Tweaking authorization script for three private page area

willj1234
Forum Newbie
Posts: 3
Joined: Fri Feb 22, 2008 8:10 am

Tweaking authorization script for three private page area

Post by willj1234 »

Hello,

I have an issue with an if statement that needs correcting. I can't quite figure it out.

I have a registration page where users can choose between three options. These three options take the users to a different "private" page. This is the relevant login code:

Code:

// $login comes from the login form; escape it before interpolating it into SQL.
// (Unsalted md5() for passwords was common in 2008 but is weak; kept here as posted.)
$qry="SELECT member_id, location FROM members WHERE login='".mysql_real_escape_string($login)."' AND passwd='".md5($_POST['password'])."'";
    $result=mysql_query($qry);
    //Check whether the query was successful or not 
    if($result) {
        if(mysql_num_rows($result)>0) {
            //Login Successful
            session_regenerate_id();
            $member=mysql_fetch_assoc($result);
            $_SESSION['SESS_MEMBER_ID']=$member['member_id'];
            // Nothing written to $_SESSION after this call is saved.
            session_write_close();
            switch ($member['location']) 
            {
                case "private1":
                    header("location: private1.php");
                    break;
                case "private2":
                    header("location: private2.php");
                    break;
                case "private3":
                    header("location: private3.php");
                    break;  
                default:
                    //ERROR: location value not recognised
                    break;
                    
            }
            //end new code
            exit();
            
        }else {
            //Login failed
            header("location: failed.php");
            exit();
        }
    }else {
        die("Query failed");
    }
As is, this code works.

The way it works is such that the case system decides which "location" the user picked when they registered, and takes them there after they login.

On each of the private pages, there is a require once function:

Code:

<?php
    require_once('authorization.php');
?>
and that script does:

Code:

<?php
 
//Starts session for private page browsing
 
    session_start();
       
//Check if the session variable (called SESS_MEMBER_ID is there)
 
    if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID'])=='')) {
        header("location: denied.php");
        exit();
    }
?>
The only problem I'm having is that even if somebody logs in as private1, they can still see the other two private areas (by typing them in the URL bar). Thus making each of the private areas NOT really private.

Back to the case statement, I have since added this

Code:

<?php
switch ($member['location']) 
            {
                case "private1":
                    header("location: private1.php");
                    // Only persisted if session_write_close() has NOT already been called.
                    $_SESSION['page_allowed']="private1.php";
                    break;
                case "private2":
                    header("location: private2.php");
                    $_SESSION['page_allowed']="private2.php";
                    break;
                case "private3":
                    header("location: private3.php");
                    $_SESSION['page_allowed']="private3.php";
                    break;  
                default:
                    //ERROR: location value not recognised
                    break;
                    
            }
?>
 
Note the added $_SESSION['page_allowed']="private1.php";

And then consequently added the $_SESSION['page_allowed']!="private2.php"; string to the authorization.php script (changing the private'n' number for the corresponding pages).

Code:

 
if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID'])=='')) || $_SESSION['page_allowed']!="private1.php";{
        header("location: denied.php");
        exit();
    }
 
This means I have used a different authorization script for each of the three private pages (because I have to explicitly specify whether their allowed page is private1,2 or 3).

But it doesn't work. What happens is the user goes straight to the denied.php page. Have I defined my [page_allowed] variable incorrectly in my case statement?

Although the authorization script seems to work (and redirect) properly before I added this new [page_allowed] variable, how can I add that 'or' clause to the authorization script so only those users can see their respective allowed areas? I have a feeling I'm missing something basic and I have a feeling it is the $_SESSION['page_allowed'] definition in the case statement.

I would be very grateful if somebody could help tweak this for me!

Thank you,
W
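Added example, not the original poster's code: the login side done so that the per-area value is set reliably. The `location` column is mapped through a fixed whitelist, both session values are stored, and only then is `session_write_close()` called, because PHP discards writes to `$_SESSION` made after the session has been closed (in the posted login code the `session_write_close()` call precedes the switch that assigns `page_allowed`). The `$member` row is a constructed sample standing in for the `mysql_fetch_assoc()` result; `assign_private_area()` and `$AREA_PAGES` are names assumed for this example.

```php
<?php
// Added example, not the original poster's code.
// Whitelist: the members.location value -> the one private page that value unlocks.
// Only strings from this table are ever passed to header("Location: ...").
$AREA_PAGES = array(
    'private1' => 'private1.php',
    'private2' => 'private2.php',
    'private3' => 'private3.php',
);

// Stores the member id and allowed page in $session and returns the redirect
// target, or null when the location column holds a value not in the table.
function assign_private_area(array &$session, $memberId, $location, array $areaPages)
{
    if (!isset($areaPages[$location])) {
        return null;
    }
    $session['SESS_MEMBER_ID'] = $memberId;
    $session['page_allowed']   = $areaPages[$location];
    return $session['page_allowed'];
}

// Constructed sample row standing in for the mysql_fetch_assoc() result.
$member = array('member_id' => 42, 'location' => 'private2');

session_start();
session_regenerate_id(true);   // fresh id after login; true discards the old session data

$target = assign_private_area($_SESSION, $member['member_id'], $member['location'], $AREA_PAGES);

// Close the session only AFTER every $_SESSION write: PHP discards writes made
// after session_write_close(), so an assignment placed after that call is lost.
session_write_close();

if ($target === null) {
    header('Location: failed.php');   // unknown location value: treat as a failed login
} else {
    header('Location: ' . $target);
}
exit();
```

With the table in place the redirect target and the stored `page_allowed` value always come from the same entry, so there is no way for the two to drift apart as they can when each `case` repeats the file name twice.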
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Tweaking authorization script for three private page area

Post by Christopher »

You need to check whether $_SESSION['page_allowed'] is equal to the current page name and redirect if it is not.
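One way to implement the check Christopher describes, as an added example that is not code from the thread: a single `authorization.php` that every private page can `require_once`, comparing `$_SESSION['page_allowed']` with the name of the script actually being served, instead of three copies with the page name hard-coded. `current_page_name()` and `is_authorized()` are helper names assumed here, and the example assumes the login script stored `page_allowed` as a bare file name such as `private1.php` before calling `session_write_close()`.

```php
<?php
// Added example, not code from the thread: one authorization.php shared by
// private1.php, private2.php and private3.php.
// Assumes the login script stored $_SESSION['SESS_MEMBER_ID'] and
// $_SESSION['page_allowed'] (a bare file name such as "private1.php")
// before it called session_write_close().
session_start();

// Name of the script being served, e.g. "/members/private2.php" -> "private2.php".
function current_page_name()
{
    return basename($_SERVER['SCRIPT_NAME']);
}

// Pure check so it can be exercised with any array, not only $_SESSION.
function is_authorized(array $session, $page)
{
    if (!isset($session['SESS_MEMBER_ID']) || trim((string) $session['SESS_MEMBER_ID']) === '') {
        return false;   // not logged in
    }
    if (!isset($session['page_allowed'])) {
        return false;   // logged in, but the login script assigned no area
    }
    // Strict string comparison: "private1.php" only matches "private1.php".
    return $session['page_allowed'] === $page;
}

if (!is_authorized($_SESSION, current_page_name())) {
    header('Location: denied.php');
    exit();
}
```

Each private page keeps its existing `require_once('authorization.php');` line unchanged. A member whose session holds `private1.php` who types `private2.php` into the address bar is redirected to `denied.php` because the stored name does not match the served one. Because `basename()` drops the directory, the three pages must not share a file name with other scripts that include this check; if they live in different directories, compare a path instead of the bare name.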
willj1234
Forum Newbie
Posts: 3
Joined: Fri Feb 22, 2008 8:10 am

Re: Tweaking authorization script for three private page area

Post by willj1234 »

You need to check whether $_SESSION['page_allowed'] is equal to the current page name and redirect if it is not.
Can you be a bit more specific? I understand that the $_SESSION needs to be checked, but I'm not sure if it was set correctly in the case statement. Is this correct?

if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID'])=='')) || $_SESSION['page_allowed']!="private1.php";{
header("location: denied.php");
exit();
}

Because right now it only redirects to denied.php even if the user's allowed page does in fact equal private1.php.


I'm a bit new to PHP so if you could help any further I would be most appreciative.
willj1234
Forum Newbie
Posts: 3
Joined: Fri Feb 22, 2008 8:10 am

Re: Tweaking authorization script for three private page area

Post by willj1234 »

Can anyone suggest how I can "check whether $_SESSION['page_allowed'] is equal to the current page name and redirect if it is not." ? I'm still a bit lost and would appreciate any ideas. Thank you!
jtsandlund
Forum Newbie
Posts: 1
Joined: Wed Mar 05, 2008 12:50 pm

Re: Tweaking authorization script for three private page area

Post by jtsandlund »

Are you messing up your parentheses? I've had trouble with authentication before, and I'm quite the newbie, but maybe you should try this:

Code:

if( !isset( $_SESSION['SESS_MEMBER_ID'] ) || trim( $_SESSION['SESS_MEMBER_ID'] ) == '' || $_SESSION['page_allowed'] != "private1.php" ) {
header("location: denied.php");
exit();
}
I'm not sure if your 'page_allowed' variable got set either. Can you put that before the header, or does the header always come first? Read the tutorial viewtopic.php?f=28&t=1157 -- that has some information about headers. I think, if the header is the problem, then you may need an ob_start();

Hope that helps...

By the way, the trim($_SESSION['SESS_MEMBER_ID'])=='' , I never had in my authentication. What is that for? Shouldn't !isset($_SESSION['SESS_MEMBER_ID']) do the trick?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: Tweaking authorization script for three private page area

Post by John Cartwright »

A quick optimization here,

Code:

if( !isset( $_SESSION['SESS_MEMBER_ID'] ) || trim( $_SESSION['SESS_MEMBER_ID'] ) == '' || $_SESSION['page_allowed'] != "private1.php" ) {
with

Code:

// empty() covers both the unset and the blank case; compare page_allowed, not the member id.
if(empty($_SESSION['SESS_MEMBER_ID']) || $_SESSION['page_allowed'] != "private1.php" ) {