Edmhar (thread author) posted October 26, 2013:

Hi guys, I'm back! After I successfully found my solution to the earlier problem, I want to ask what code I should add to limit what an employee can access compared to an admin. My problem is that when my employee logs in, he is directed to localhost/MIS/Webpage/Employee/home.php. That is correct for my employee, but when I change the address to localhost/MIS/Webpage/Admin/home.php, my employee can access the admin homepage. This is the problem: I want to limit my employee's access. So this is the code of my index.php:

```php
<?php
require 'core.php';
require 'connect.php';

if (loggedin()) {
    // send each account type to its own home page
    if ($_SESSION['type'] == 'ADMINISTRATION') {
        header('Location: ../Mis/Webpage/Admin/home.php');
        exit;
    } else if ($_SESSION['type'] == 'EMPLOYEE') {
        header('Location: ../Mis/Webpage/Employee/home.php');
        exit;
    }
} else {
    header('Location: Webpage/index.php');
    exit;
}
?>
```

This is my login form:

```php
<?php
include '../../Mis/connect.php';
include '../../Mis/core.php';

// employee login form (note: mysql_* functions are removed in PHP 7, and
// md5 is not a password hash; both are kept here as posted)
if (isset($_POST['eusername']) && isset($_POST['epassword'])) {
    if (!empty($_POST['eusername']) && !empty($_POST['epassword'])) {
        $user = mysql_real_escape_string($_POST['eusername']);
        $pass = mysql_real_escape_string(md5($_POST['epassword']));
        $query = "SELECT * FROM tbl_account WHERE LogUsername='" . $user . "' AND LogPassword = '" . $pass . "' AND type = 'EMPLOYEE'";
        if ($query_run = mysql_query($query)) {
            $query_num_rows = mysql_num_rows($query_run);
            if ($query_num_rows == 0) {
                echo "<script>alert('Incorrect Pass or User')</script>";
            } else {
                $user_id = mysql_result($query_run, 0, 'LogUsername');
                $_SESSION['user_id'] = $user_id;
                $_SESSION['type'] = "EMPLOYEE";
                echo "<script>alert('Employee Login')</script>";
                header('Location: ../../Mis/index.php');
            }
        } else {
            echo "<script>alert('Connecting Failed')</script>";
        }
    } else {
        echo "<script>alert('Sorry, You must supply Username/Password...')</script>";
    }
}

// admin login form
if (isset($_POST['username']) && isset($_POST['password'])) {
    if (!empty($_POST['username']) && !empty($_POST['password'])) {
        $user = mysql_real_escape_string($_POST['username']);
        $pass = mysql_real_escape_string(md5($_POST['password']));
        $query = "SELECT * FROM tbl_account WHERE LogUsername='" . $user . "' AND LogPassword = '" . $pass . "' AND type = 'ADMINISTRATION'";
        if ($query_run = mysql_query($query)) {
            $query_num_rows = mysql_num_rows($query_run);
            if ($query_num_rows == 0) {
                echo "<script>alert('Incorrect Pass or User')</script>";
            } else {
                $user_id = mysql_result($query_run, 0, 'LogUsername');
                $_SESSION['user_id'] = $user_id;
                $_SESSION['type'] = "ADMINISTRATION";
                echo "<script>alert('Admin Login')</script>";
                header('Location: ../../Mis/index.php');
            }
        } else {
            echo "<script>alert('Connecting Failed')</script>";
        }
    } else {
        echo "<script>alert('Sorry, You must supply Username/Password...')</script>";
    }
}
?>
<div id="employee">
<form action="<?php echo $current_file; ?>" method="POST">
Employee ID: <input type="text" name="eusername"> <br>
Password: <input type="password" name="epassword">
<input type="submit" id="employeesubmit" value="Log in">
</form>
</div>
<div id="admin">
<form action="<?php echo $current_file; ?>" method="POST">
Admin ID: <input type="text" name="username"> <br>
Password: <input type="password" name="password">
<input type="submit" id="adminsubmit" value="Log in">
</form>
</div>
```

This is my core.php:

```php
<?php
ob_start();
session_start();
$current_file = $_SERVER['SCRIPT_NAME'];

// true when the session carries a user id
function loggedin() {
    if (isset($_SESSION['user_id']) && !empty($_SESSION['user_id'])) {
        return true;
    } else {
        return false;
    }
}

// true only when the logged-in user is an administrator
function adminloggedin() {
    if (loggedin() && isset($_SESSION['type']) && $_SESSION['type'] === 'ADMINISTRATION') {
        return true;
    } else {
        return false;
    }
}
?>
```
mac_gyver posted October 26, 2013:

Every page must check whether the user accessing it has the appropriate permission to do so. Since you have a type value in your database table, you would test whether the type of the current user is an admin or an employee.
Edmhar (thread author) posted October 26, 2013:

> mac_gyver wrote: Every page must check whether the user accessing it has the appropriate permission to do so. Since you have a type value in your database table, you would test whether the type of the current user is an admin or an employee.

Like this? This is the home page of my admin; I put this:

```php
<?php
include '../../core.php';
if ($_SESSION['login'] && $_SESSION['type'] === 'ADMINISTRATION') {
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href="../css/main.css"/>
</head>
<body>
This is Admin. <a href="../../logout.php">Log Out!</a>
</body>
</html>
<?php
} else {
    header('Location:Webpage/index.php');
}
?>
```
Ch0cu3r posted October 26, 2013:

Yes, that should work. However, I'd change it to this:

```php
<?php
include '../../core.php';

// if the user is not logged in OR they are logged in but they are not part of administration, then redirect to index.php
if (!isset($_SESSION['login']) || (isset($_SESSION['type']) && $_SESSION['type'] != 'ADMINISTRATION')) {
    header('Location:Webpage/index.php');
    exit; // stop the script
}

// load the admin page
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href="../css/main.css"/>
</head>
<body>
This is Admin. <a href="../../logout.php">Log Out!</a>
</body>
</html>
```
alpine posted October 26, 2013:

I would define access on each page, and compare the user's level against the page level. Lightweight example:

```php
define("THIS_PAGE_LEVEL", 'EMPLOYEE');
// define("THIS_PAGE_LEVEL", 'ADMINISTRATION');

if (isset($_SESSION['usertype'])) {
    if ($_SESSION['usertype'] <> THIS_PAGE_LEVEL) {
        header('Location:login.php');
        exit();
    }
} else {
    header('Location:login.php');
    exit();
}
echo 'Welcome ' . THIS_PAGE_LEVEL;
```
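The three replies above describe the same control: every protected page checks the role stored in the session and redirects everyone else, with exit after the redirect. The following is an added example of one way to put that into core.php, not code from any post in this thread. The session keys user_id and type and the role values ADMINISTRATION and EMPLOYEE are the ones used in the thread; the function names session_allows() and require_role(), the constant names, the login page path, and PHP 7 or later (for the type declarations) are assumptions.

```php
<?php
// core.php (added example): session bootstrap plus a per-page access guard.
session_start();

// Role values as stored in tbl_account.type in this thread.
const ROLE_ADMIN    = 'ADMINISTRATION';
const ROLE_EMPLOYEE = 'EMPLOYEE';

// Page every unauthorised request is sent to (path is an assumption).
// This page must NOT call require_role() itself, otherwise an
// unauthenticated visitor bounces between the two pages for ever, which
// is the redirect loop reported later in this thread.
const LOGIN_PAGE = '/MIS/Webpage/index.php';

function loggedin(): bool {
    return !empty($_SESSION['user_id']) && !empty($_SESSION['type']);
}

// Pure decision: may a session with this content view a page restricted
// to the roles in $allowed? Kept free of side effects so it can be
// reasoned about and unit tested apart from the redirect.
function session_allows(array $session, array $allowed): bool {
    if (empty($session['user_id']) || empty($session['type'])) {
        return false;              // not logged in at all
    }
    // Strict comparison: 'ADMINISTRATION' must match exactly, no type juggling.
    return in_array($session['type'], $allowed, true);
}

// Call at the very top of every protected page, before any output.
function require_role(array $allowed): void {
    if (session_allows($_SESSION, $allowed)) {
        return;                    // authorised, render the page
    }
    // Deny by default: anything not explicitly allowed is redirected.
    header('Location: ' . LOGIN_PAGE);
    exit;                          // without this the protected HTML is still sent
}

// Usage on Webpage/Admin/home.php (first lines of the file):
//     require '../../core.php';
//     require_role([ROLE_ADMIN]);
// Usage on Webpage/Employee/home.php:
//     require '../../core.php';
//     require_role([ROLE_EMPLOYEE]);
// A page both roles may see passes [ROLE_ADMIN, ROLE_EMPLOYEE].
```

With this in place an employee who types the admin URL directly is redirected before a single byte of the admin page is produced, which is the check mac_gyver asked for; the allowlist per page is alpine's THIS_PAGE_LEVEL idea generalised to more than one role.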
alpine posted October 26, 2013:

As a side note, you can simplify your login form with an option list instead of two login forms. Untested version:

```php
<?php
if (isset($_POST['submit'])) {
    $err = array();
    $required = array('eusername', 'epassword');

    // every posted field becomes a local variable named after it
    foreach ($_POST as $field => $value) {
        if (in_array($field, $required) && empty($value)) {
            $err[] = $field . " cannot be empty";
        } else {
            ${$field} = mysql_real_escape_string($value);
        }
    }

    switch ($_POST['id_type']) {
        case 'employee':
            $logintype = 'EMPLOYEE';
            break;
        case 'admin':
            $logintype = 'ADMINISTRATION';
            break;
        default:
            $err[] = "Incorrect login type";
    }

    if (!empty($err)) {
        echo "<ul><li>" . implode("</li><li>", $err) . "</li></ul>";
    } else {
        $query = "SELECT * FROM tbl_account WHERE LogUsername='" . $eusername . "' AND LogPassword = '" . $epassword . "' AND type = '" . $logintype . "'";
        // run query and set sessions etc
    }
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
ID: <input type="text" name="username"> <br>
Password: <input type="password" name="password">
Type: <select name="id_type">
<option value="employee">Employee</option>
<option value="admin">Admin</option>
</select>
<input type="submit" name="submit" id="adminsubmit" value="Log in">
</form>
```
Edmhar (thread author) posted October 27, 2013:

Thank you guys, I will try it.
Edmhar (thread author) posted October 27, 2013:

> alpine wrote: As a side note, you can simplify your login form with an option list instead of two login forms. Untested version:
> [alpine's login form code, quoted from the post above]

Hey, thank you! Very useful, thanks.
Edmhar (thread author) posted October 27, 2013:

> alpine wrote: As a side note, you can simplify your login form with an option list instead of two login forms. Untested version:
> [alpine's login form code, quoted from the post above]

Hey man, it causes an error:

Notice: Undefined variable: eusername in C:\xampp\htdocs\MIS\login\loginform.php on line 36
Notice: Undefined variable: epassword in C:\xampp\htdocs\MIS\login\loginform.php on line 36

Thank you.
Edmhar (thread author) posted October 27, 2013 (edited):

> alpine wrote: As a side note, you can simplify your login form with an option list instead of two login forms. Untested version:
> [alpine's login form code, quoted from the post above]

Hmm. Hi, I tried your code, but when I run it I get something like an error. The webpage does not display like that; it goes to my admin home, but I get no output.

Edited October 27, 2013 by Edmhar
Ch0cu3r posted October 27, 2013:

Change the ID and password fields to:

```php
ID: <input type="text" name="eusername"> <br>
Password: <input type="password" name="epassword">
```
Edmhar (thread author) posted October 27, 2013:

Oh sorry, the output is that the website is in a redirect loop.
Edmhar (thread author) posted October 27, 2013:

> Ch0cu3r wrote: Change the ID and password fields to:
> ID: <input type="text" name="eusername"> <br>
> Password: <input type="password" name="epassword">

Your code earlier: I think the PHP code is correct, but when it goes on to load the HTML, the webpage is in a redirect loop. Do you want to see all my code?
Ch0cu3r posted October 27, 2013 (edited):

You need to change the ID and password form fields to what I suggested and then run the login query:

```php
} else {
    $query = "SELECT * FROM tbl_account WHERE LogUsername='" . $eusername . "' AND LogPassword = '" . $epassword . "' AND type = '" . $logintype . "'";
    // run query and set sessions etc
}
```

The code provided by alpine is just an example; it is not fully working code. You need to execute the query above for it to do anything, then add your own logic to redirect the user to the correct page based on the user's login type (employee or administrator).

Edited October 27, 2013 by Ch0cu3r
Edmhar (thread author) posted October 27, 2013:

> Ch0cu3r wrote: You need to change the ID and password form fields to what I suggested and then run the login query:
> [the query fragment quoted from the post above]
> The code provided by alpine is just an example; it is not fully working code. You need to execute the query above for it to do anything, then add your own logic to redirect the user to the correct page based on the user's login type (employee or administrator).

It is already the same variable. But if I change the form action to <?php echo $current_file; ?> it causes "access forbidden".
Edmhar (thread author) posted October 27, 2013:

> Ch0cu3r wrote: Yes, that should work. However, I'd change it to this:
> [Ch0cu3r's admin page code with the isset($_SESSION['login']) check, quoted from the post above]

I want to use your suggestion, but it causes a webpage redirect loop.
Edmhar (thread author) posted October 27, 2013:

> Ch0cu3r wrote: You need to change the ID and password form fields to what I suggested and then run the login query:
> [the query fragment quoted from the post above]
> The code provided by alpine is just an example; it is not fully working code. You need to execute the query above for it to do anything, then add your own logic to redirect the user to the correct page based on the user's login type (employee or administrator).

What do you think the problem is? Hahaha
alpine posted October 27, 2013:

I noticed my error on the form names but was unable to edit. Rename the form inputs to eusername and epassword as commented above. I generally don't provide cut-and-paste code, only suggested methods. You still have to learn PHP yourself. Here is what you need to run the query in my example. Still not tested, and it requires a little kung fu from you.

```php
if (!empty($err)) {
    echo "<ul><li>" . implode("</li><li>", $err) . "</li></ul>";
} else {
    $query = "SELECT LogUsername FROM tbl_account WHERE LogUsername='" . $eusername . "' AND LogPassword = '" . $epassword . "' AND type = '" . $logintype . "'";
    $query_run = mysql_query($query);
    if (mysql_num_rows($query_run) == '1') {
        $row = mysql_fetch_row($query_run);
        $_SESSION['user_id'] = $row[0];
        $_SESSION['type'] = $logintype;
        echo "<script>alert('" . $logintype . " Login')</script>";
        switch ($logintype) {
            case 'ADMINISTRATION':
                header('Location: ../../ADMIN.php');
                exit();
                break;
            default:
                header('Location: ../../EMPLOYEE.php');
                exit();
        }
    } else {
        echo "<script>alert('Incorrect Pass or User')</script>";
    }
}
```
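The login handlers in this thread (the original two-form version and alpine's one-form version above) build the SQL by string concatenation around mysql_real_escape_string(), store an md5 of the password, and set different session keys in different places, which is what later produces the "login is never set" loop. The block below is an added example of a single login handler written the way a practitioner would do it today; it is not code from alpine or from the thread author. It assumes PDO with a prepared statement instead of the mysql_* extension (removed in PHP 7), that tbl_account.LogPassword holds a password_hash() digest rather than an md5, that core.php calls session_start() as in the thread, and the table and column names LogUsername, LogPassword and type from the thread. The DSN, credentials, function names authenticate() and home_for(), and the home page paths are placeholders.

```php
<?php
// loginform.php (added example): one form, one handler. The account row
// decides the role, so the client never has to choose it.
require '../../Mis/core.php';   // session_start() lives there in this thread

// Connection details are placeholders; connect.php owns these in the thread.
$pdo = new PDO('mysql:host=localhost;dbname=mis;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Returns ['user_id' => ..., 'type' => ...] on success, or null on any
// failure, so the caller cannot distinguish (or leak) whether the user
// name or the password was wrong.
function authenticate(PDO $pdo, string $username, string $password): ?array {
    // Prepared statement: the user name is bound, never concatenated into SQL.
    $stmt = $pdo->prepare(
        'SELECT LogUsername, LogPassword, type FROM tbl_account WHERE LogUsername = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Assumption: LogPassword holds a password_hash() digest, not an md5.
    if ($row === false || !password_verify($password, $row['LogPassword'])) {
        return null;
    }
    return ['user_id' => $row['LogUsername'], 'type' => $row['type']];
}

// Maps a role to its home page; anything unexpected goes back to the login page.
function home_for(string $type): string {
    switch ($type) {
        case 'ADMINISTRATION': return '../../Mis/Webpage/Admin/home.php';
        case 'EMPLOYEE':       return '../../Mis/Webpage/Employee/home.php';
        default:               return '../../Mis/Webpage/index.php';
    }
}

$error = '';
if (isset($_POST['username'], $_POST['password'])) {
    $account = authenticate($pdo, $_POST['username'], $_POST['password']);
    if ($account === null) {
        $error = 'Incorrect Pass or User';
    } else {
        session_regenerate_id(true);              // fresh session id after login
        $_SESSION['user_id'] = $account['user_id'];
        $_SESSION['type']    = $account['type'];  // the value every page guard checks
        $_SESSION['login']   = 1;                 // set here, so a guard that tests it never loops
        header('Location: ' . home_for($account['type']));
        exit;                                     // nothing after a redirect may run
    }
}
?>
<form action="<?php echo htmlspecialchars($_SERVER['SCRIPT_NAME']); ?>" method="POST">
<?php if ($error !== '') { echo '<p>' . htmlspecialchars($error) . '</p>'; } ?>
ID: <input type="text" name="username"> <br>
Password: <input type="password" name="password">
<input type="submit" value="Log in">
</form>
```

Every session key a protected page might test (user_id, type, login) is set in exactly one place, the successful branch of this handler, so the guards on the home pages and the handler agree on what "logged in" means. Accounts would be created with password_hash($plain, PASSWORD_DEFAULT) for this to verify.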
Edmhar (thread author) posted October 27, 2013:

> alpine wrote: I noticed my error on the form names but was unable to edit. Rename the form inputs to eusername and epassword as commented above. I generally don't provide cut-and-paste code, only suggested methods. You still have to learn PHP yourself. Here is what you need to run the query in my example. Still not tested, and it requires a little kung fu from you.
> [alpine's query and session code, quoted from the post above]

Thank you, I got this. There are some errors, but they are so basic. So my problem now is the loop: when I log in, it goes into a loop.
alpine posted October 27, 2013:

Hard to follow what you are using at this stage. Are you using this?

```php
if (!isset($_SESSION['login']) || (isset($_SESSION['type']) && $_SESSION['type'] != 'ADMINISTRATION')) {
    header('Location:Webpage/index.php');
    exit; // stop the script
}
```

It's passing you on to Webpage/index.php if session "login" isn't set, and I cannot see it being set anywhere. This means this will always send you to Webpage/index.php. And if Webpage/index.php is checking to see if session "type" is set, it will send you "back", I presume, and there you have a loop.
Edmhar (thread author) posted October 28, 2013:

> alpine wrote: Hard to follow what you are using at this stage. Are you using this?
> [the isset($_SESSION['login']) check, quoted from the post above]
> It's passing you on to Webpage/index.php if session "login" isn't set, and I cannot see it being set anywhere. This means this will always send you to Webpage/index.php. And if Webpage/index.php is checking to see if session "type" is set, it will send you "back", I presume, and there you have a loop.

Nope, I'm not using that; even that causes me a loop. I use this:

```php
<?php
include '../../core.php';
if ($_SESSION['login'] && $_SESSION['type'] === 'ADMINISTRATION') {
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href="../css/main.css"/>
</head>
<body>
This is Admin. <a href="../../logout.php">Log Out!</a>
</body>
</html>
<?php
} else {
    header('Location:Webpage/index.php');
}
?>
```
alpine posted October 29, 2013:

Try this, what do you get?

```php
<?php
include '../../core.php';

// debugging: dump the session and stop before the redirect can happen
echo "<pre>";
print_r($_SESSION);
echo "</pre>";
exit();

if ($_SESSION['login'] && $_SESSION['type'] === 'ADMINISTRATION') {
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href="../css/main.css"/>
</head>
<body>
This is Admin. <a href="../../logout.php">Log Out!</a>
</body>
</html>
<?php
} else {
    header('Location:Webpage/index.php');
}
?>
```
Edmhar (thread author) posted October 29, 2013:

> alpine wrote: Try this, what do you get?
> [the admin page with the print_r($_SESSION) debug dump, quoted from the post above]

Array ( [user_id] => 1131 [type] => ADMINISTRATION [login] => 1 )

This is the output. I think it came from the core function loggedin().
alpine posted October 29, 2013:

Okay, remove the print_r.

```php
if ($_SESSION['login'] && $_SESSION['type'] === 'ADMINISTRATION') {
```

You have 3 comparators (===). Try with only 2 (==). Other than that, it's hard to say what's going on. You just have to do some fault-finding within your files and functions.
Edmhar (thread author) posted October 29, 2013:

> alpine wrote: Okay, remove the print_r.
> if ($_SESSION['login'] && $_SESSION['type'] === 'ADMINISTRATION') {
> You have 3 comparators (===). Try with only 2 (==). Other than that, it's hard to say what's going on. You just have to do some fault-finding within your files and functions.

Thank you, I will update you.