php mysql admin area ranking issue


Harry_Smith

I am using a barebones script listed as a members area, but all it does is give me login and secure pages using auth.php (code listed below). Since I got the script I have added a new column 'Rank' to the database table 'members'. With this rank there are 4 ranks:

  • Guest
  • Blocked/Banned
  • Helpers
  • Administration

The new page I am creating, I want it to use this rank system I added: ranks 3 and 4 get access,
rank 2 I want to redirect to my 403 Access Forbidden located at my main site 'bullwebhost.co.uk/error.php?cmd=403',
rank 1 gets a message shown saying 'Welcome Guest print $_SERVER["REMOTE_ADDR"];, You have tried accessing a Restricted Area. Your IP print $_SERVER["REMOTE_ADDR"]; has been logged and Webmaster informed (if possible via phpmail as I can't use SMTP) of your accessing this area.'

Now for the code
auth.php

// Start session
session_start();

// Check whether the session variable SESS_MEMBER_ID is present or not
if (!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID']) == '')) {
    header("location: access-denied.php");
    exit();
}

Database Structure
 



CREATE TABLE IF NOT EXISTS `members` (
  `member_id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `Rank` int(11) NOT NULL DEFAULT '1',
  `firstname` varchar(100) DEFAULT NULL,
  `lastname` varchar(100) DEFAULT NULL,
  `login` varchar(100) NOT NULL DEFAULT '',
  `passwd` varchar(32) NOT NULL DEFAULT '',
  PRIMARY KEY (`member_id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;

 
config.php

<?php
define('DB_HOST', '****');
define('DB_USER', '****');
define('DB_PASSWORD', '****');
define('DB_DATABASE', '***');
?>

 
Restricted File

require_once('auth.php');
include 'config.php';
$conn = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if (! $conn) {
    die('Could not connect: ' . mysql_error());
}
$sql = 'SELECT Rank
FROM members
WHERE Rank="3" or Rank="4"';
mysql_select_db(DB_DATABASE);
$retval = mysql_query($sql, $conn);
if (! $retval) {
    die('Could not get data: ' . mysql_error());
}
while ($row = mysql_fetch_array($retval, MYSQL_ASSOC))
{
print '
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>My Profile</title>
<link href="loginmodule.css" rel="stylesheet" type="text/css" />
</head>
<body>
<h1>My Profile </h1>
<a href="member-index.php">Home</a> | <a href="logout.php">Logout</a>
<p>This is another secure page. </p>
</body>
</html>';
}

 
Attempts
Okay, I did a more detailed (I think) search and came across something, but it didn't work. My edited code is below.

$sql = mysql_query("SELECT * FROM members WHERE Rank ='3 or 4' AND member_id ='".$_SESSION['SESS_MEMBER_ID']);

 
Code Removed

else {
(redirect to error document)
mysql_close($conn);
}

 
That is all I changed in the Restricted File code above. I am still not getting errors printed. I have PHP errors in .htaccess and am using the trigger, but still get a blank white screen.
Trying to get my question across (not very easy for me):
I am trying to make a page (not giving the name of the file) that uses the auth and config files to check the user's rank: if it is 3 or 4 the user gets access, 1 prints a message, 2 redirects to the 403 document (easiest way possible), so that even if someone tries to bypass any security in place they still need to be rank 3 or 4 to even see the page contents.

Also, possibly a long shot, but what would be the best way to block IP addresses? Would it be PHP and MySQL/MySQLi (I don't know PDO, willing to learn MySQLi), or would it be better to use .htaccess? The reason is that I want to block loads of IPs but want adding them to be easy, and using my new pages I was looking at building forms to add entries, remove entries and view the list (I have code for this part).
What I am asking is: would I be better off using PHP and MySQL/MySQLi or .htaccess, because some of the IPs are wildcard IPs to be banned and redirected to my error document?
Kind regards
Harry Smith


First thing, you are using deprecated code that will not work at all in the latest version of PHP. You need to use PDO or MySQLi with prepared statements. That should be your first order of business. Next, use HTML5.

 

You are incorrectly using the word "Rank". Rank means something else to every programmer. What you are referring to is a role, or access level. Also, for that column name you used upper case. ALWAYS use lower case for column names and variable names. It will save you much trouble.

 

Regarding blocking IPs, @Jaques1 has already gone into detail on these forums about that. Read his posts.

 

Finally, you don't need to manually close the connection. PHP does it automatically when the script finishes running.

Edited by benanamen
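
An added example (not code from either poster) of the check the question describes, written with the MySQLi prepared statements the reply recommends: it looks up the rank of the logged-in member only, instead of selecting every rank 3 or 4 row in the table, and denies by default. The rank numbering, the `member_rank()` helper, the `https://` scheme on the error URL and the use of `error_log()` in place of mail are assumptions.

```php
<?php
require_once 'auth.php';   // from the thread: starts the session, redirects if not logged in
require_once 'config.php'; // from the thread: DB_HOST, DB_USER, DB_PASSWORD, DB_DATABASE

// Assumed numbering, following the order of the list in the question.
const RANK_GUEST  = 1;
const RANK_HELPER = 3;
const RANK_ADMIN  = 4;
// The question gives this address without a scheme; https:// is assumed here.
const FORBIDDEN_URL = 'https://bullwebhost.co.uk/error.php?cmd=403';

// Hypothetical helper: rank of one member, or null when the id matches no row.
function member_rank(mysqli $db, int $memberId): ?int
{
    // Backticks because RANK is a reserved word in MySQL 8.0.
    $stmt = $db->prepare('SELECT `Rank` FROM members WHERE member_id = ?');
    $stmt->bind_param('i', $memberId);
    $stmt->execute();
    $stmt->bind_result($rank);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $rank : null;
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
$db   = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_DATABASE);
$rank = member_rank($db, (int) $_SESSION['SESS_MEMBER_ID']);

if ($rank === RANK_GUEST) {
    // Escape before echoing, and record the attempt in the server error log.
    $ip = htmlspecialchars($_SERVER['REMOTE_ADDR'], ENT_QUOTES, 'UTF-8');
    error_log('Restricted area request by guest-rank member from ' . $_SERVER['REMOTE_ADDR']);
    http_response_code(403);
    exit("Welcome Guest $ip, you have tried accessing a Restricted Area.");
}
if ($rank !== RANK_HELPER && $rank !== RANK_ADMIN) {
    // Rank 2, an unknown rank, or no matching row: deny by default.
    header('Location: ' . FORBIDDEN_URL);
    exit;
}
// Only ranks 3 and 4 reach this point; the page markup follows.
?>
<h1>My Profile</h1>
```

Because the rank is read from the database on every request, changing a member's rank takes effect on that member's next page load without waiting for the session to expire.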