Redirect to login with dynamic URL doesn't work

ankungen
Forum Newbie
Posts: 4
Joined: Wed Dec 14, 2011 3:24 am

Post by ankungen »

Redirect to login with dynamic URL (?p=) doesn't work

I have two webpages that I want to be accessible only when the user is logged in. One for admin and one for other users. When a user who isn't logged in arrives at these pages I want to redirect the page to login.php. This doesn't work with the website I am working on.

I use this script on the startpage:

<?php
if(file_exists($_GET['p'].".php")){
include($_GET['p'].".php");
}

else{
if(empty($_GET['p']) OR $_GET['p'] == ""){
include("main.php");
}

else{
include("404.php");
}
}
?>

and therefore my links have this format: ?p=mapp/filnamn and it doesn't work with header('Location: /?p=admin/login');

If I skip this script and use ordinary links header('Location: /admin/login.php'); it works, but I don't want to be forced to copy the same code over and over again to get header, footer, leftbar and rightbar on every single page.

I have almost torn my brain apart to find a solution but in vain. Today I have been sitting in front of the computer almost the whole day with this problem, but no luck. I don't even know what to search for. What is it I don't understand? Not long ago I had another problem just because I use dynamic links.

This is the script I use on the page that I don't want to be accessible if you aren't logged in:

<?php 
	session_start();
	$username = $_SESSION['username'];

	include ('functions.php');
	db_connect();

	if(!empty($_SESSION['username'])){
		$sql = mysql_query("SELECT username, usertype FROM users WHERE username='$username'");
		$result = mysql_num_rows($sql);
		$row = mysql_fetch_array($sql);
		
		if($_SESSION['username'] = $username AND $row['usertype']==1){
			$_SESSION['username'] = $username;
			$user_welcome = "Welcome ".$username;
		}
		
		else{
			//header('Location: /?p=admin/login');
			die("<a href='?p=admin/login'>You have to login as admin to access this page!</a>");
		}
	}
	
	else{
		//header('Location: /?p=admin/login');
		die("<a href='?p=admin/login'>You have to login to access this page</a>");
	}
?>
I use "die" because it is the only way for me to make it work, but I want to use what is in the comments. Maybe it's not such a bad idea to use the method I use today, but the problem is that when I get the message that I have to login to view the page, the rightbar disappears and the page therefore looks stupid.

Another question I am wondering about, is if the above script is secure? It doesn't feel like it, but maybe the security is all about the loginpage?
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Redirect to login with dynamic URL doesn't work

Post by social_experiment »

Directing to a dynamic url should work provided you are providing a page to go to; currently header function tries to redirect to /?p=admin/login which it can't find;
ankungen wrote: but I don't want to be forced to copy the same code over and over again to get header, footer, leftbar and rightbar on every single page.
Could you elaborate on this?
ankungen wrote: Another question I am wondering about, is if the above script is secure? It doesn't feel like it, but maybe the security is all about the loginpage?
There is no escape (of data) being done on the details you use in the SQL query; even if $_SESSION['username'] is set by you and comes from a 'safe' source, it's good practice to check all data, regardless of who supplies it. No, security is not all about the login page; the login page is not even required to submit data to the page that does the processing of the script.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
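
An added example, not code from either poster: one way to apply the advice above to check all data, with the `?p=` value matched against a fixed list of pages, the user lookup done through a prepared statement, and the login decision made before any output so that `header('Location: ...')` can still be sent. The page names, the PDO/SQLite setup and the sample users are assumptions constructed for the example.

```php
<?php
// Added example. PAGES and ADMIN_ONLY are hypothetical page names, not the poster's site.
const PAGES = ['main', 'admin/login', 'admin/panel', 'user/home'];
const ADMIN_ONLY = ['admin/panel'];

// Accept ?p= only if it is on the allowlist; raw input never becomes a file path.
function resolve_page(?string $p): string
{
    if ($p === null || $p === '') {
        return 'main';
    }
    return in_array($p, PAGES, true) ? $p : '404';
}

// Prepared statement: the username is bound as data and is never part of the SQL text.
function is_admin(PDO $db, string $username): bool
{
    $stmt = $db->prepare('SELECT usertype FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && (int) $row['usertype'] === 1;
}

// Decide before any HTML is sent: either a redirect target or the file to include.
function route(PDO $db, ?string $p, ?string $sessionUser): array
{
    $page = resolve_page($p);
    if (in_array($page, ADMIN_ONLY, true)
        && ($sessionUser === null || !is_admin($db, $sessionUser))) {
        return ['redirect', '/?p=admin/login'];
    }
    return ['include', $page . '.php'];
}

// Constructed sample data in an in-memory SQLite database (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, usertype INTEGER)');
$db->exec("INSERT INTO users VALUES ('alice', 1), ('bob', 0)");

$cases = [['admin/panel', 'alice'], ['admin/panel', 'bob'], ['admin/panel', null],
          ['no/such/page', 'alice'], ['admin/panel', "o'brien"], [null, null]];
foreach ($cases as [$p, $user]) {
    [$action, $target] = route($db, $p, $user);
    printf("p=%-16s user=%-10s -> %s %s\n", var_export($p, true), var_export($user, true), $action, $target);
}
// In index.php, call route() first; on 'redirect' run header('Location: ' . $target); exit;
// otherwise print the header and sidebars, then include $target.
```

Only the alice request for admin/panel resolves to an include of that page; the other admin/panel requests come back as a redirect to the login page, and the unlisted page name falls through to 404.php.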