User permissions in login script


dessolator

Hiya, I'm new to PHP so this question should hopefully be easy to answer. I have just created a user area script with all the change password, delete user parts etc. and I want to have different user permissions for 3 user groups, i.e. admin, staff and students can only see pages that are permissible for their own user group. I have set up the MySQL database with UID, Username, Password and Permissions in a table called members.

 

Login.php

I want it so that if the value of the permissions column = 1 (admin user) it goes to a specific page, i.e. loggedin_admin.php, and the same for 2 (staff) and 3 (students) when they try to log in. I'm using sessions to prevent access to certain pages. I think it's possible to add another check to see if the session is registered like "if(!session_is_registered(permissionslevel=1)){" for the user permissions so if it is anything other than 1 it won't let the user in and vice versa for permissions level 2 and 3.

 

This is what I have so far in my logincheck.php file but with the connection details filled in, but it isn't working. I would really appreciate it if you could take a look and advise me. It's just showing a blank screen, but worked before I added all the if permissions = 1 stuff.

 

<?php
ob_start();
$host=""; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name=""; // Database name
$tbl_name=""; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=md5($_POST['mypassword']);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
$permissionssql="SELECT permissions FROM members";
$permissionssqlresult=mysql_query($permissionssql);
if(permissions==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php?username1=$myusername");
if(permissions==2){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success2.php?username1=$myusername");
if(permissions==3){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success3.php?username1=$myusername");
}
}
}
}
else {
echo "Wrong Username or Password!";
echo "<br>";
echo "Redirecting to the homepage in 5 seconds.";
echo "<html><head></html>";
echo '<html><meta http-equiv="refresh" content="5; URL=index.php"></html>';
echo "<html></head></html>";
}

ob_end_flush();
?>

 

 

Thanks very much for your time and help.

 

Ian


Umm...

 

Questions:

Where do you store the user's permissions? In the user table, no? So why does the query only say "SELECT permissions FROM members"? Isn't that going to give you an array of all the permissions?

 

The if statements all close in the same place... the "if(permissions==2){" and "if(permissions==3){" statements are all enclosed within the bracket for "if(permissions==1){".  They should each end before the next, like

 

if(permissions==1){
//do this
}

if(permissions==2){
//do something else
}

 

or else use if - elseif - else like:

 

if(permissions==1){

}elseif(permissions==2){

}elseif(permissions==3){

}else{

}

 

I'd say that if the syntax was correct, your script would always end up at the final

 

else {
echo "Wrong Username or Password!";

 

because the query doesn't make any sense.  Try

 

var_dump(mysqli_fetch_array($result, MYSQLI_ASSOC));

 

because I think that's where the data potentially is. Declaring:

 

$user = mysqli_fetch_array($result, MYSQLI_ASSOC);
$permissions = $user['permissions'];

if($permissions==...

 

will get you there. Check out PHP's mysqli section and let me know if you want some custom functions for PHP mysqli, cos they make everything easier.

 


P.S. redirect using

header("Location: some_destination.html");

but make sure to check the user's permissions on arriving at the page also! Otherwise those with lower permissions will only need to type in the address of the destination to get there anyway. You may need to generate a random number and store it in a cookie so that PHP can tell who the user is from the cookie generated from login, and redirect them to the login page if they don't have one.
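The reply's advice (read the permissions from the row that matched the login, then pick the redirect), as an added example that is not code from the thread. It swaps the string-built query for a PDO prepared statement and assumes the password column holds `password_hash()` output rather than `md5()`; `authenticate` and `LANDING` are names chosen here, and the in-memory SQLite table with its three users is constructed so the script runs from the command line.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// members table described in the first post; everything else is illustrative.

const LANDING = [                       // permissions level => landing page
    1 => 'login_success.php',           // admin
    2 => 'login_success2.php',          // staff
    3 => 'login_success3.php',          // students
];

/** Returns the permissions level of the matching user, or null if login fails. */
function authenticate(PDO $db, string $username, string $password): ?int
{
    // Bound parameter: the submitted username is data, never part of the SQL text.
    $stmt = $db->prepare('SELECT password, permissions FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Assumption: the password column stores password_hash() output, not md5().
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    // The level comes from this user's own row, and must be one we know.
    $level = (int) $row['permissions'];
    return array_key_exists($level, LANDING) ? $level : null;
}

// Constructed sample data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (uid INTEGER PRIMARY KEY, username TEXT,
           password TEXT, permissions INTEGER)');
$add = $db->prepare('INSERT INTO members (username, password, permissions) VALUES (?, ?, ?)');
$add->execute(['alice', password_hash('alice-demo-pw', PASSWORD_DEFAULT), 1]);
$add->execute(["o'brien", password_hash('obrien-demo-pw', PASSWORD_DEFAULT), 3]);
$add->execute(['carol', password_hash('carol-demo-pw', PASSWORD_DEFAULT), 9]);

$attempts = [['alice', 'alice-demo-pw'], ['alice', 'wrong'],
             ["o'brien", 'obrien-demo-pw'], ['carol', 'carol-demo-pw']];
foreach ($attempts as [$user, $pass]) {
    $level = authenticate($db, $user, $pass);
    // In login.php: session_start(); session_regenerate_id(true);
    // $_SESSION['username'] = $user; $_SESSION['permissions'] = $level;
    // header('Location: ' . LANDING[$level]); exit;
    printf("%-8s -> %s\n", $user, $level === null ? 'rejected' : LANDING[$level]);
}
```

The user with the unknown level 9 is rejected even with the right password, which is the fail-closed behaviour the thread's final `else` branch is reaching for.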


Hi, thanks very much for your replies, much appreciated.

 

I have taken a combination of the 2 replies and managed to successfully redirect the user to the corresponding page for their user group, i.e. login_sucess1.php (admin), login_sucess2.php (staff) and login_sucess3.php (students). I was wondering what syntax I would use to restrict the user's access to the page so only permissions level 1, 2 or 3 can access it. This is what I am using for the username to check if a session is registered:

 

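<?php
session_start();
// session_is_registered() takes the name as a string (it was removed in PHP 5.4).
if(!session_is_registered("myusername")){
header("location:main_login.php");
exit; // stop here, otherwise the rest of the page is still sent
}
?>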

 

I think the code for allowing access to only level 1 users would be something like this:

<?php
session_start();
if (isset($_SESSION['3'])){
echo "Do something";
}
else{
header("location:main_login.php");
}
?>

 

But the code didn't work and just redirected everyone to the mainlogin.php page.

 

 

 

My new login.php code is below, I would really appreciate it if you could take a look through and advise me. Btw I'd rather use mysql atm and not mysqli as I'm new and I'd rather learn 1 in detail 1st.

 

<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="abc123"; // Mysql password
$db_name="games_db1"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=md5($_POST['mypassword']);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
$row = mysql_fetch_array($result);
echo $row[3]; 
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
if ($row[3] == 1){ //row3 = permissions 
$permissions = $row[3]; // was $user['permissions'], but $user is never defined here
session_register("admin");
header("location:login_success.php?username1=$myusername");
}
else if ($row[3] == 2){ //row3 = permissions 
$permissions = $row[3];
session_register("staff");
header("location:login_success2.php?username1=$myusername");
}
else if ($row[3] == 3){ //row3 = permissions found in db table 
$permissions = $row[3];
session_register("pupil");
header("location:login_success3.php?username1=$myusername");
}
else{
echo "Permissions don't exist for this user";
exit();
}
}

else {
echo "Wrong Username or Password!";
echo "<br>";
echo "Redirecting to the homepage in 5 seconds.";
echo "<html><head></html>";
echo '<html><meta http-equiv="refresh" content="5; URL=index.php"></html>';
echo "<html></head></html>";
}

ob_end_flush();
?>

 

 

Thanks in advance,

 

Ian
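The check on arrival that the reply's P.S. asks for, and the page restriction asked about in the post above, as an added example that is not code from the thread. It assumes the login script stored `$_SESSION['username']` and an integer `$_SESSION['permissions']`; `access_decision` and `require_level` are names chosen here, and the sample sessions are constructed. `session_register()` and `session_is_registered()` were removed in PHP 5.4, so the example reads `$_SESSION` directly.

```php
<?php
// Added example: per-page role check. Identity and level come from the
// server-side session only, never from a URL parameter such as username1.

/** Decides what to do with a request, given session data and allowed levels. */
function access_decision(array $session, array $allowed): string
{
    if (!isset($session['username'], $session['permissions'])) {
        return 'login';                 // not logged in at all
    }
    // Strict comparison: the stored level must be an int in the allowed list.
    return in_array($session['permissions'], $allowed, true) ? 'allow' : 'deny';
}

/** Call at the very top of every protected page, before any output. */
function require_level(int ...$allowed): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $decision = access_decision($_SESSION, $allowed);
    if ($decision === 'login') {
        header('Location: main_login.php');
        exit;                           // header() alone does not end the script
    }
    if ($decision === 'deny') {
        http_response_code(403);
        exit('You do not have permission to view this page.');
    }
}

// login_success.php (admin only) would start with:   require_level(1);
// A page shared by admin and staff would start with: require_level(1, 2);

// Constructed session contents, evaluated without a web server:
$samples = [
    'no session'      => [],
    'admin'           => ['username' => 'alice', 'permissions' => 1],
    'student'         => ['username' => 'bob', 'permissions' => 3],
    'level as string' => ['username' => 'eve', 'permissions' => '1'],
];
foreach ($samples as $label => $session) {
    printf("%-16s admin page: %s\n", $label, access_decision($session, [1]));
}
```

The last sample is denied because the level was stored as a string; the login script has to cast the database value to `int` before putting it in the session.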
