eldan88 Posted December 9, 2012 (edited)

Hey, I am trying to create a user access level. I created a column in one of my tables named usr_access_lvl, and entered a value of 0. This value is assigned to my clients, for when they log in they can only access 2 pages on my cms. I have also entered a value of 1. That is for the administrator like myself, and 1 gives access to all pages.

The problem I am facing is when I log in as a client, with a user access of 0 it gives me access to all pages, when it shouldn't.

On the login page I have asked mysql to fetch the array usr_access_lvl out of the user and assign it to a session named access $_SESSION['access']

Below is the code I used for the login page

```php
<?php ob_start();
require("session.php");
?>
<?php
if(isset($_POST['submit'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    //$hashed_password = sha1($password);

    $query = "SELECT tablecoloumn1, tablecoloumn2 ";
    $query .= "FROM table ";
    $query .= "WHERE username = '{$username}' ";
    $query .= "AND hashed_password = '{$password}' ";
    $query .= " LIMIT 1 ";
    $result = mysql_query($query);
    confirm_query($result);
    if(mysql_num_rows($result) == 1) {
        $found_user = mysql_fetch_array($result);
        $_SESSION['user_id'] = $found_user['id'];
        $_SESSION['username'] = $found_user['usrname'];
        $_SESSION["access"] = $found_user['usr_access_lvl'];
        goto_page("linkgoeshere.php");
        // Success
    } else {
        // Incorrect username and password
        $message = "Sorry your username or password is incorrect<br />";
        $message .= "Please contact Simplemenu.com at 646-397-5751 for assistance";
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title></title>
</head>
<body>
<?php if(!empty($message)) {echo $message;} ?>
<form action="login.php" method="post">
Username: <input type="text" name="username" value="" /><br />
Password <input type="password" name="password" value="" /><br />
<input type="submit" name="submit" value="submit" />
</form>
<?php ob_end_flush(); ?>
</body>
</html>
```

And below is the code I use that confirms the access: if the user level is 0, redirect back to the login page.

```php
<?php
require("session.php");
ob_start();
if (confirmed_logged_in() && $_SESSION['access'] == 0) {
    goto_page("http://login.php");
}
```

This is my confirmed_logged_in function

```php
function confirmed_logged_in(){
    return isset($_SESSION['user_id']);
}
```

Any help would be greatly appreciated. Thanks

Edited December 9, 2012 by eldan88

MDCode Posted December 9, 2012 (edited)

```php
$query = "SELECT tablecoloumn1, tablecoloumn2 ";
$query .= "FROM table ";
$query .= "WHERE username = '{$username}' ";
$query .= "AND hashed_password = '{$password}' ";
$query .= " LIMIT 1 ";
$result = mysql_query($query);
confirm_query($result);
if(mysql_num_rows($result) == 1) {
    $found_user = mysql_fetch_array($result);
    $_SESSION['user_id'] = $found_user['id'];
    $_SESSION['username'] = $found_user['usrname'];
    $_SESSION["access"] = $found_user['usr_access_lvl'];
```

Take a look at how many columns you are selecting and how many sessions you are setting.

Edited December 9, 2012 by SocialCloud

eldan88 (Author) Posted December 9, 2012

Wow, I just noticed that! Thanks a lot! It solved the issue!

PFMaBiSmAd Posted December 9, 2012

That actually means you WEREN'T logged in and your code allowed you to access the page.

Read your logic - if (confirmed_logged_in() && $_SESSION['access'] == 0) redirect to some other page. What happens if the first term is false (not logged in), then you don't redirect either.

What you are trying to do is - if logged in && access == admin, stay on the page. To complement that, you negate both conditions and use an || - if not logged in || access != admin, redirect.
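
The difference between the posted check and the negated form described in the last reply, as an added example that is not part of the original posts. The function names and the session arrays are hypothetical and constructed for illustration; the admin level 1 is the value given in the first post.

```php
<?php
// Added example, not code from the thread. All names below are hypothetical.

const ACCESS_ADMIN = 1; // usr_access_lvl value the first post assigns to administrators

// The check as posted: redirect only when logged in AND level is 0.
function redirects_as_posted(array $session): bool
{
    return isset($session['user_id']) && ($session['access'] ?? null) == 0;
}

// Negated form from the last reply: redirect when NOT logged in OR NOT admin.
function redirects_deny_by_default(array $session): bool
{
    $logged_in = isset($session['user_id']);
    // Values fetched from MySQL arrive as strings, so cast and compare strictly.
    $is_admin = isset($session['access'])
        && (int) $session['access'] === ACCESS_ADMIN;
    return !$logged_in || !$is_admin;
}

// Constructed session states, including the one the thread ran into:
// the login query did not select the columns, so every value is null.
$cases = [
    'no session at all'              => [],
    'login ran, columns not selected' => ['user_id' => null, 'access' => null],
    'client (level 0)'               => ['user_id' => '7', 'access' => '0'],
    'admin (level 1)'                => ['user_id' => '1', 'access' => '1'],
    'logged in, access never set'    => ['user_id' => '7'],
];

foreach ($cases as $label => $session) {
    printf(
        "%-33s as posted: %-9s deny-by-default: %s\n",
        $label,
        redirects_as_posted($session) ? 'redirect' : 'ALLOW',
        redirects_deny_by_default($session) ? 'redirect' : 'allow'
    );
}
```

Only the admin row is allowed through by the deny-by-default check, while the posted check also lets the first two rows stay on the page. On a real page the redirect must be followed by exit, because sending a Location header does not stop the rest of the script from running.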