User level php script

[maprixx]

SQL.ink.php file:

 

$db_user = "test"; // Username
$db_pass = "test"; // Password
$db_database = "test"; // Database Name
$db_host = "test"; // Server Hostname

// DO NOT EDIT ANYTHING AFTER THIS LINE!
$db_connect = @mysql_connect ($db_host, $db_user, $db_pass);
$db_select = @mysql_select_db ($db_database);

 

page.php

 

include("sql.inc.php");

$q = mysql_query("SELECT * FROM `table` WHERE group = '5'") or die (mysql_error());
$r = mysql_fetch_array($q);

if($r['group'] == "1") {
// has access
} else {
// Doesnt have access
}

 

I have modified a user level php script, but it does not work :S I only get a grey page when i try to access it. I want that group number 1 cant access the site, but group number 5 can. Could you help me please

 

[Jessica]

Select * where group = 5

Then if group == 1 do something

 

 

How does that make any sense??

 

Neither of your cases do anything though.

[maprixx]

Select * where group = 5

Then if group == 1 do something

 

 

How does that make any sense??

 

Neither of your cases do anything though.

Hehe, cant php so much ^^ Could you help me out to make it right

[mac_gyver]

how do you know who the current visitor is in your code? you would need to use that information in the query, wouldn't you?

[maprixx]

No you dont need that. The whole website has usergroups to every page

[Jessica]

How do you know what user is viewing the page?

[mac_gyver]

so, then my question becomes - how do you know what group the current visitor is in? you would need to use that information in the query, wouldn't you?

 

your query contains NOTHING that ties it to the current visitor, therefore it cannot work and needs to contain something that contains the group membership of the current visitor.

[maprixx]

hehe like i sayd I am a noob in php, maybe you can give me some links how i can track the visitors

[Jessica]

So it sounds like you don't have any kind of authentication in place already. Do your users register and login?

[maprixx]

Ye they register. And after that they have access to everything. But i want to block some sites so that they have to pay for it through

 

 paypal. 

[Jessica]

So how does your site know if a visitor is logged in or not?

[maprixx]

I am using a session script. Link to it:

http://pastebin.com/fRqLSYaG

[maprixx]

And here is the process script:

http://pastebin.com/dWCwzJG8

[Jessica]

I'm not really interested in reading your code.

 

The point is you know what user is logged in. You then need to determine if the user who is logged in is in the right group to view the page.

 

What are you stuck on?

[maprixx]

Okay i think i understand now. Can i do it like this:

 

When user signs in i Serialize the information I want to hold in my session.

 

"$userinfo = $row['userid'].','.$row['privs'];

$_SESSION['user'] = base64_encode(serialize($userinfo));"

 

And then i would then just unserialize the session and define variables with the values...:

 

// Fetch User Information

$member = unserialize(base64_decode($_SESSION['user']));
$mdata = explode(',',$member);
// Assign User Info
define ("USERID",$mdata[0]);
define ("PRIVS",$mdata[1]);

 

Then on one of my pages i would put:

 

// Check User Permissions
if (PRIVS < "3") { // Check to see if user is LEVEL 3 or higher
@header("Location:index.php?p=denied");// Send them to denied page
die("<script>window.location='index.php?p=denied';</script>"); //js redirect backup
}

[Jessica]

You should store in the session the user's ID, and a unique value to each user, which is also stored in the database (not their password). Use this to select the user's info when you need to use it. There's no need to use base64 encoding, or serializing (you're serializing a string, btw. Useless upon useless.)

 

Make sure to add a die() after your header, and don't ever suppress errors.