Am Loosing My Mind

[utevwe]

I have something like this

<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="xxxx"; // Database name
$tbl_name="xxxxxx"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];

// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$res = mysql_query("SELECT * FROM members WHERE username = '$username' LIMIT 1");
if(mysql_num_rows($res)>0)
{
$d = mysql_fetch_array($res);    
if($password == $d['password'])
{
session_regenerate_id(); //security for changing permissions
session_register['id'] = $d['id'];
session_register['access_level'] = $d['access_level'];
switch($d['access_level'])
{
case 1:
$loc = "home.php";
break;
case 2:
$loc = "paramedic.php";
break;
case 3:
$loc = "doctor.php";
break;
case 4:
$loc = "medprac.php";
break;
case 5:
$loc = "wardboss.php";
break;
case 6:
$loc = "consultant.php";
break;
}
header("Location: $loc");
}
}
?>

 

and this is verry correct I suppose.

But I am having problem locking the pages. I want doctors and admin to have access to all pages while other to their pages only

Edited October 8, 2012 by ManiacDan

[xyph]

session_register is long depricated. On top of that, you're using in incorrectly. Please, check out the manual on how to assign and use session variables.

 

http://php.net/manual/en/session.examples.basic.php

Edited October 8, 2012 by xyph

[Jessica]

Use code tags please.

 

The code you have sends the user to a specific page based on their access level. What you'll want to do is (assuming this is a base/header type file) have a list of what pages are global OR a list of what are "special", then if on the "special" page (or not a global page), check if the user's access is one of the allowed types, and if not redirect them home.

[kicken]

session_register['id'] = $d['id'];

session_register['access_level'] = $d['access_level'];

Those lines are wrong. session_register is a function, not an array. The recommended way to store a session variable is by setting it in $_SESSION though, there is no need for session_register at all.

$_SESSION['id'] = $d['id'];
$_SESSION['access_level'] = $d['access_level'];

 

 

[ManiacDan]

Whatever tutorial you're using, stop using it. It's using ancient and deprecated PHP functionality and does strings wrong.

 

You'll have to define what you mean by "locking." Once they log in, they're taken to separate pages. You want THOSE pages to be secured, unrelated to the code you posted?

 

If that's the case, you'll have to go to those pages (or work in a common includes directory), and see if the page they're on is one that they have access to. You can store their access levels in the session since you set them there, but I don't know where your page-to-access-level map is. If there's a database table for that, use it. Otherwise set the access level for each page by hand.

[xyph]

BTW - you should tie your mind up tighter next time

[utevwe]

Kicken what do I need to do?

[ManiacDan]

Read the rest of the posts and click on the links to the session manual, for one.

[Pikachu2000]

That code is obviously from phpeasystep.com. That site has possibly the worst code examples on the web. That site shouldn't be used as a learning resource, unless you want to learn how to write code that hasn't been current in at least ten years.

Edited October 8, 2012 by Pikachu2000
Fixed fat-fingered spelling.

[ManiacDan]

Yes, also, "stop using that site." Most of the content of this thread is good advice, not just Kicken (though Kicken is very smart)

[utevwe]

So guy, can someone please help me out?

[Jessica]

I'm not your guy, pal.

[ManiacDan]

Did you, in any way, read the site on how to properly use sessions? Correct your session code. Fix your loop. Fix your concatenation line. We've specified 4 things that are wrong, even copying and pasting the lines and telling you why they're wrong.

 

If you can't do this yourself, there's a freelancer board where you can pay someone to do it.