
creating an admin page with an existing login script

Posted: Thu Dec 15, 2011 10:33 pm
by geneh18
Hey everyone!

I am creating an admin section for a website so the administrator can post, update and delete blog posts and comments. However, I am having trouble figuring out how to do this. I want to simply add some code to a previous login script I had created in PHP and simply write an admin script to identify the session value of the admin and redirect them to the admin page, and the users who log in who do not have the admin capability to simply view the page as a user.

Here is the login script, labeled checkuser.php:

Code:

<?php
session_start();

$host="************"; // Host name 
$username="*******"; // Mysql username 
$password="************"; // Mysql password 
$db_name="*********"; // Database name 
$tbl_name="*******"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$username=$_POST['username']; 
$password=$_POST['password'];

// To protect against MySQL injection
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='0'";
$result=mysql_query($sql);

// mysql_num_rows() counts the rows returned by the query
$count=mysql_num_rows($result);
// If the result matched $username and $password, there must be exactly 1 row

if($count==1){
// Register $username, $password and redirect to file "user-area.php"
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
header("location: user-area.php");
}
else {
echo "Wrong Username or Password";
}
?>
And here is the admin.php:

Code:

<?php

$host="********"; //host name
$username="********"; //Mysql username
$password="***********"; //Mysql password
$db_name="**********"; //Database name
$tbl_name="********"; //Table name

mysql_connect("$host", "$username", "$password") or die("Cannot connect!");
mysql_select_db("$db_name") or die("Cannot connect to db!");

$get = mysql_query("SELECT * FROM users WHERE username='$username'");
while($row = mysql_fetch_assoc($get)) 
{
	$admin = $row['user_level'];
}

if ($admin == 0) {
	echo "This is not an admin page";
	exit();
}
if ($admin == 1) {
	echo "This is an admin page";
	exit();
}
?>
I hope this helps!! Thanks!!

Re: creating an admin page with an existing login script

Posted: Fri Dec 16, 2011 1:47 am
by social_experiment

Code:

<?php
if ($admin == 0) {
        echo "This is not an admin page";
        exit();
}
if ($admin == 1) {
        echo "This is an admin page";
        exit();
}
?>
You need to regenerate the sessions before redirecting the individual users; replace the echo statements with header('location: desiredPage.php') and it should redirect the users as required. This should probably be on the same page as your initial logging, so you can check there and redirect in one motion.

Hth
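
The flow described in the reply above (check the level on the login page, regenerate the session, then redirect), as an added example that is not code from the thread. It swaps the thread's mysql_* calls and plain password column for PDO bound parameters and password_hash()/password_verify(); the password_hash column, the in-memory SQLite table and its rows are assumptions constructed for the example.

```php
<?php
// Added example, not code from the thread. Assumes the users table holds a
// password_hash column (the thread's table stores the password itself).
session_start();

// Constructed sample rows in in-memory SQLite so the script runs on its own;
// on the thread's site this would be the MySQL connection from config.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT,
           activated INTEGER, user_level INTEGER)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?, 0, ?)');
$ins->execute(['alice', password_hash('constructed-pw-1', PASSWORD_DEFAULT), 1]);
$ins->execute(['bob', password_hash('constructed-pw-2', PASSWORD_DEFAULT), 0]);

// Returns the matching row, or null when the name or the password is wrong.
function authenticate(PDO $db, string $username, string $password): ?array
{
    // Bound parameter instead of escaping; same activated filter as the thread.
    $stmt = $db->prepare('SELECT username, password_hash, user_level
                          FROM users WHERE username = ? AND activated = 0');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

// Checks the role at login and returns the page to redirect to.
function loginAndRoute(PDO $db, string $username, string $password): string
{
    $user = authenticate($db, $username, $password);
    if ($user === null) {
        return 'login.php';                // one answer for bad name or password
    }
    session_regenerate_id(true);           // fresh session id once logged in
    $_SESSION['username'] = $user['username'];
    $_SESSION['user_level'] = (int) $user['user_level'];  // no password in session
    return $_SESSION['user_level'] === 1 ? 'admin.php' : 'user-area.php';
}

$name = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
$pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
$target = loginAndRoute($db, $name, $pass);
header('Location: ' . $target);
exit;
```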

Re: creating an admin page with an existing login script

Posted: Fri Dec 16, 2011 11:49 pm
by geneh18
I see your point. I put the session_start(); however, there is an error that states

"Notice: Undefined variable: username in C:\Program Files (x86)\EasyPHP-5.3.8.1\www\Sample\admin.php on line 9

Notice: Undefined variable: admin in C:\Program Files (x86)\EasyPHP-5.3.8.1\www\Sample\admin.php on line 15
This is not an admin page"

Why am I getting the error undefined username when it is the same as it reads in the database as well as in the form on the login page?

How is the admin not defined... it clearly is... or unless I'm missing something quite obvious...

Re: creating an admin page with an existing login script

Posted: Sat Dec 17, 2011 3:15 am
by social_experiment
http://tycoontalk.freelancer.com/php-fo ... error.html
This URL explains a bit more about the undefined variable error.

Code:

<?php
$host="********"; //host name
$username="********"; //Mysql username
$password="***********"; //Mysql password
$db_name="**********"; //Database name
$tbl_name="********"; //Table name

mysql_connect("$host", "$username", "$password") or die("Cannot connect!");
mysql_select_db("$db_name") or die("Cannot connect to db!");

$get = mysql_query("SELECT * FROM users WHERE username='$username'")
?>
Just one question: the $username value you use within the query, where do you find that value? At the moment it looks like you are using the same value as the MySQL username.

Re: creating an admin page with an existing login script

Posted: Sat Dec 17, 2011 2:28 pm
by geneh18
I find that value in the login.php file, where name=username in the input field for the username.

Re: creating an admin page with an existing login script

Posted: Sun Dec 18, 2011 2:14 am
by social_experiment
You could move the database connection to a separate page and include it, and for clarity's sake change one of the password variable names, maybe to $dbUsername.

Re: creating an admin page with an existing login script

Posted: Sun Dec 18, 2011 3:44 pm
by geneh18
I did both as you suggested @social_experiment, and when I submit the form again, it shows up with a blank page and the page goes to checkuser.php.

Re: creating an admin page with an existing login script

Posted: Mon Dec 19, 2011 12:52 am
by social_experiment
Can you paste the new code?

Re: creating an admin page with an existing login script

Posted: Mon Dec 19, 2011 1:15 am
by geneh18
Here is the checkuser.php:

Code:

<?php
session_start();
include('config.php');

// username and password sent from form 
$username = stripslashes($_POST['username']); 
$password = stripslashes($_POST['password']);

$sql = mysql_query("SELECT * FROM users WHERE username='".mysql_real_escape_string($username)."' AND password='".mysql_real_escape_string($password)."' AND activated = 0");

die(mysql_error());


$numrows = mysql_num_rows($sql);
$query = mysql_fetch_array($sql);

if ($numrows > 0) 
{
      
   $_SESSION['username'] = $username;
   $_SESSION['password'] = $password;
   
   echo 'You are logged in as '.$_SESSION['username'].' Click <a href="logout.php">here</a> to log out!';
}
else
{
      if ($username!=$query['username']) 
      {
         echo 'Incorrect username';
      }
      elseif ($password!=$query['password']) 
      {
         echo 'Incorrect password';
      }
      else 
      {
         echo 'Incorrect username and password!';
      }
}

?>
And here is the config.php:

Code:

<?php

$db_host="******"; // Host name 
$db_username="*******"; // Mysql username 
$db_password="*********"; // Mysql password 
$db_name="*********"; // Database name 

// Connect to server and select database.
mysql_connect("$db_host", "$db_username", "$db_password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");


?>

Re: creating an admin page with an existing login script

Posted: Mon Dec 19, 2011 1:35 am
by social_experiment

Code:

<?php
$sql = mysql_query("SELECT * FROM users WHERE username='".mysql_real_escape_string($username)."' AND password='".mysql_real_escape_string($password)."' AND activated = 0");
die(mysql_error());
// change to
$sql = mysql_query("SELECT * FROM users WHERE username='".mysql_real_escape_string($username)."' AND password='".mysql_real_escape_string($password)."' AND activated = 0") or die(mysql_error());
?>
It is probably the call to die() that's causing the blank page.

Re: creating an admin page with an existing login script

Posted: Mon Dec 19, 2011 1:57 am
by geneh18
That did fix the blank page issue; however, I am still back to the incorrect username issue... which I know I put the correct username as it says in the database...

Re: creating an admin page with an existing login script

Posted: Mon Dec 19, 2011 3:32 am
by social_experiment

Code:

<?php
if ($username!=$query['username']) 
      {
         echo 'Incorrect username';
      }
?>
Are you referring to this section of the code? Print out $username and $query['username'] to see what information they contain.

Re: creating an admin page with an existing login script

Posted: Mon Dec 19, 2011 4:01 pm
by geneh18
now the check user just shows with a black page..even when I printed out $username..

Re: creating an admin page with an existing login script

Posted: Mon Dec 19, 2011 4:25 pm
by social_experiment
geneh18 wrote:now the check user just shows with a black page..even when I printed out $username..
From the results you report back $username contains no information; what does the code for the submission form look like?

Re: creating an admin page with an existing login script

Posted: Mon Dec 19, 2011 10:39 pm
by geneh18
OK, I got the checkuser.php to work; however, I have an issue with the admin script admin.php:

Code:

<?php

$user = $_SESSION['username'];

//connect to db
$connect = mysql_connect('127.0.0.1','root','');
mysql_select_db('member');

$get = mysql_query("SELECT * FROM `users` WHERE user_level='1' AND user_level='0'");
while($row = mysql_fetch_assoc($get)) 
{
	$admin = $row['user_level'];
}

if ($admin == 0) {
	echo "<a href='login.php'>Log in</a> | <a href='logout.php'>Log out</a>
		  <h1>This is not an admin page</h1>";
	exit();
}
if ($admin == 1) {
	echo "<a href='login.php'>Log in</a> | <a href='logout.php'>Log out</a>
		  <h1>This is an admin page<h1>";
	exit();
}
?>
The error that shows in the admin.php is this: "Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in C:\Program Files (x86)\EasyPHP-5.3.8.1\www\Sample\admin-page.php on line 18"
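
A gate for admin.php that starts the session and reads user_level only for the user named in it, as an added example that is not the poster's code. The in-memory SQLite table and its rows are constructed, and isAdmin() is a hypothetical helper.

```php
<?php
// Added example, not code from the thread. session_start() must run before
// $_SESSION is read, otherwise the page never sees who logged in.
session_start();

// Constructed sample rows in in-memory SQLite so the script runs on its own;
// on the thread's site this would be the connection from config.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, user_level INTEGER)');
$db->exec("INSERT INTO users VALUES ('alice', 1), ('bob', 0)");

// True only when the session names a user whose stored user_level is 1.
// Anything else (no session, unknown user, level 0) is treated as non-admin.
function isAdmin(PDO $db, array $session): bool
{
    if (empty($session['username']) || !is_string($session['username'])) {
        return false;                       // nobody is logged in
    }
    // Look up this one user with a bound parameter, not every row in the table.
    $stmt = $db->prepare('SELECT user_level FROM users WHERE username = ?');
    $stmt->execute([$session['username']]);
    $level = $stmt->fetchColumn();
    return $level !== false && (int) $level === 1;
}

if (!isAdmin($db, $_SESSION)) {
    http_response_code(403);                // deny by default
    echo "<a href='login.php'>Log in</a> | <a href='logout.php'>Log out</a>
          <h1>This is not an admin page</h1>";
    exit;
}

echo "<a href='login.php'>Log in</a> | <a href='logout.php'>Log out</a>
      <h1>This is an admin page</h1>";
```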