PHP Access Level Control ( Permissions) Help
Posted: Thu Dec 09, 2010 2:12 am
Hi everyone, I am developing an application that has two views, one for administrators and one for staff. Administrators can perform all application tasks and staff can ONLY perform certain tasks. I have implemented sessions quite alright and they are working. Now the problem is that when I log in as staff and then change the URL to point to an administrator's page, the application allows it. How can I prevent that from happening? Staff MUST NOT see administrators' pages. Here are my login code, logout code and the code I am using to protect web pages below.
Here is my login code
<?php
//start the session
session_start();
//read the submitted credentials (empty string if the form was not posted)
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
//the password column in tbl_users holds md5 hashes, so hash the input the same way
$encrypted = md5($password);
// set connection to database
$hostname="localhost"; // Host name
$mysql_server_username="root"; // Mysql username
$server_password=""; // Mysql password
$db_name="db_inventory"; // Database name
$table = "tbl_users"; // Table name
// Connect to server and select database.
mysql_connect($hostname, $mysql_server_username, $server_password) or die("cannot connect to database server");
mysql_select_db($db_name) or die("Couldn't select the database.");
//escape the submitted username before placing it in the query (the md5 hash is already safe hex)
$username_sql = mysql_real_escape_string($username);
$admin = "select * from $table where username='$username_sql' AND password='$encrypted' AND type = 'admin'";
$staff = "select * from $table where username='$username_sql' AND password='$encrypted' AND type = 'staff'";
//check that at least one row was returned
$adminresult=mysql_query($admin);
$admincount = mysql_num_rows($adminresult);
$staffresult=mysql_query($staff);
$staffcount = mysql_num_rows($staffresult);
if($admincount > 0){
$_SESSION['valid_user'] = $username;
header( "Location: main_menu.php" );
exit; //stop here so nothing below is sent after the redirect
}
else if($staffcount > 0){
$_SESSION['valid_user'] = $username;
header( "Location: staff/main_menu.php" );
exit;
}
else
{
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title> | Login</title>
</head>
<body bgcolor="#FFFFFF" background="images/images1.jpg" style="background-repeat:no-repeat;">
<div align="center">
<table width="800" height="501" border="0" cellpadding="1" cellspacing="1">
<tr>
<td height="100"> </td>
</tr>
<tr>
<td height="350">
<div align="center">
<form method="post" action="login_process.php">
<h4 align="center"><font color="red">Incorrect Username / Password ! Please Try Again</font></h4>
<img src="images/padlock_closed.gif" width="34" height="32" alt="" /><br /><br />
<table width="314" border="0" cellspacing="1" cellpadding="1">
<tr>
<td>Username:</td>
<td><label>
<input type="text" name="username" />
</label></td>
</tr>
<tr>
<td>Password:</td>
<td><label>
<input type="password" name="password" />
</label></td>
</tr>
<tr>
<td colspan="2">
<p>
<input type="submit" name ="submit" value="Login" /> <input type="reset" value="Reset" />
</p>
</td>
</tr>
</table>
</form>
</div>
</td>
</tr>
<tr>
<td height="100"> </td>
</tr>
</table>
</div>
</body>
</html>
<?php
}
?>
Here is my logout code
<?php
//start the session
session_start();
//check to make sure the session variable is registered
if(isset($_SESSION['valid_user'])){
//session variable is registered, the user is ready to logout:
//clear the session data and destroy the session on the server
$_SESSION = array();
session_unset();
session_destroy();
}
//whether the user was logged in or not, send them back to the login page
header( "Location: index.php" );
exit;
?>
Here is code I am using to protect pages
<?php
//start the session
session_start();
//check to make sure the session variable is registered
if(!isset($_SESSION['valid_user'])){
//redirect to login page and stop: without exit the HTML below is still sent to the visitor
header( "Location: index.php" );
exit;
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title> | Main Menu</title>
<link rel="stylesheet" type="text/css" href="css.css" />
</head>
<body>
<div id="tabsF">
<ul>
<!-- CSS Tabs -->
<li id="current"><a href="main_menu.php"><span>MAIN MENU</span></a></li>
<li><a href="stockmaster.php"><span>STOCK MASTER</span></a></li>
<li><a href="controlpanel.php"><span>CONTROL PANEL</span></a></li>
<li><a href="logout.php"><span>LOGOUT</span></a></li>
</ul>
</div>
</body>
</html>
Thank you.
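One way to enforce the role check on every page, as an added example that is not the poster's code: the login script records the user's type in the session next to valid_user, and each page calls a guard before sending any HTML. It assumes an include file named auth.php and the tbl_users type values 'admin' and 'staff' from the post; the session must be started before the login script calls establish_session().

```php
<?php
// auth.php (added example, not the poster's code). Assumes tbl_users.type
// is 'admin' or 'staff' and that session_start() ran before establish_session().

// Call from the login script once the username/password check succeeded,
// passing the type value read from the matching tbl_users row.
function establish_session(string $username, string $type): void
{
    // A fresh session id after login defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['valid_user'] = $username;
    $_SESSION['role']       = $type;   // 'admin' or 'staff'
}

// Every protected page calls this before any output. Administrator pages
// pass 'admin', pages under staff/ pass 'staff'. Returns only when allowed.
function require_role(string $required, string $loginPage = 'index.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['valid_user'], $_SESSION['role'])) {
        header('Location: ' . $loginPage);
        exit;   // without exit the HTML after the check is still sent
    }
    if (!role_allows($_SESSION['role'], $required)) {
        // Logged in but not authorised: refuse instead of falling through.
        http_response_code(403);
        echo 'Access denied';
        exit;
    }
}

// Admins may use staff pages; staff may use staff pages only.
function role_allows(string $have, string $need): bool
{
    $rank = ['staff' => 1, 'admin' => 2];
    return isset($rank[$have], $rank[$need]) && $rank[$have] >= $rank[$need];
}

// Usage at the very top of main_menu.php (replaces the isset check shown above):
//   <?php require 'auth.php'; require_role('admin'); ?>
// and at the top of staff/main_menu.php:
//   <?php require '../auth.php'; require_role('staff'); ?>
```

Changing the URL from staff/main_menu.php to main_menu.php then yields a 403 for a staff session, because the decision is made from the role stored server-side at login, not from which page the browser asked for.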