Superman702 Posted August 9, 2011 Share Posted August 9, 2011 MySQL: 2.11.4 I currently have a database set up with a table called "users". I have three columns "ID" "username" and "password" I want to add a column to the database called "Admin" I want this column to be an INT with only one number in it. 1 (obviously for true) and 0 (for obviously false). I would use this column to establish if a user is just a member or an admin so the Admin can see certain areas that normal users can not see if this field is "1". The problem is, I didn't think this through when I first started working on my script. It might be because I'm tired as *$#&, but I don't know where to go with it now. login.php <?php mysql_connect("*****", "*****", "*****") or die(mysql_error()); mysql_select_db("a7405553_test") or die(mysql_error()); //Checks if there is a login cookie if(isset($_COOKIE['ID_my_site'])) { $username = $_COOKIE['ID_my_site']; $pass = $_COOKIE['Key_my_site']; $check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error()); while($info = mysql_fetch_array( $check )) { if ($pass != $info['password']) { } else { header("Location: members.php"); } } } if (isset($_POST['submit'])) { if(!$_POST['username'] | !$_POST['pass']) { die('You did not fill in a required field.'); } // checks it against the database if (!get_magic_quotes_gpc()) { $_POST['email'] = addslashes($_POST['email']); } $check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error()); $check2 = mysql_num_rows($check); if ($check2 == 0) { die('That user does not exist in our database. <a href=add.php>Click Here to Register</a>'); } while($info = mysql_fetch_array( $check )) { $_POST['pass'] = stripslashes($_POST['pass']); $info['password'] = stripslashes($info['password']); $_POST['pass'] = md5($_POST['pass']); if ($_POST['pass'] != $info['password']) { die('Incorrect password, please try again.'); } else { $_POST['username'] = stripslashes($_POST['username']); $hour = time() + 3600; setcookie(ID_my_site, $_POST['username'], $hour); setcookie(Key_my_site, $_POST['pass'], $hour); header("Location: members.php"); } } } else { ?> <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"> <table border="0"> <tr><td colspan=2><h1>Login</h1></td></tr> <tr><td>Username:</td><td> <input type="text" name="username" maxlength="40"> </td></tr> <tr><td>Password:</td><td> <input type="password" name="pass" maxlength="50"> </td></tr> <tr><td colspan="2" align="right"> <input type="submit" name="submit" value="Login"> </td></tr> </table> </form> <?php } ?> members.php <?php mysql_connect("****", "*****", "*****") or die(mysql_error()); mysql_select_db("a7405553_test") or die(mysql_error()); if(isset($_COOKIE['ID_my_site'])) { $username = $_COOKIE['ID_my_site']; $pass = $_COOKIE['Key_my_site']; $check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error()); while($info = mysql_fetch_array( $check )) { if ($pass != $info['password']) { header("Location: login.php"); } { echo "Admin Area<p>"; echo "Member Content<p>"; echo "<a href=logout.php>Logout</a>"; } } } else { header("Location: login.php"); } ?> Any idea how to make the Admin Area show up for only user names with a "1" in the "admin" part of the row in MySQL? Quote Link to comment Share on other sites More sharing options...
WebStyles Posted August 9, 2011 Share Posted August 9, 2011 just grab the variable from the database, the same way you grab the other info and check it before redirecting: (I would store it in a session variable to use later.) if($info['Admin'] == 1){ // redirect to admin page }else{ // redirect somewhere else } Quote Link to comment Share on other sites More sharing options...
the182guy Posted August 9, 2011 Share Posted August 9, 2011 There are a few issues with your code: See SQL Injection See why isset post is bad PHP_SELF has an XSS vulnerability when used in that way Quote Link to comment Share on other sites More sharing options...
Superman702 Posted August 9, 2011 Author Share Posted August 9, 2011 So should I have the form submit to a 2nd page that verifies the information instead of using PHP_SELF? Quote Link to comment Share on other sites More sharing options...
TeNDoLLA Posted August 9, 2011 Share Posted August 9, 2011 There are a few issues with your code: See why isset post is bad I don't see any problem using isset($_POST['variable']) as long as you don't check it against the value in the submit button. Because if the form ever was submitted and you got some vars in it, they will exists no matter what (except the value in submit button, in case of IE and enter pressing). Quote Link to comment Share on other sites More sharing options...
TeNDoLLA Posted August 9, 2011 Share Posted August 9, 2011 So should I have the form submit to a 2nd page that verifies the information instead of using PHP_SELF? You could use this instead PHP_SELF (there are also other methods like using pathinfo() http://php.net/manual/en/function.pathinfo.php ) basename($_SERVER['SCRIPT_NAME']); Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.