jopereira Posted March 3, 2013 (edited)

I'm trying to create 2 kinds of access for registered users, the administrators and the normal members. What I thought I could use is the following:

```php
<?php
// Receive the data entered by the user
$util = $_POST['utilizador'];
$pass = $_POST['password'];
$acess = $_POST['acesso'];

$conn = mysql_connect("localhost", "root", "") or die("Impossivel conectar");
if($conn) {
    mysql_select_db("eventos", $conn);
}

$sql = "SELECT * FROM utilizador WHERE login = '$util' AND senha = '$pass' and acesso = $acess";
$rs = mysql_query($sql, $conn);
$num = mysql_num_rows($rs);

if($num > 0) {
    $rst = mysql_fetch_array($rs);
    $id = $rst["id"];
    //$nome = $rst["nome"];
    $login = $rst["login"];
    $acess = $rst["acesso"];

    // Start the session
    session_start();
    $_SESSION["utilizador"] = $login;
    mysql_close($conn);
    echo "<meta http-equiv='refresh' content='0;URL=index.php'>";
} else {
    mysql_close($conn);
    echo "<table width='100%' border='1' cellpadding='3' cellspacing='1' bgcolor='#FFFFFF'>";
    echo "</table>";
    echo "<b>Nenhum utilizador foi encontrado com os dados introduzidos... Por favor, tente novamente. Obrigado</b>";
    echo "<meta URL=acessCheck.php?acesso=$acess\">";
    echo "<meta http-equiv='refresh' content='4;URL=index.php?>";
}
?>
```

In this piece of code, along with the username and password saving, I also have the $acess variable which keeps "1" or "2", and in the end it sends the value in the <meta> tag to "acessCheck.php". 1 = members access, 2 = administrator access.

acessCheck.php:

```php
<?php
$conn = mysql_connect("localhost", "root", "") or die("Impossivel conectar");
$id = $_SESSION['id']; // session member id
$acess = intval($_GET['acesso']);
$sql = mysql_query("SELECT * FROM utilizador WHERE acesso='$acess'");
$sqlM = mysql_fetch_assoc($sql);
$membro = $sqlM['acesso']; // This gets the member's level
if($membro == 2) {
    echo "<p align=left>Bem-vindo(a) ". $_SESSION['utilizador']."</p>"; // show session information
    echo "<p align=right><a href=admin.php>Administrar</a></p>";
    echo "<p align=right><a href=logout.php>Log Out</a></p>";
} else if ($membro == 1) {
    echo "<p align=left>Bem-vindo(a) ". $_SESSION['utilizador']."</p>"; // show session information
    echo "<p align=right><a href=logout.php>Log Out</a></p>";
} else {
    include("login.php");
}
?>
```

And I include acessCheck.php into "index.php" in this piece of code below:

```php
<?php
if (isset($_SESSION['utilizador'])) {
    //echo "<li><a href='#'>Admin</a></li>";
    include ("acessCheck.php");
}
echo "<br>";
echo "<br>";
?>
```

Although this is returning me this error:

```
Notice: Undefined index: id in C:\xampp\htdocs\xampp\eventos\acessCheck.php on line 4
Notice: Undefined index: acesso in C:\xampp\htdocs\xampp\eventos\acessCheck.php on line 5
Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\xampp\eventos\acessCheck.php on line 7
```

For what I know, if it is returning boolean, which in this case is status "false", I understand the select didn't select anything according to the conditions. I've already checked if the parameter $acess sent was the same everywhere, and it is. My guess is that that <meta> is not doing so good. What do you think?

Edited March 3, 2013 by jopereira
Christian F. Posted March 3, 2013

Please read the following post on how to debug your SQL errors. Also, the "undefined index" notices you get mean that there is no data in the $_SESSION and $_GET with those indices. You need to figure out why, and handle this situation properly.
teynon Posted March 3, 2013

http://coding.smashingmagazine.com/2011/11/30/a-guide-to-php-error-messages-for-designers/

Read this before you post about error messages.
jopereira Posted March 3, 2013 (Author)

I know what causes the error, I just need some hints to do this well done, before I care about the errors. Even if I correct them as they are, it wouldn't do what I wanted. Before fighting the errors I need to know if this is going to work as I want when I solve them. I've got this acessCheck.php to compare what level of access the user is, 1 = member, 2 = admin, else = none, and those numbers are sent to $acess by parameter on the validate login script (the first piece of code in my first post in this topic). My guess is that

```php
echo "<meta URL=acessCheck.php?acesso=$acess\">";
```

is not working, but I need your experience and opinion. I need to know if I'm thinking well, else even if I solve the problems I'd have to do it all over again.
jopereira Posted March 3, 2013 (Author)

I just need to know if my theory on how to do this is correct.
Christian F. Posted March 3, 2013

Why are you relying upon the client to send you the access ID (or level)? Doing it this way means that it is trivial for the user to modify it as he likes. Better to keep all that on the server, and store the access level in the session.
jopereira Posted March 3, 2013 (Author, edited)

> Why are you relying upon the client to send you the access ID (or level)? Doing it this way means that it is trivial for the user to modify it as he likes. Better to keep all that on the server, and store the access level in the session.

Hm. By my understanding I'm getting the access id ($acess) when the user validates the session successfully (introduces login and password, then presses login). After login is made successfully, that <meta> tag sends the $acess to checkAcess.php, and then there is another <meta>: the user is redirected to the index page (home). How can he possibly edit his access level? So as soon as he's redirected, his access level is known, and according to it he will or will not have access to certain links. Am I wrong?

Edited March 3, 2013 by jopereira
Christian F. Posted March 3, 2013

If it's in the HTML code, the user can change it easily. If it's in a cookie, it can also be changed (almost) as easily. Not that I see the need to redirect the user at any point to check the access level. So I suspect that you've made this more complicated than what it needs to be. I usually check the access level when the user first tries to view the page, and if it fails then I show him an error message and/or redirect to a login form. At no point does anything other than the session ID cookie get sent to the user, or retrieved.
jopereira Posted March 3, 2013 (Author, edited)

> If it's in the HTML code, the user can change it easily. If it's in a cookie, it can also be changed (almost) as easily. Not that I see the need to redirect the user at any point to check the access level. So I suspect that you've made this more complicated than what it needs to be. I usually check the access level when the user first tries to view the page, and if it fails then I show him an error message and/or redirect to a login form. At no point does anything other than the session ID cookie get sent to the user, or retrieved.

I understand, but that would only work if the webpage already showed all possible links. In my case, it automatically prevents a normal user from seeing admin links. In a literal way, acesscheck.php works like this:

```
if user access = admin
    echo admin menu
    echo welcome
if user access = member
    echo welcome
else
    include login.php
```

But maybe as soon as the login is made it should check, after the session_start, what his access level is?

Edited March 3, 2013 by jopereira
Christian F. Posted March 3, 2013

Showing the links or not has nothing to do with checking permissions upon viewing the file. Assume that all users see all links, and act accordingly. That means checking, at the top of the page, if the user has the necessary privileges to access it. A simple block like this will do:

```php
if ($user->access != 'admin') {
    die('You do not have the required privileges to open this page.');
}
```

Of course, that's a very crude example.

Also, every page request is a separate event from the previous. Apart from the session, if you've started one, there is absolutely nothing which connects two page loads. If you want information from one page to be accessible on another, you need to send it. Either via the URL (ID and stuff like that, most likely to identify pages or sub-resources), via a form (which requires user input/modification), or via the session (for everything that the user should not be able to see or touch).

This whole setup of yours seems to be overly complicated and with no clear idea behind it. Did you sit down and plan it out (I mean really plan it out) before you started, or is this something you're trying to solve as you write the code? If the latter, then I recommend you stop. Leave the code be for the time being, and write up a detailed plan for exactly what you want each page, and each piece of functionality, to do.
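The approach Christian F. describes in the two posts above (keep the level in the session, check it at the top of each protected page, treat the menu as cosmetic) as an added example. This is not code from the thread; the table and column names (utilizador, acesso) and the 1 = member / 2 = admin values come from the thread, and the file name access.php, the session key `acesso` and the function names are assumptions.

```php
<?php
// Added example: server-side access control for the thread's member/admin split.
// Nothing here reads the level from $_GET, $_POST or hidden form fields, so the
// user cannot promote themselves by editing the HTML or a URL.

declare(strict_types=1);

// Access levels as used in the thread: 1 = member, 2 = administrator.
const ACCESS_MEMBER = 1;
const ACCESS_ADMIN  = 2;

/**
 * Return the caller's access level from the session only.
 * 0 means "no logged-in user" (no session or no `acesso` key; key name assumed).
 */
function currentAccessLevel(): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return isset($_SESSION['acesso']) ? (int) $_SESSION['acesso'] : 0;
}

/**
 * Guard for the top of a page. Must run before any output, because header()
 * cannot be sent once the page body has started.
 */
function requireAccess(int $minimumLevel): void
{
    $level = currentAccessLevel();
    if ($level === 0) {
        // Anonymous visitor: send to the login form instead of the page.
        header('Location: login.php', true, 302);
        exit;
    }
    if ($level < $minimumLevel) {
        // Logged in, but not enough privilege: refuse and stop.
        http_response_code(403);
        exit('You do not have the required privileges to open this page.');
    }
}

// admin.php would begin with (assumed layout):
//   require 'access.php';      // this file
//   requireAccess(ACCESS_ADMIN);
// and only then render the administration page.

/**
 * index.php can still tailor the menu, but hiding the admin link is cosmetic:
 * admin.php enforces the check itself, so a member who types the URL by hand
 * is still refused.
 */
function renderMenu(): string
{
    $level = currentAccessLevel();
    // Escape the display name so a crafted login cannot inject markup.
    $name = htmlspecialchars((string) ($_SESSION['utilizador'] ?? ''), ENT_QUOTES, 'UTF-8');
    $html = "<p>Bem-vindo(a) {$name}</p>";
    if ($level >= ACCESS_ADMIN) {
        $html .= '<p><a href="admin.php">Administrar</a></p>';
    }
    if ($level >= ACCESS_MEMBER) {
        $html .= '<p><a href="logout.php">Log Out</a></p>';
    }
    return $html;
}
```

The only thing the browser ever holds is the session ID cookie; the level lives in `$_SESSION` and is set once, at login, from the database row. With this in place the acessCheck.php redirect and its `acesso` query parameter are no longer needed.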
jopereira Posted March 3, 2013 (Author, edited)

> Showing the links or not has nothing to do with checking permissions upon viewing the file. Assume that all users see all links, and act accordingly. That means checking, at the top of the page, if the user has the necessary privileges to access it. A simple block like this will do:
>
> ```php
> if ($user->access != 'admin') {
>     die('You do not have the required privileges to open this page.');
> }
> ```
>
> Of course, that's a very crude example.
>
> Also, every page request is a separate event from the previous. Apart from the session, if you've started one, there is absolutely nothing which connects two page loads. If you want information from one page to be accessible on another, you need to send it. Either via the URL (ID and stuff like that, most likely to identify pages or sub-resources), via a form (which requires user input/modification), or via the session (for everything that the user should not be able to see or touch).
>
> This whole setup of yours seems to be overly complicated and with no clear idea behind it. Did you sit down and plan it out (I mean really plan it out) before you started, or is this something you're trying to solve as you write the code? If the latter, then I recommend you stop. Leave the code be for the time being, and write up a detailed plan for exactly what you want each page, and each piece of functionality, to do.

It's a school project with already some weeks of work, and before starting I made a presentation along with the plan, but I'm not a guy to always stick to the plan. There are some ideas I get while writing code, and some I can improve. In this case, of course I had it planned, but I wasn't, and I'm not, sure what is the best way to implement it with the code I have, and that's what we're discussing here. So, from your post, I understand I should check the access every time the user accesses another page?

Edited March 3, 2013 by jopereira
teynon Posted March 3, 2013

Ok, this thread seems like it will never end given the current situation. You need to clearly define your problem. Your first post referenced error messages and when you were replied to, you pretty much changed what the entire question was about. I can say a few things about your code, though.

1) Yes, you should not be using the meta redirect in your login script.

```php
echo "<meta http-equiv='refresh' content='0;URL=index.php'>";
```

Instead, you should use a header redirect.

```php
header("Location: index.php");
die();
```

2) Administrative functions should be separated and blocked, as Christian has stated.

You need to read up on PHP login systems and read up on login security. It's likely that given your experience (based on the code posted), you will have multiple security vulnerabilities straight from the start. I can already identify multiple major security vulnerabilities like SQL Injection. So the best solution for you is to read up. Secondly, this is a school project, so I think the best way for you to learn is to just try and do it. It might seem harsh, but the best way for you to learn how to do it is to try it.

https://www.google.com/webhp?q=PHP+login+tutorial
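A login handler in the shape teynon's two points and the earlier session advice call for, as an added example that is not code from the thread: the query is a prepared statement instead of string concatenation (closing the SQL injection in the original `SELECT ... WHERE login = '$util' AND senha = '$pass'`), the access level is read from the database row into the session rather than from the form, and the redirect is a `header()` call. The database name (eventos), table (utilizador) and columns (id, login, senha, acesso) come from the thread; the PDO DSN and credentials, the `acesso` session key, and the assumption that `senha` holds a `password_hash()` value rather than plaintext are mine.

```php
<?php
// Added example: hardened version of the thread's login script.
// Assumptions: PDO/MySQL, `senha` stores a password_hash() result, and the
// session key `acesso` is what the protected pages read the level from.

declare(strict_types=1);

// session_start() must precede any output, as must header() further down.
session_start();

/**
 * Verify the credentials and, on success, populate the session.
 * Returns true on a successful login, false otherwise.
 */
function loginUser(PDO $db, string $login, string $password): bool
{
    // Prepared statement: the submitted login is bound as a parameter, so
    // quotes or SQL keywords in it are data, not part of the query text.
    // Note the form is NOT trusted for the access level; only `login` is used.
    $stmt = $db->prepare(
        'SELECT id, login, senha, acesso FROM utilizador WHERE login = :login'
    );
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the stored hash; never compare plaintext columns.
    if ($row === false || !password_verify($password, (string) $row['senha'])) {
        return false;
    }

    // Fresh session id on privilege change, so a session id fixed before
    // login does not become an authenticated one.
    session_regenerate_id(true);
    $_SESSION['id']         = (int) $row['id'];
    $_SESSION['utilizador'] = (string) $row['login'];
    // Access level comes from the database row and stays server-side.
    $_SESSION['acesso']     = (int) $row['acesso'];   // 1 = member, 2 = admin
    return true;
}

// Connection details are placeholders; use a least-privilege account, not root.
$db = new PDO(
    'mysql:host=localhost;dbname=eventos;charset=utf8mb4',
    'app_user',
    'app_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

$login    = (string) ($_POST['utilizador'] ?? '');
$password = (string) ($_POST['password'] ?? '');

if (loginUser($db, $login, $password)) {
    // HTTP redirect instead of <meta refresh>; nothing has been echoed yet.
    header('Location: index.php', true, 303);
    exit;
}

// Same generic message whether the user or the password was wrong.
http_response_code(401);
echo '<b>Nenhum utilizador foi encontrado com os dados introduzidos... Por favor, tente novamente.</b>';
```

Because the level is written to `$_SESSION['acesso']` here and read only from the session on every later page, the `acesso` form field, the `?acesso=` query parameter and the second `<meta>` redirect from the original design all disappear. Existing plaintext `senha` values would need to be re-hashed with `password_hash()` once (for example on the user's next successful login) before this handler can verify them.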