
Modifying/Adding to a User/Pass authentication?


WillJohnson1234


Dear PHP Experts,

 

I am relatively new to PHP/MySQL so I’ll do my best to explain my question. Hopefully it makes sense to you:)

 

I am modifying a simple PHP/MySQL login script where users register with my site giving their name, email address and a choice of three different options from a drop down menu (option select).

 

For example the registration page can be seen here

 

www.willjohnson.ca/febvocalped/register.php

 

Login is at

 

www.willjohnson.ca/febvocalped/index.html (on the left)

 

Everything works perfectly thus far. The connection to the database is perfect and all the fields are correctly deposited into my database.

 

What I’m wondering is if someone can help me with the login page. After a student has registered with my site, they can then navigate back to the index page and log in to my site. This login is successful and it takes the user to a page called ‘private1.php’. A PHP session is started allowing the user to enter these ‘private’ pages.

 

The thing I would like to customize is that depending on the three options when they register, after logging in they are taken to their respective areas.

 

For example: the drop down selection box designates Programs of Study “BMUS, MASTERS or DMA”

 

So when a user enters their login information, a MySQL query is generated to verify the username and password AND selects this new program field. Upon querying the database successfully, if the user has “BMUS” as a program, that user is directed towards the ‘private1.php’ page. If they had selected “MASTERS”, they would go to ‘private2.php’. If they had selected “DMA”, they would go to ‘private3.php’.

 

My question is:

 

How can I add an additional ‘if statement’ to this function (see code below) to specifically navigate the user to his/her appropriate private page?

 

Semantically (in addition to the user and pass authentication), I think it would be something like:

 

If $program = BMUS, then go to ‘private1.php’

elseif $program = MASTERS, then go to ‘private2.php’

elseif $program =DMA, then go to ‘private3.php’,

Else DIE (wrong authentication)

 

(I’m aware the syntax is nowhere even close to this!! It’s only for me to better explain:)

 

I will need to add the ‘program’ field to the select statement so PHP knows to direct the user to the appropriate page.

 

This is the PHP code I have (which works 100%) before adding this new “program” field query:

 

$qry="SELECT member_id FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
$result=mysql_query($qry);

if($result) {
	if(mysql_num_rows($result)>0) {

		session_regenerate_id();
		$member=mysql_fetch_assoc($result);
		$_SESSION['SESS_MEMBER_ID']=$member['member_id'];
		session_write_close();
		header("location: private1.php");
		exit();
	}else {

		header("location: failed.php");
		exit();
	}
}else {
	die("Query failed");
}

 

Options for ‘program’ field and their respective page :

 

BMUS    = 'private1.php'

MASTERS = 'private2.php'

DMA     = 'private3.php'

 

Any suggestions are greatly appreciated. Thank you kindly for your time/expertise.

 

Best,

Will

 


Hi,

Try something like this:

 

$qry="SELECT member_id FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
$result=mysql_query($qry);

if($result) {
	if(mysql_num_rows($result)>0) {

		session_regenerate_id();
		$member=mysql_fetch_assoc($result);
		$_SESSION['SESS_MEMBER_ID']=$member['member_id'];
		session_write_close();
		//new code
		switch($member['location']) //location would be a new field in the database.
		{
			case "BMUS":
				header("location: private1.php");
				break;
			case "MASTERS":
				header("location: private2.php");
				break;
			case "DMA":
				header("location: private3.php");
				break;	
			case default:
				//ERROR
				break;

		}
		//end new code
		exit();
	}else {

		header("location: failed.php");
		exit();
	}
}else {
	die("Query failed");
}

 

You would need a new 'location' field in the database containing the page that the user would have access to.

 

You might also want to put a check at the top of the other pages to ensure that a user can only view their own pages.

 

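The program-based redirect discussed above, as an added example that is not code from this thread: a login handler that looks the member up with a prepared statement (so the login value never becomes part of the SQL text), verifies the password with password_verify() instead of md5(), and routes the user through an allow-list of program values. It assumes a PDO connection in $pdo and a members table with columns member_id, login, passwd (a password_hash() string) and program; those names and the map of program to page are the example's own assumptions.

```php
<?php
// Added example (not the thread's own code): login handler that verifies
// credentials with a prepared statement and routes the user by program.
// Assumptions: $pdo is an open PDO connection; table `members` has columns
// member_id, login, passwd (a password_hash() string) and program.
declare(strict_types=1);

session_start();

// Allow-list: program value stored in the database -> the one page that
// program may see. Anything not in this map is treated as "no access".
const PROGRAM_PAGES = [
    'BMUS'    => 'private1.php',
    'MASTERS' => 'private2.php',
    'DMA'     => 'private3.php',
];

function authenticate(PDO $pdo, string $login, string $password): ?array
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'SELECT member_id, passwd, program FROM members WHERE login = :login'
    );
    $stmt->execute([':login' => $login]);
    $member = $stmt->fetch(PDO::FETCH_ASSOC);

    // A missing row and a wrong password look the same to the caller:
    // no member is returned, so the redirect target does not leak which it was.
    if ($member === false || !password_verify($password, (string)$member['passwd'])) {
        return null;
    }
    return $member;
}

function pageForProgram(string $program): ?string
{
    return PROGRAM_PAGES[$program] ?? null;
}

$login    = (string)($_POST['login'] ?? '');
$password = (string)($_POST['password'] ?? '');

$member = authenticate($pdo, $login, $password);
if ($member === null) {
    header('Location: failed.php');
    exit();
}

$page = pageForProgram((string)$member['program']);
if ($page === null) {
    // Unknown or empty program value: fail closed instead of guessing a page.
    header('Location: failed.php');
    exit();
}

// Fresh session id after authentication, then every session value is set
// BEFORE session_write_close(); assignments made after it are not saved.
session_regenerate_id(true);
$_SESSION['SESS_MEMBER_ID'] = (int)$member['member_id'];
$_SESSION['program']        = (string)$member['program'];
$_SESSION['page_allowed']   = $page;
session_write_close();

header('Location: ' . $page);
exit();
```

Keeping the program-to-page mapping in one constant means a new program needs one new line, and a value that is not in the map can never reach a private page by accident.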

Hi Sulman,

 

Thanks for your help with this. I tried your code and ran into an error at the case default line (line 46). I've also added 'location' to the database and also the SQL query. Here's what I have. I think it might be close!

 

$qry="SELECT member_id, location FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
$result=mysql_query($qry);
//Check whether the query was successful or not 
if($result) {
	if(mysql_num_rows($result)>0) {
		//Login Successful
		session_regenerate_id();
		$member=mysql_fetch_assoc($result);
		$_SESSION['SESS_MEMBER_ID']=$member['member_id'];
		session_write_close();
		switch ($member['location']) 
		{
			case "BMUS":
				header("location: private1.php");
				break;
			case "MASTERS":
				header("location: private2.php");
				break;
			case "DMA":
				header("location: private3.php");
				break;	
			case default:
				//ERROR
				break;

		}
		//end new code
		exit();

	}else {
		//Login failed
		header("location: failed.php");
		exit();
	}
}else {
	die("Query failed");
}

 

 

Any other suggestions? If you have a moment, try registering again to see if it works!

 

Thank you,

Will

 


Hi,

 

Yes thanks for your point. I just realized what happened!

 

In fact, it was a simple syntax error (I've discovered). The 'Default' case doesn't need "case" after it. I modified the case statement and now it works!

 

But can I ask another question? How can I ensure these specific users CANNOT go to the other private pages? Right now a PHP/MySQL session is created which gives them access to any of the three private pages. How can I specify that they are only allowed to go to their respective area?

 

For example, if I successfully log in and change the page in the URL bar (from private1.php to private2.php), it allows me to see that area. Is there a way I can restrict this access?

 

Thank you for your patience.

Will

 

 


yes sorry, my bad. case isn't needed for default.

 

To ensure a user can only access their own page you could set a session var when they login then check that var on each page. If they're not allowed to see it then kick them out:

 


<?php
switch ($member['location'])
{
	case "BMUS":
		header("location: private1.php");
		$_SESSION['page_allowed']="private1.php";
		break;
	case "MASTERS":
		header("location: private2.php");
		$_SESSION['page_allowed']="private2.php";
		break;
	case "DMA":
		header("location: private3.php");
		$_SESSION['page_allowed']="private3.php";
		break;
	default:
		//ERROR
		break;
}
?>

 

Then on each page you have the check:

<?php
//This check is for the top of private1.php ( change for each page)
if($_SESSION['page_allowed']!="private1.php")
{
    header('location: '.$_SESSION['page_allowed']);
    exit(); // stop here, otherwise the rest of the page is still sent after the redirect header
}
?>

 

This is just an example based on your existing code and there are better ways to be checking.


Hi Sulman,

 

Thanks a lot for your help. Everything is almost where it needs to be for me; I appreciate your help!

 

One bit of code I forgot to mention is that on all of the "private" pages before I started designating specific areas for each of the programs, I have an authorization script which starts/checks to make sure the initiated session is valid. This is what I have on each of the private pages:

 

<?php
require_once('authorization.php');
?>

 

And the code that's in that script is:

 

<?php

//Starts session for private page browsing

session_start();
       
//Check if the session variable (called SESS_MEMBER_ID is there)

if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID'])=='')) {
	header("location: denied.php");
	exit();
}
?>

 

 

Note that the denied.php location is where unauthorized users go.

 

Is this the best approach? As I said in an earlier post, it totally works! But it was designed thinking there was only ONE secure area, not three. Now that I have these three secure areas, how can I utilize your last bit of code for area authentication? I should have mentioned this bit of code before I asked :-[

<?php
if($_SESSION['page_allowed']!="private1.php")
{
    header('location: '.$_SESSION['page_allowed']);
    exit(); // stop here, otherwise the rest of the page is still sent after the redirect header
}
?>

 

Thanks again, Sulman!

 

Best,

W

 

 

 

 

 

 

 

 


Hey Sulman,

 

Unfortunately it doesn't work at the moment. The login works, and the user is directed to their correct page but if I comment out the 'authorization.php' script, anyone can access any of the pages without even logging in. If you have a moment, check it out.

 

Instead of getting rid of the 'authentication.php' script, is there a way I can concatenate a new string to the current authentication.php script so "PHP" verifies a session has started, a session_member_ID does not equal zero, AND a user can only access their respective registered pages? As I said, right now anyone can access any of the private pages regardless of whether they've logged in. The script on each of the private pages works at the moment.

 

Thanks for your help, Sulman.

 

Best,

Will

 

 


Right now I have commented out the authentication.php script (on each of the Private1.php, private2.php and private3.php pages). Instead of that script (the require once of authorization.php), I have put the code you suggested there instead:

 

<?php
//This check is for the top of private1.php ( change for each page)
if($_SESSION['page_allowed']!="private1.php")
{
    header('location: '.$_SESSION['page_allowed']);
    exit(); // stop here, otherwise the rest of the page is still sent after the redirect header
}
?>

 

But now when users log in, it only refreshes the index.html page. If I comment out your code, and use the authorization.php script (as a require_once function on each of those private pages), the user is correctly sent to their respective page. However, once they are on that page, they can simply access the other 'secure' pages by typing a new private.php page in the URL bar, thus making it un-secure.

 

So I'm not sure if I can simply add a line to my authorization.php script and simply keep the "require_once" PHP function at the top of each of the pages. All I need to do is have three private secure areas that can only be accessed by those users based on which option they select.

 

Will that work? You can see the authorization.php script in this thread.

 

Thanks again,

Will

 

 

 


Okay, so I think I'm almost there...

 

I have concatenated another string in the authorization.php script by adding this line.

 

<?php

session_start();

if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID'])=='') || ($_SESSION['page_allowed']!="private2.php") ) {
	header("location: denied.php");
	exit();
}
?>

 

I'm unsure of my syntax though... Because right now it just goes straight to denied.php.

 

Also, do I have to have three separate authorization scripts (one for each of the areas), OR can it be written using the case variables like we've done on the registration page?

 

Thanks for your help,

 

W

 

 

 

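The last question in the thread, one shared authorization.php versus a copy per area, as an added example that is not code from the thread: a single authorization.php that every private page includes unchanged. It works out which page it is running on from basename($_SERVER['SCRIPT_NAME']) and denies unless the session holds a positive SESS_MEMBER_ID and a page_allowed value that exactly matches that page. It assumes the login handler assigned both session values before calling session_write_close() (values assigned after that call are not saved); the function names are the example's own.

```php
<?php
// Added example, not the thread's own code: one authorization.php shared by
// private1.php, private2.php and private3.php. Each page just does
//   require_once 'authorization.php';
// and the check below works out the page name itself.
// Assumption: login stored $_SESSION['SESS_MEMBER_ID'] and
// $_SESSION['page_allowed'] before session_write_close().
declare(strict_types=1);

function sessionAllowsPage(array $session, string $currentPage): bool
{
    // Every condition must hold; a missing or odd value always denies.
    $memberId = $session['SESS_MEMBER_ID'] ?? null;
    if ($memberId === null || filter_var($memberId, FILTER_VALIDATE_INT) === false) {
        return false;
    }
    if ((int)$memberId <= 0) {
        return false;
    }

    $allowed = $session['page_allowed'] ?? null;
    // Exact match only: a DMA user whose page_allowed is private3.php is
    // denied on private1.php and private2.php, which is the point of the check.
    return is_string($allowed) && $allowed !== '' && $allowed === $currentPage;
}

function denyAndExit(): void
{
    header('Location: denied.php');
    exit(); // without exit() the protected page body would still be sent
}

// Start the session only if nothing else on the page already did.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// e.g. "/febvocalped/private2.php" -> "private2.php"
$currentPage = basename((string)($_SERVER['SCRIPT_NAME'] ?? ''));

if ($currentPage === '' || !sessionAllowsPage($_SESSION, $currentPage)) {
    denyAndExit();
}
```

Because the page name comes from the script actually being served rather than from a string typed into each copy, the same file protects all three areas, and adding a fourth area needs no change here at all, only a new entry wherever login maps program to page.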
