I am trying to make a login script for admins and users, and I don't want users to be able to access any of the admin pages; at the moment I don't want admins to be able to access the user pages either. I have tried to figure out a way, since I haven't found any good explanations on the internet that I can understand, since English isn't my native language.
I have done a script that is close to what I want, but there are some issues. I also think that there is a much better way than mine, because I have only used logic (well, my logic anyway).
Here is what I have done:
Mysql
A database "dbdatabase" and a table "users" with these fields: id, username, password and usertype. In the field usertype I put either "admin" or "user", without the quotes.
index.php
A login form that calls login.php in its action attribute.
<form method="post" action="login.php">
<h4>Log in</h4>
Username:<br> <input type="text" name="username"><br>
Password: <br><input type="password" name="password"><br>
<input type="submit" name="submit" value="Log in!"><br>
</form>
login.php
<?php
if (isset($_POST['submit'])){
    mysql_connect('dbhost', 'dbuser', 'dbpass') or die(mysql_error());
    mysql_select_db('dbdatabase') or die(mysql_error());
    // Escape the form input before it is put into the query string; used raw,
    // the username field is an SQL injection point.
    $username = mysql_real_escape_string($_POST['username']);
    // md5() is a fast, unsalted hash and not a suitable password hash; it is
    // kept here only because the table stores md5 values.
    $password = md5($_POST['password']);
    $isAdmin = mysql_query("SELECT username FROM users WHERE username='$username' AND password='$password' AND usertype = 'admin'") or die(mysql_error());
    $loginAdmin = mysql_num_rows($isAdmin);
    $isUser = mysql_query("SELECT username FROM users WHERE username='$username' AND password='$password' AND usertype = 'user'") or die(mysql_error());
    $loginUser = mysql_num_rows($isUser);
    if($loginAdmin == 1){
        session_start();
        $_SESSION['username'] = $username;
        header("Location: admin/index.php");
        exit; // header() does not stop the script; without exit the rest still runs
    }
    else if($loginUser == 1){
        session_start();
        $_SESSION['username'] = $username;
        header("Location: user/index.php");
        exit;
    }
    else{
        // The original tested $login == 0 here, but $login is never set;
        // any other outcome is simply a failed login.
        header("Location: index.php"); //How can I write an error message at the top of the form?
        exit;
    }
}
?>
admin/index.php (the check at the top of the page)
<?php
session_start();
$lia = isset($_SESSION['username']) ? $_SESSION['username'] : '';
// Check for a missing session first, so no query runs for anonymous visitors.
if($lia == ''){
    die("<a href='../?p=index'>Log in first</a>");
}
mysql_connect('dbhost', 'dbuser', 'dbpass') or die(mysql_error());
mysql_select_db('dbdatabase') or die(mysql_error());
// The session value is escaped before it is interpolated into the query.
$checkAdmin = mysql_query("SELECT username FROM users WHERE username='" . mysql_real_escape_string($lia) . "' AND usertype = 'admin'") or die(mysql_error());
$sessionAdmin = mysql_num_rows($checkAdmin);
// mysql_num_rows() returns a row count (0 or 1), never the string 'admin'.
// The original compared it with 'admin'; in PHP 5 the loose comparison
// 0 == 'admin' happens to be true, which is why it seemed to work. Compare
// with 0 explicitly: no admin row with this username means not an admin.
if($sessionAdmin == 0){
    die("<a href='../?p=index'>Log in as admin first</a>");
}
?>
user/index.php (the same check for users)
<?php
session_start();
$lia = isset($_SESSION['username']) ? $_SESSION['username'] : '';
if($lia == ''){
    die("<a href='../?p=index'>Log in first</a>");
}
mysql_connect('dbhost', 'dbuser', 'dbpass') or die(mysql_error());
mysql_select_db('dbdatabase') or die(mysql_error());
// The original query was missing the opening quote around 'user'.
$checkUser = mysql_query("SELECT username FROM users WHERE username='" . mysql_real_escape_string($lia) . "' AND usertype = 'user'") or die(mysql_error());
$sessionUser = mysql_num_rows($checkUser);
// As in admin/index.php: a row count of 0 means this account is not a user.
if($sessionUser == 0){
    die("<a href='../?p=index'>Log in first</a>");
}
?>
In admin/index.php I have a couple of div tags, "header", "leftmenu" with links and "content" where the links will be shown. I don't know if this is necessary, but here is the code that resides in the content box:
<?php
$p = isset($_GET['p']) ? $_GET['p'] : '';
if($p == ""){
    include("profil.php");
}
// Only allow plain page names. Passing $_GET['p'] straight to include()
// lets a visitor traverse to any file on the server (for example
// p=../../config), which is a local file inclusion hole.
else if(preg_match('/^[A-Za-z0-9_-]+$/', $p) && file_exists($p.".php")){
    include($p.".php");
}
else{
    include("404.php");
}
?>
There is another thing that confuses me and is the main reason why I don't understand my own code. This part in admin/index.php:
else if($sessionAdmin == 'admin'){
die("<a href='../?p=index'>Log in as admin first</a>");
}
Finally when I press logout when I am logged in as admin I won't be logged out. I have to press the link twice in a sequence. The issue only happens when I am logged in as admin and not for users. I only use session_start(); and session_destroy(); in logout.php.
I know there are a lot of questions here and maybe I can't get an answer to them all, but thanks in advance!
Suzanne
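The following is an added example from the editor, not Suzanne's code, showing how the same admin/user login can be written so that the role is decided once, at login, and checked from the session on every page. It assumes the "users" table from the post (username, password, usertype) with the password column holding password_hash() output instead of md5(), PDO with prepared statements instead of the mysql_* functions, PHP 5.5 or later for password_verify(), and the same hypothetical host/database/credentials as the post. File names (auth.php) and the error= query parameter are choices made for this example.

```php
<?php
// auth.php (added example; assumes a users table with username, password, usertype)

function db() {
    // Hypothetical connection details, same names the post uses.
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=dbhost;dbname=dbdatabase;charset=utf8mb4', 'dbuser', 'dbpass', array(
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
        ));
    }
    return $pdo;
}

// Returns the account's role ('admin' or 'user') on success, null on failure.
// One query serves both roles: the role is read from the matching row rather
// than running a separate query per role.
function login_user($username, $password) {
    $stmt = db()->prepare('SELECT password, usertype FROM users WHERE username = ? LIMIT 1');
    $stmt->execute(array($username));              // bound parameter: no SQL injection
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;                                // unknown user and wrong password look the same
    }
    session_start();
    session_regenerate_id(true);                    // fresh session id after login (session fixation)
    $_SESSION['username'] = $username;
    $_SESSION['role']     = $row['usertype'];       // the role lives in the session from now on
    return $row['usertype'];
}

// Put require_role('admin') at the top of admin/index.php and require_role('user')
// at the top of user/index.php. No database round trip is needed on each page.
function require_role($role) {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['username'])) {
        header('Location: ../index.php?error=login');
        exit;
    }
    if (!isset($_SESSION['role']) || $_SESSION['role'] !== $role) {
        header('Location: ../index.php?error=role');
        exit;
    }
}

// logout.php: clear the session data, expire the session cookie, then destroy.
function logout_user() {
    session_start();
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ../index.php');
    exit;
}

// login.php: decide the redirect from the returned role.
if (isset($_POST['submit'])) {
    $role = login_user($_POST['username'], $_POST['password']);
    if ($role === 'admin') { header('Location: admin/index.php'); exit; }
    if ($role === 'user')  { header('Location: user/index.php');  exit; }
    header('Location: index.php?error=login');
    exit;
}

// index.php, above the form: show why the last attempt was refused. The text is
// chosen from fixed strings, so nothing from the URL is echoed into the page.
if (isset($_GET['error'])) {
    echo '<p class="error">' . ($_GET['error'] === 'role' ? 'Log in as admin first' : 'Wrong username or password') . '</p>';
}
```

Stored hashes are created with password_hash($plain, PASSWORD_DEFAULT) when the account is set up; existing md5 values would have to be rehashed on the user's next successful login. The content-box include should still restrict $_GET['p'] to plain page names (or a fixed list) before passing it to include(), independently of the role check.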