it myself. It's been 3 nights now and I'm about to give up, but luckily you guys are around. My question is, how do I restrict access to my admin page? The logon page has the following code:

```php
<?php
session_start();
include "db_connect.php";

//if(!$_POST['submit'])
if (!isset($_POST['submit'])) {
?>
<html>
<head>
<!--[if IE]>
<style type="text/css">
#contact p { padding-top: 10px; }
</style>
<link rel="stylesheet" type="text/css" href="style.css" />
<![endif]-->
<![if !IE]>
<link rel="stylesheet" type="text/css" href="firefox.css" />
<![endif]>
</head>
<body>
<div id="vertical">
<div id="wrapper">
<div id="header">
<?php include('../header_sub.php'); ?>
</div>
<div class="divider">
<strong>Login</strong>
<form method="POST" action="index.php">
<div class="formElm">
<label for="username">Klantnummer:</label>
<input id="username" type="text" name="username" maxlength="16">
</div>
<div class="formElm">
<label for="password">Wachtwoord:</label>
<input id="password" type="password" name="password" maxlength="16">
</div>
<input type="submit" name="submit" value="Login">
</form>
</div>
<div id="footer">
<?php include('../footer_sub.php'); ?>
</div>
</div>
</div>
</body>
</html>
<?php
} else {
    // protect() is not shown in the thread; it is assumed to be defined in db_connect.php
    // and to escape the input before it is placed in the query strings below.
    $user = protect($_POST['username']);
    $pass = protect($_POST['password']);
    if ($user && $pass) {
        $pass = md5($pass); //compare the encrypted password
        $sql1 = "SELECT id,username FROM `users` WHERE `username`='$user' AND `password`='$pass' AND `level`='1'";
        $sql2 = "SELECT id,username FROM `users` WHERE `username`='$user' AND `password`='$pass' AND `level`='9'";
        $queryN = mysql_query($sql1) or die(mysql_error());
        $queryA = mysql_query($sql2) or die(mysql_error());
        if (mysql_num_rows($queryN) == 1) {
            $resultN = mysql_fetch_assoc($queryN);
            $_SESSION['id'] = $resultN['id'];
            $_SESSION['username'] = $resultN['username'];
            header("location:home.php");
            exit; // stop here; without exit the rest of the script keeps running after the redirect
        } elseif (mysql_num_rows($queryA) == 1) {
            $resultA = mysql_fetch_assoc($queryA);
            $_SESSION['id'] = $resultA['id'];
            $_SESSION['username'] = $resultA['username'];
            header("location:administrator.php");
            exit;
        } else {
            echo "Wrong Username or Password";
        }
    }
}
?>
```

And my SQL is as follows:

```sql
CREATE TABLE `users` (
  `id` int(4) unsigned NOT NULL auto_increment,
  `username` varchar(32) NOT NULL,
  `password` varchar(32) NOT NULL,
  `level` int(4) default '1',
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=27 DEFAULT CHARSET=latin1
```

The admin level is 9. Now the page I want to try and restrict for anonymous users and level 1 users is:

```php
<?php
session_start();
ob_start(); // output is buffered so the logout redirect at the bottom can still send headers
include "db_connect.php";
?>
<html>
<head>
<!--[if IE]>
<style type="text/css">
#contact p { padding-top: 10px; }
</style>
<link rel="stylesheet" type="text/css" href="style.css" />
<![endif]-->
<![if !IE]>
<link rel="stylesheet" type="text/css" href="firefox.css" />
<![endif]>
<title><?php echo $_SESSION['username']; ?>'s Homepage</title>
</head>
<body>
<h1>Customer Management Service</h1>
<div id="vertical">
<div id="wrapper">
<div id="header">
<?php include('../header.php'); ?>
</div>
<a href='index.php'>Index</a> | <a href='administrator.php?add'>Add user</a> | <a href='administrator.php?viewUsers'>View users</a> (including edit and delete users)
<p><strong>You are managing users from the account: <?php echo $_SESSION['username']; ?></strong><br /><a href='administrator.php?logout'>Log out</a></p>
<div id="footer_users">
<?php include('../footer.php'); ?>
</div>
<?php
if (isset($_GET['logout'])) {
    unset($_SESSION['id']);
    unset($_SESSION['username']); // the original unset 'id' twice and never cleared 'username'
    session_destroy(); # Will remove all sessions.
    header("location:index.php"); # This code will send u back to the index page
    exit;
}
?>
```

Please help me out with this one.

Kind regards,
Martijn
requinix (posted August 3, 2011):

```
if (user level >= 2) {
    show page
} else {
    show access denied message
}
```

What part are you having a hard time with?
The_Dude_1978 (posted August 4, 2011, author):

Hi,

That is the code I've tried to put together over and over, but it has no effect. All of the page is just shown. I want it to end further display of the page and the else. I also tried to put it at the bottom of the page before closing the ?> PHP tag. What I've done in various ways is code similar to this, but when I echo it, the user is always admin. It doesn't seem to check the level variable of the current logged in user. Believe me, I've tried a lot, but I just don't get it with my level of experience.

```php
<?php
// No WHERE clause: $row is the first row of the whole table, not the logged-in user's row.
$query = "SELECT * from `users`";
$rs = mysql_query($query);
$row = mysql_fetch_assoc($rs);
?>
<?php
if ($row['level']==1) {
    echo "user";
} elseif ($row['level']==9) {
    echo "admin";
}
?>
```
cunoodle2 (posted August 4, 2011):

The issue is with your SELECT statement.

`$query = "SELECT * from `users`";`

That is incorrect for 2 reasons...

#1. NEVER EVER do "Select *". It's generally sloppy and you should specify column names, i.e. `Select `first`, `last`, `level` FROM `users`...`

#2. You NEED to add a WHERE clause to the end. Right now you are just selecting ALL columns and ALL users. You have no idea WHICH user's "level" you are looking at. Try instead to do something like:

`Select `first`, `last`, `level` FROM `users` WHERE `id` = $var;`

Note that my code will NOT work on your site. It depends on what the name of your primary key field is or whatever method you are using to search.
The_Dude_1978 (posted August 4, 2011, author):

YEAH cunoodle2! After altering the code to my needs, THANK YOU THANK YOU THANK YOU !!! I'm so glad you took the time to show me a lesson! Here's what I've done:

```php
<?php
session_start();
ob_start();
include "db_connect.php";
?>
<form name="logout" method="post" action="logout.php">
<input type="submit" name="logout" id="logout" value="Logout">
</form>
<?php
// Look up only the logged-in user's row; with no session id the query matches nothing.
$id = isset($_SESSION['id']) ? (int) $_SESSION['id'] : 0;
$query = "Select `id`, `level` FROM `users` WHERE `id`='" . $id . "'";
$rs = mysql_query($query);
$row = mysql_fetch_assoc($rs);
?>
<?php if ($row && $row['level']==9) { ?>
<html>
<head>
</head>
<body>
<h1>Admin page</h1>
</body>
</html>
<?php } elseif ($row && $row['level']==1) { ?>
<html>
<head>
</head>
<body>
<h1>Users page</h1>
</body>
</html>
<?php } else { // no matching row: not logged in or unknown id (the original tested an undefined $results here) ?>
<html>
<head>
</head>
<body>
<h1>You're not authorized to get to this page</h1>
</body>
</html>
<?php } ob_end_flush(); ?>
```
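The check this thread converges on (cunoodle2's "select only the logged-in user's row", applied in the solution above) can be pulled into one reusable guard. The following is an added example written for this thread, not code from any of the posters: the login handler stores the user's `id` and `level` in the session once, and a small guard file included at the very top of `administrator.php` refuses anyone whose level is not 9 before any HTML is sent, so no `ob_start()` trick is needed. It uses PDO prepared statements and `password_hash()`/`password_verify()` in place of the `mysql_*` functions and `md5()` used above; the file name `auth_guard.php`, the `$pdo` connection variable and the `LEVEL_ADMIN` constant are assumptions. Because `password_hash()` output is longer than 32 characters, the thread's `password varchar(32)` column would have to be widened (255 is the usual choice) before this could be used.

```php
<?php
// ---- auth_guard.php (added example; assumed file name) ----
// Include as the first line of any page that only level-9 users may see.

const LEVEL_ADMIN = 9;   // "The admin level is 9" in the thread; assumed constant name

/**
 * Stops the request unless the session belongs to a user with at least $required level.
 * Returns the session user on success so the page can greet them.
 */
function require_level(int $required): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Anonymous visitor: send to the login page and stop executing immediately.
    if (empty($_SESSION['id']) || !isset($_SESSION['level'])) {
        header('Location: index.php');
        exit;
    }
    // Logged in but too low a level: refuse without rendering any of the page.
    if ((int) $_SESSION['level'] < $required) {
        http_response_code(403);
        echo 'You are not authorized to view this page.';
        exit;
    }
    return [
        'id'       => (int) $_SESSION['id'],
        'username' => $_SESSION['username'] ?? '',
    ];
}

// ---- index.php login handler (replaces the two level='1' / level='9' queries) ----

/**
 * Looks up the user by name with a prepared statement, verifies the hashed
 * password, and records id/username/level in the session. Returns the row
 * on success, null on failure. $pdo is an assumed PDO connection from db_connect.php.
 */
function login(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password, level FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password column is assumed to hold password_hash() output, not md5.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }

    session_regenerate_id(true);            // fresh session id on login (session fixation defence)
    $_SESSION['id']       = (int) $row['id'];
    $_SESSION['username'] = $row['username'];
    $_SESSION['level']    = (int) $row['level'];   // read once here, checked on every admin page
    return $row;
}

/** Redirect target after a successful login, chosen from the stored level. */
function landing_page(int $level): string
{
    return $level >= LEVEL_ADMIN ? 'administrator.php' : 'home.php';
}

// ---- administrator.php (top of file) ----
//   require 'auth_guard.php';
//   $me = require_level(LEVEL_ADMIN);   // only level-9 users get past this line
//   ... page HTML follows, with $me['username'] available ...

// ---- logout.php ----
//   session_start();
//   $_SESSION = [];
//   session_destroy();
//   header('Location: index.php');
//   exit;
```

The guard runs before any output, which is why the `exit` after `header()` matters: without it PHP continues past the redirect and would still render the admin HTML for a browser that ignores the `Location` header. Storing `level` in the session at login also means the admin page no longer needs its own query, and a change of level in the database takes effect on the user's next login.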
voip03 (posted August 4, 2011):

Is it good practice to have an admin table?