
Posted: Tue Jul 20, 2004 12:37 am
by feyd
unless all users that are logged in are admins, I'd add some other stuff to that if :)

Posted: Tue Jul 20, 2004 12:42 am
by C_Calav
unless all users that are logged in are admins, I'd add some other stuff to that if....
...if?

Posted: Tue Jul 20, 2004 12:43 am
by feyd

Code:

if (!isset($_SESSION["loggedin"]))

Posted: Tue Jul 20, 2004 12:45 am
by C_Calav
thanks for all your help feyd, much appreciated, won't make those mistakes again 8)

Posted: Tue Jul 20, 2004 1:28 am
by C_Calav
ahhhh! trying to make each admin page secure but can still get to it from just typing the path in.

is that because my session is still running? i.e. haven't logged out?

I am putting this code at the top of each admin page:

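Code:

<?php
// Start (or resume) the session before reading $_SESSION.
session_start();

// Stop here unless the login script has set the "loggedin" flag.
if (!isset($_SESSION["loggedin"]))
{
    exit("Hacking Attempt!");
}

// Escape the stored name before writing it into the page.
echo "Welcome to the Admin Section, ".htmlspecialchars($_SESSION["username"]);
?>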
then my html...

<html>
<head>
etc.

is this correct?

Posted: Tue Jul 20, 2004 2:13 am
by feyd
If you hadn't logged out, yes, that would be it.

Posted: Tue Jul 20, 2004 2:28 am
by C_Calav
thanks, sorry for carrying this on so long with a not that hard question :roll:

Posted: Tue Jul 20, 2004 2:29 am
by feyd
I'm sure someone will benefit from the further explanations and things.

Posted: Tue Jul 20, 2004 10:42 am
by John Cartwright
That little snippet was intended only if the only people that can sign in are admins. If you have some sort of access like

AccessName | Access
Admin | 3
Mod | 2
User | 1
Guest | 0

then you should put on your admin page




admin.php

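Code:

<?php
session_start();

// Fail closed: refuse the page unless an access level is present in the
// session and it is the Admin level (3). A missing or empty level (not
// logged in, or Guest = 0) is rejected as well.
if (empty($_SESSION["access"]) || (int) $_SESSION["access"] !== 3)
{
    exit("Hacking Attempt!");
}

// Escape the stored name before writing it into the page.
echo "Welcome to the Admin Section, ".htmlspecialchars($_SESSION["username"]);
?>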

login.php

Code:

<?php
session_start();

if (!empty($_POST['submit']))
{
     // Read the form fields only once the form has actually been submitted.
     $username = isset($_POST["username"]) ? $_POST["username"] : "";
     $password = isset($_POST["password"]) ? $_POST["password"] : "";

     $db = mysql_pconnect('***') or die ("Could not connect to database");
     mysql_select_db('models') or die ("Could not select database!");

     // Escape the name before placing it in the query string.
     $safe_name = mysql_real_escape_string($username, $db);
     $sql = "select * from user where name = '$safe_name'";
     $result = mysql_query($sql, $db) or die ("Execution failed.");

     while ($row = mysql_fetch_array($result))
     {
          // Strict comparison, so numeric-looking strings are not compared as numbers.
          if ($row["password"] === $password)
          {
               echo " ('Successfully Logged In!<a href='index.php'>Click Here</a>') ";
               $_SESSION["username"] = $username; // same key the admin page reads
               $_SESSION["access"] = $row["access"]; // no longer sets loggedin; stores the access level in the session
          }
          else
          {
               echo "wrong password";
          }
     }
}
?>
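
Added example, not part of any post in this thread: a fail-closed access-level check next to a form that rejects only when a level is present and wrong, run over constructed sessions. The function names are hypothetical, the "at least the required level" comparison is an assumption that goes beyond the exact-match check discussed here, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example. Level numbers follow the table in the thread above.
const ACCESS_ADMIN = 3;

// Weak form: rejects only when a level is present AND wrong, so a missing
// or empty level (no session, or Guest = "0") is let through.
function weak_is_admin(array $session): bool
{
    $level = $session["access"] ?? null;
    $rejected = ($level != ACCESS_ADMIN) && !empty($level);
    return !$rejected;
}

// Fail-closed form: allowed only when a numeric level is present and it
// is at least the level the page requires.
function has_access(array $session, int $required): bool
{
    if (!isset($session["access"]) || !is_numeric($session["access"])) {
        return false;
    }
    return (int) $session["access"] >= $required;
}

// Hypothetical helper: call require_access(ACCESS_ADMIN) at the top of
// each protected page, before any output.
function require_access(int $required): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!has_access($_SESSION, $required)) {
        http_response_code(403);
        exit("Access denied");
    }
}

// Constructed sample sessions, as strings the way a database row returns them.
$samples = [
    "no login" => [],
    "guest"    => ["access" => "0"],
    "user"     => ["access" => "1"],
    "mod"      => ["access" => "2"],
    "admin"    => ["access" => "3"],
];
foreach ($samples as $label => $session) {
    printf("%-8s weak=%-5s fail-closed=%s\n", $label,
        var_export(weak_is_admin($session), true),
        var_export(has_access($session, ACCESS_ADMIN), true));
}
```

Run from the command line, the loop shows which sample sessions each form admits; `require_access()` is not called in the demo because it needs a web request.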