
SOLVED | a simple code problem. please help me out.

Posted: Sun Sep 11, 2005 10:57 am
by gothica
feyd | Please use the code tags where appropriate when posting code. Read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url]


hi! i've been reading some of the topics but i can't seem to find the answers i need so here goes:

it's just a simple login page that will direct an admin user to "admin.html" and an ordinary user to "user.html"

this is part of the  login interface code (index.html)

Code: Select all

<td height="1" width="71%"> 
      <form action="userVer.php" method = POST>
        <fieldset style="padding: 2">
        <legend><b><font face="Lucida Console" color="#0D4F84">user</font></b><font color="#484848" face="Impact" size="4">Login</font></legend>
        <b><font face="Arial" size="2">username :</font></b> <input type="text" name="uName" size="20">
        <br>
        <b><font face="Arial" size="2">password&nbsp; : </font></b> <input type="password" name="pWord" size="20">
        <b><font face="Verdana" size="2" color="#3A4F56">
        <input type = "submit" value = "Login">
        </font></b>
        </fieldset></form>
      </td>

this is the php code that will verify the type of user (userVer.php)

Code: Select all

<?php

$dbCon = mysql_connect ("localhost","root","123456") ;
$dbUse = mysql_select_db("ordersystem", $dbCon) ;

$username = $_POST["uName"] ;
$password = $_POST["pWord"] ; 

$userQuery = "select * from uProfile where uName = '$username' and uPass = '$password'" ;
$qResult = mysql_query ($userQuery,$dbCon) ;
$searchRows = mysql_num_rows($qResult) ;

if (!$dbCon)
{
    die ("Failed to connect to MySQL!" . mysql_error()) ;
}
else
{
    if (!$dbUse)
    {
        print "Unable to open database!" ;
    }
    else
    {
        if (!$searchRows)
        {
            print "Login Failed : UNAUTHORIZED USER" ;
        }
        else
        {
            if ($username == "admin" && $password == "admin")
            {
               print "Login success : ADMINISTRATOR ACCOUNT" ;
	
                /* insert code here that will redirect user to
                   admin.html */
                
            }
            else if ($username == "user" && $password == "user")
            {
                print "Login success : USER ACCOUNT" ;

                /* insert code here that will redirect user to
                   user.html */

            }
        }
    }
}

mysql_close();

?>

i don't know how to go about this. any help or suggestions for me to work this thing out will be very much appreciated. thank you!



Posted: Sun Sep 11, 2005 12:41 pm
by josh

Posted: Sun Sep 11, 2005 1:26 pm
by William
Example:

Code: Select all

<?php

$dbCon = mysql_connect ("localhost","root","123456") ;
$dbUse = mysql_select_db("ordersystem", $dbCon) ;

$username = $_POST["uName"] ;
$password = $_POST["pWord"] ;

$userQuery = "select * from uProfile where uName = '$username' and uPass = '$password'" ;
$qResult = mysql_query ($userQuery,$dbCon) ;
$searchRows = mysql_num_rows($qResult) ;

if (!$dbCon)
{
    die ("Failed to connect to MySQL!" . mysql_error()) ;
}
else
{
    if (!$dbUse)
    {
        print "Unable to open database!" ;
    }
    else
    {
        if (!$searchRows)
        {
            print "Login Failed : UNAUTHORIZED USER" ;
        }
        else
        {
            if ($username == "admin" && $password == "admin")
            {
               print "Login success : ADMINISTRATOR ACCOUNT" ;
    
                 header("Location: admin.html");
                
            }
            else if ($username == "user" && $password == "user")
            {
                print "Login success : USER ACCOUNT" ;

                header("Location: user.html");

            }
        }
    }
}

mysql_close();

?>

Posted: Sun Sep 11, 2005 1:38 pm
by John Cartwright
You cannot have any output before sending headers, unless you are using ob_*.
Another thing you will need to do is have a session regarding the user's permission to access the files. So once the user has been logged in, set his permission to 1 (user permission) or 2 (admin permission), and once you have redirected the user to his or her appropriate page, check against the session to 1) make sure it exists 2) make sure they have permission to access the page. This will prevent people from directly accessing the pages without properly logging in.

Code: Select all

<?php
session_start();

// ... connection, $_POST handling and query from the original userVer.php go here ...

if (!$dbCon)
{
    die ("Failed to connect to MySQL!" . mysql_error()) ;
}
else
{
    if (!$dbUse)
    {
        print "Unable to open database!" ;
    }
    else
    {
        if (!$searchRows)
        {
            print "Login Failed : UNAUTHORIZED USER" ;
        }
        else
        {
            if ($username == "admin" && $password == "admin")
            { 
                 $_SESSION['permission'] = 2;
                 header("Location: admin.php");
                 die();
                
            }
            else if ($username == "user" && $password == "user")
            {
                $_SESSION['permission'] = 1;
                header("Location: user.php");
                die();
            }
        }
    }
}

mysql_close();

?>
Note that I have changed admin.html and user.html to admin.php and user.php to allow for session checking.
On user.php at the top of the page add this code

Code: Select all

<?php
session_start();

if (!isset($_SESSION['permission']) || $_SESSION['permission'] != 1) {
   die('Unauthorized Access');
}
same with admin.php but change != 1 to != 2

thank you
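
The login check from this thread with its input handling hardened, as an added example that is not part of any post: the scripts above interpolate `$_POST` values directly into the SQL string and pick the role by comparing against literal passwords, while this version binds the username as a parameter, verifies a stored hash and reads the role from the matching row. Assumptions: PDO with an in-memory SQLite table standing in for the `ordersystem` database, `uPass` holding `password_hash()` output, and a hypothetical `uRole` column (1 = user, 2 = admin); the sample accounts are constructed.

```php
<?php
// Added example, not code from the thread. Assumed: uPass holds password_hash()
// output and a hypothetical uRole column holds 1 (user) or 2 (admin).

function authenticate(PDO $db, string $username, string $password): ?int
{
    // Bound parameter: the submitted name is data, never part of the SQL text.
    $stmt = $db->prepare('SELECT uPass, uRole FROM uProfile WHERE uName = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['uPass'])) {
        return null;
    }
    return (int) $row['uRole'];
}

function landingPage(int $permission): string
{
    return $permission === 2 ? 'admin.php' : 'user.php';
}

// Constructed sample data in an in-memory SQLite database so the block runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE uProfile (uName TEXT PRIMARY KEY, uPass TEXT, uRole INTEGER)');
$ins = $db->prepare('INSERT INTO uProfile VALUES (?, ?, ?)');
$ins->execute(['admin', password_hash('constructed-admin-pw', PASSWORD_DEFAULT), 2]);
$ins->execute(['user', password_hash('constructed-user-pw', PASSWORD_DEFAULT), 1]);

// In userVer.php these two values come from $_POST['uName'] and $_POST['pWord'].
$permission = authenticate($db, 'admin', 'constructed-admin-pw');

if ($permission === null) {
    echo "Login failed\n";            // same message for unknown user and wrong password
} elseif (PHP_SAPI === 'cli') {
    echo 'Would redirect to ' . landingPage($permission) . "\n";
} else {
    session_start();
    session_regenerate_id(true);      // fresh session ID at the privilege change
    $_SESSION['permission'] = $permission;
    header('Location: ' . landingPage($permission));
    exit;                             // no output before or after the header
}

// A name containing a quote is matched literally and finds no row.
var_dump(authenticate($db, "o'brien", 'x') === null);
```

The `permission` value written here is the same one the `user.php` and `admin.php` checks above read, so those page guards work unchanged.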

Posted: Sun Sep 11, 2005 10:45 pm
by gothica
thanks for the tips! i really appreciate it. sorry about the wrong use of the code tag though :oops: