Hi guys, I'm back! After I successfully found my solution to the earlier problem, I want to ask what code I should add to limit what an employee can access compared to an admin.

My problem is that when my employee logs in, he is directed to localhost/MIS/Webpage/Employee/home.php.
This is correct for my employee.

But when I change the address to localhost/MIS/Webpage/Admin/home.php,

my employee can access the admin homepage. This is the problem: I want to limit my employee's access.

So this is the code of my index.php:

<?php
require 'core.php';
require 'connect.php';

if (loggedin()) {
    // logged in: redirect according to the account type stored at login
    if($_SESSION['type'] == 'ADMINISTRATION'){
        header('Location:../Mis/Webpage/Employee/home.php');
        exit; // stop so nothing else runs after the redirect
    }else if($_SESSION['type'] == 'EMPLOYEE'){
        header('Location:../Mis/Webpage/Admin/home.php');
        exit;
    }
}
else{
    // not logged in: send the visitor to the login page
    header('Location:Webpage/index.php');
    exit;
}
?>

This is my login form:

<?php
include '../../Mis/connect.php';
include '../../Mis/core.php';

// employee login form handler
if(isset($_POST['eusername']) && isset($_POST['epassword'])){
    if(!empty($_POST['eusername']) && !empty($_POST['epassword'])){
        $user = mysql_real_escape_string($_POST['eusername']);
        $pass = mysql_real_escape_string(md5($_POST['epassword']));
        $query = "SELECT * FROM tbl_account WHERE LogUsername='".$user."' AND LogPassword = '".$pass."' AND type = 'EMPLOYEE'";
        if($query_run = mysql_query($query)){
            $query_num_rows = mysql_num_rows($query_run);
            if($query_num_rows == 0){
                echo "<script>alert('Incorrect Pass or User')</script>";
            }else{
                $user_id = mysql_result($query_run, 0, 'LogUsername');
                $_SESSION['user_id'] = $user_id;
                $_SESSION['type'] = "EMPLOYEE";
                echo "<script>alert('Employee Login')</script>";
                header('Location: ../../Mis/index.php');
                exit; // stop so the form below is not sent after the redirect
            }
        }else{
            echo "<script>alert('Connecting Failed')</script>";
        }
    }else{
        echo "<script>alert('Sorry, You must supply Username/Password...')</script>";
    }
}

// admin login form handler
if(isset($_POST['username']) && isset($_POST['password'])){
    if(!empty($_POST['username']) && !empty($_POST['password'])){
        $user = mysql_real_escape_string($_POST['username']);
        $pass = mysql_real_escape_string(md5($_POST['password']));
        $query = "SELECT * FROM tbl_account WHERE LogUsername='".$user."' AND LogPassword = '".$pass."' AND type = 'ADMINISTRATION'";
        if($query_run = mysql_query($query)){
            $query_num_rows = mysql_num_rows($query_run);
            if($query_num_rows == 0){
                echo "<script>alert('Incorrect Pass or User')</script>";
            }else{
                $user_id = mysql_result($query_run, 0, 'LogUsername');
                $_SESSION['user_id'] = $user_id;
                $_SESSION['type'] = "ADMINISTRATION";
                echo "<script>alert('Admin Login')</script>";
                header('Location: ../../Mis/index.php');
                exit;
            }
        }else{
            echo "<script>alert('Connecting Failed')</script>";
        }
    }else{
        echo "<script>alert('Sorry, You must supply Username/Password...')</script>";
    }
}
?>
<div id="employee">
<form action="<?php echo $current_file; ?>" method="POST">
Employee ID: <input type="text" name="eusername"> <br>
Password: <input type="password" name="epassword">
<input type="submit" id="employeesubmit" value="Log in">
</form>
</div>

<div id="admin">
<form action="<?php echo $current_file; ?>" method="POST">
Admin ID: <input type="text" name="username"> <br>
Password: <input type="password" name="password">
<input type="submit" id="adminsubmit" value="Log in">
</form>
</div>






This is my core.php:

<?php
ob_start();
session_start();
$current_file = $_SERVER['SCRIPT_NAME'];

// true once the login form has stored a user_id in the session
function loggedin() {
  if (isset($_SESSION['user_id']) && !empty($_SESSION['user_id'])) {
    return true;
  } else {
    return false;
  }
}

// same test as loggedin(): it does not look at $_SESSION['type'],
// so it cannot tell an administrator from an employee
function adminloggedin() {
  if (isset($_SESSION['user_id']) && !empty($_SESSION['user_id'])) {
    return true;
  } else {
    return false;
  }
}
?>

Every page must check whether the user accessing it has the appropriate permission to do so.

Since you have a type value in your database table, you would test whether the type of the current user is admin or employee.

Like this? This is the home page of my admin; I put this:

<?php

include '../../core.php';

if($_SESSION['login'] && $_SESSION['type'] === 'ADMINISTRATION'){
?>
<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="utf-8">
	<link rel="stylesheet" type="text/css" href="../css/main.css"/>
</head>
<body>

This is Admin.
<a href="../../logout.php">Log Out!</a>

</body>
</html>
<?php
}else{
    header('Location:Webpage/index.php');
}
?>

Yes, that should work. However I'd change it to this

<?php

include '../../core.php';

// if the user is not logged in OR they are logged in but they are not part of administration, then redirect to index.php
if(!isset($_SESSION['login']) || (isset($_SESSION['type']) && $_SESSION['type'] != 'ADMINISTRATION')) {
	header('Location:Webpage/index.php');
	exit; // stop the script
}

// load the admin page
?>
<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="utf-8">
	<link rel="stylesheet" type="text/css" href="../css/main.css"/>
</head>
<body>

This is Admin.
<a href="../../logout.php">Log Out!</a>

</body>
</html>

I would define an access level on each page and check the user's level against the page's level.

Lightweight example:

define("THIS_PAGE_LEVEL", 'EMPLOYEE');
// define("THIS_PAGE_LEVEL", 'ADMINISTRATION');

if(isset($_SESSION['usertype'])){

  if($_SESSION['usertype'] <> THIS_PAGE_LEVEL){
    header('Location:login.php');
    exit();
  }

}
else{
  header('Location:login.php');
  exit();
}

echo 'Welcome '.THIS_PAGE_LEVEL;
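Building on the page-level idea above, here is an added example, not alpine's or the thread's code, that generalises the exact-match check into ranked roles so an administrator can also open employee pages while an employee is still turned away from admin pages. It assumes PHP 7 or later, that core.php has already called session_start(), and that the login page lives at /MIS/Webpage/index.php; the names ROLE_RANK, hasLevel() and requireLevel() are mine.

```php
<?php
// Added example (not from the thread): rank-based page guard.
// Assumes PHP 7+ and that core.php has already called session_start().

// Higher number = more privilege. The strings are the thread's
// $_SESSION['type'] values.
const ROLE_RANK = [
    'EMPLOYEE'       => 1,
    'ADMINISTRATION' => 2,
];

/**
 * True when $session carries a logged-in user whose role ranks at least
 * as high as $required. Missing or unknown roles never pass (fail closed).
 */
function hasLevel(array $session, string $required): bool
{
    if (!isset(ROLE_RANK[$required])) {
        return false;                 // page asked for a level that does not exist
    }
    $role = $session['type'] ?? '';
    if (empty($session['user_id']) || !isset(ROLE_RANK[$role])) {
        return false;
    }
    return ROLE_RANK[$role] >= ROLE_RANK[$required];
}

/**
 * Call at the top of every protected page, before any output.
 * $loginUrl is absolute on purpose: a relative Location such as
 * 'Webpage/index.php' is resolved against the current page's directory.
 * The login page itself must not call this guard, or it redirects to itself.
 */
function requireLevel(string $required, string $loginUrl = '/MIS/Webpage/index.php'): void
{
    if (!hasLevel($_SESSION, $required)) {
        header('Location: ' . $loginUrl);
        exit;                         // never render the page body after a redirect
    }
}

// Usage at the top of Admin/home.php:
//   require '../../core.php';
//   requireLevel('ADMINISTRATION');
// and at the top of Employee/home.php (administrators pass this one too):
//   require '../../core.php';
//   requireLevel('EMPLOYEE');
```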

As a side note, you can simplify your login form with an option list instead of two login forms.

Untested version:

<?php

if(isset($_POST['submit'])){

    $err = array();

    $required = array(
        'eusername',
        'epassword'
    );

    foreach($_POST as $field => $value){
        if(in_array($field,$required) && empty($value)){
            $err[] = $field." cannot be empty";
        }
        else{
            ${$field} = mysql_real_escape_string($value);
        }
    }

    switch($_POST['id_type']){
        case 'employee':
            $logintype = 'EMPLOYEE';
            break;
        case 'admin':
            $logintype = 'ADMINISTRATION';
            break;
        default:
            $err[] = "Incorrect login type";
    }

    if(!empty($err)){
        echo "<ul><li>".implode("</li><li>",$err)."</li></ul>";
    }
    else{
        $query = "SELECT * FROM tbl_account WHERE LogUsername='".$eusername."' AND LogPassword = '".$epassword."' AND type = '".$logintype."'";
        // run query and set sessions etc
    }

}

?>

<!-- PHP_SELF is taken from the request URL, so escape it before echoing -->
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="POST">

ID: <input type="text" name="username"> <br>

Password: <input type="password" name="password">

Type:
<select name="id_type">
<option value="employee">Employee</option>
<option value="admin">Admin</option>
</select>

<input type="submit" name="submit" id="adminsubmit" value="Log in">

</form>


HEY THANK YOU :))) VERY USEFUL THANKS :)

Hey man, it causes an error:

Notice: Undefined variable: eusername in C:\xampp\htdocs\MIS\login\loginform.php on line 36

Notice: Undefined variable: epassword in C:\xampp\htdocs\MIS\login\loginform.php on line 36

Thank you :))


Hmm.. Hi, I tried your code, but when I run it I get something like an error. The webpage does not display like that; it goes to my admin home, but I have no output.

Edited by Edmhar

Change the ID and password fields to:

ID: <input type="text" name="eusername"> <br>
Password: <input type="password" name="epassword">

About your code earlier: I think the PHP code is correct, but when it gets to loading the HTML, the webpage goes into a redirect loop.

Wanna see all my code?

You need to change the ID and password form fields to what I suggested and then run the login query:

    else{
        $query = "SELECT * FROM tbl_account WHERE LogUsername='".$eusername."' AND LogPassword = '".$epassword."' AND type = '".$logintype."'";
        // run query and set sessions etc
    }

The code provided by alpine is just an example; it is not fully working code. You need to execute the query above for it to do anything, then add your own logic to redirect the user to the correct page based on the user's login type (employee or administrator).

Edited by Ch0cu3r


It's already the same variable. But when I change the form action to <?php echo $current_file; ?>

it causes Access Forbidden.



I want to use this suggestion, but it causes a webpage redirect loop.


What do you think the problem is? hahha

I noticed my error in the form names but was unable to edit. Rename the form inputs to eusername and epassword as commented above.

I don't generally provide cut-and-paste code, only suggested methods. You still have to learn PHP yourself.

Here is what you need to run the query in my example. Still not tested, and it requires a little kung fu from you.

    if(!empty($err)){
        echo "<ul><li>".implode("</li><li>",$err)."</li></ul>";
    }
    else{

        $query = "SELECT LogUsername FROM tbl_account WHERE LogUsername='".$eusername."' AND LogPassword = '".$epassword."' AND type = '".$logintype."'";

        $query_run = mysql_query($query);

        if(mysql_num_rows($query_run) == '1'){

            $row = mysql_fetch_row($query_run);

            $_SESSION['user_id'] = $row[0];
            $_SESSION['type'] = $logintype;

            echo "<script>alert('".$logintype." Login')</script>";

            switch($logintype){
                case 'ADMINISTRATION':
                    header('Location: ../../ADMIN.php');
                    exit();
                    break;
                default:
                    header('Location: ../../EMPLOYEE.php');
                    exit();
            }

        }else{
            echo "<script>alert('Incorrect Pass or User')</script>";
        }
    }


Thank you, I got this. There are some errors, but they are basic.

So my problem now is a loop: when I log in, it goes into a loop.

Hard to follow what you are using at this stage. Are you using this?

if(!isset($_SESSION['login']) || (isset($_SESSION['type']) && $_SESSION['type'] != 'ADMINISTRATION')) {
	header('Location:Webpage/index.php');
	exit; // stop the script
}

It's passing you on to Webpage/index.php if session "login" isn't set, and I cannot see it being set anywhere?

This means this will always send you to Webpage/index.php. And if Webpage/index.php is checking to see if session "type" is set, it will send you "back", I presume, and there you have a loop.

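The loop described above comes from a flag that is never set. Here is an added example, not code from the thread, of a login handler that sets $_SESSION['login'] together with the dispatcher, arranged so the two scripts never bounce the browser between each other. It assumes PHP 7 or later, that core.php calls session_start(), that connect.php provides a connected mysqli object in $db, and, as a swap for the thread's md5() values, that LogPassword holds password_hash() output; HOME_FOR_TYPE, TYPE_FOR_OPTION, findAccount() and login() are my names.

```php
<?php
// Added example (not code from the thread): login handler plus dispatcher.
// Assumes PHP 7+, core.php calls session_start(), connect.php creates a
// connected mysqli object in $db, and LogPassword holds password_hash()
// output instead of the thread's md5() value.
require 'core.php';
require 'connect.php';

// Home page per account type (paths from the thread, absolute so the
// Location header does not depend on which directory the script lives in).
const HOME_FOR_TYPE = [
    'ADMINISTRATION' => '/MIS/Webpage/Admin/home.php',
    'EMPLOYEE'       => '/MIS/Webpage/Employee/home.php',
];
// Values of the <select name="id_type"> in alpine's form.
const TYPE_FOR_OPTION = ['employee' => 'EMPLOYEE', 'admin' => 'ADMINISTRATION'];

/** Fetch the account row for this username and type, or null. */
function findAccount(mysqli $db, string $user, string $type): ?array
{
    $stmt = $db->prepare(
        'SELECT LogUsername, LogPassword FROM tbl_account WHERE LogUsername = ? AND type = ?'
    );
    $stmt->bind_param('ss', $user, $type);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/** Verify the credentials and set the session values protected pages check. */
function login(mysqli $db, string $user, string $pass, string $option): bool
{
    if (!isset(TYPE_FOR_OPTION[$option])) {
        return false;                          // unknown login type: reject
    }
    $type = TYPE_FOR_OPTION[$option];
    $row  = findAccount($db, $user, $type);
    if ($row === null || !password_verify($pass, $row['LogPassword'])) {
        return false;
    }
    session_regenerate_id(true);               // fresh id once privilege changes
    $_SESSION['user_id'] = $row['LogUsername'];
    $_SESSION['type']    = $type;
    $_SESSION['login']   = true;               // the flag the admin page tests
    return true;
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login($db, $_POST['eusername'] ?? '', $_POST['epassword'] ?? '',
              $_POST['id_type'] ?? '')) {
        header('Location: ' . HOME_FOR_TYPE[$_SESSION['type']]);
        exit;
    }
    $error = 'Incorrect Pass or User';         // fall through and show the form
}
// Already logged in: go to the matching home page. Otherwise the form is
// rendered below; this script never redirects to itself, so no loop is possible.
if (!empty($_SESSION['login']) && isset(HOME_FOR_TYPE[$_SESSION['type'] ?? ''])) {
    header('Location: ' . HOME_FOR_TYPE[$_SESSION['type']]);
    exit;
}
?>
```

Below the closing tag goes the form with the eusername, epassword and id_type fields, printing $error (escaped with htmlspecialchars) when it is not empty.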
Nope, I'm using that, and even that causes a loop for me.

I use this:

<?php

include '../../core.php';

if($_SESSION['login'] && $_SESSION['type'] === 'ADMINISTRATION'){
?>
<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="utf-8">
	<link rel="stylesheet" type="text/css" href="../css/main.css"/>
</head>
<body>

This is Admin.
<a href="../../logout.php">Log Out!</a>

</body>
</html>
<?php
}else{
    header('Location:Webpage/index.php');
}
?>

Try this, what do you get?

<?php

include '../../core.php';

// dump the session and stop here, so the redirect below never runs
echo "<pre>";
print_r($_SESSION);
echo "</pre>";

exit();

if($_SESSION['login'] && $_SESSION['type'] === 'ADMINISTRATION'){
?>
<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="utf-8">
	<link rel="stylesheet" type="text/css" href="../css/main.css"/>
</head>
<body>

This is Admin.
<a href="../../logout.php">Log Out!</a>

</body>
</html>
<?php
}else{
    header('Location:Webpage/index.php');
}
?>



Array
(
    [user_id] => 1131
    [type] => ADMINISTRATION
    [login] => 1
)

This is the output.

I think it came from core:

function loggedin()

Okay,

remove the print_r.

if($_SESSION['login'] && $_SESSION['type'] === 'ADMINISTRATION'){

You have 3 comparison characters: ===

Try with only 2: ==

Other than that, it's hard to say what's going on. You just have to do some fault-finding within your files and functions.


Thank you :) I will update you.
