Login / Access Levels
Posted: Thu Nov 18, 2004 8:52 am
by PHPMan
I was wondering, I'm setting up a login and there are two levels of access to the website, level one and level two.
Level two gets all the links level one has plus more, and level one only gets a certain few links.
For the login, when people enter their id & password, I want the PHP script to check the database and see if the user is authorized for level one or level two. If I log in and I'm authorized for level one, then I get level one access.
If I log in and I'm authorized for level two, then I get level two access...
I was going to make the table like this:
id | password | access
Under access it will either be a : 1 or 2
Now, I'm going to look through the forum to see if anyone has posted anything similar to this, but I'm not sure what command to put into the script to ask the database this?
Thanks
Posted: Thu Nov 18, 2004 9:09 am
by kettle_drum
Well you are doing the right thing. When you check the username/password from the database you can just call for the access level too and then place that into a var if the login is successful.
Code:
SELECT * FROM table WHERE id = 'username';
Login Script :)
Posted: Thu Nov 18, 2004 9:27 am
by AnarKy
Login Script
Hello,
You may also need to store the login details in session variables.
Do that if you need to check the user status/level on most pages.
I would do something like this on the login page,
then check the user status / level on other pages that are accessed.
Code:
<?php
session_start();
include("db.php"); // defines HOST, USER, PASS and DB for the database

if (@$_POST["submit"] <> "") { // the login form was submitted
    $validpwd = False;
    // setup variables
    $userid = @$_POST["userid"];
    $userid = (get_magic_quotes_gpc()) ? stripslashes($userid) : $userid;
    $passwd = @$_POST["passwd"];
    $passwd = (get_magic_quotes_gpc()) ? stripslashes($passwd) : $passwd;
    if (!$validpwd) {
        $conn = mysql_connect(HOST, USER, PASS);
        mysql_select_db(DB);
        // escape the submitted name so it cannot change the meaning of the query
        $safeid = mysql_real_escape_string($userid, $conn);
        $rs = mysql_query("SELECT * FROM `users` WHERE `USERNAME` = '" . $safeid . "'") or die(mysql_error());
        if ($row = mysql_fetch_array($rs)) {
            // passwords are stored in clear text and compared case-insensitively
            if (strtoupper($row["PASSWORD"]) == strtoupper($passwd)) {
                $_SESSION["status_User"] = $row["USERNAME"];
                $_SESSION["status_UserID"] = $row["USERNAME"];
                $_SESSION["status_UserLevel"] = $row["LEVEL"];
                $validpwd = True;
            }
        }
        mysql_free_result($rs);
        mysql_close($conn);
    }
    if ($validpwd) {
        $_SESSION["status"] = "login";
        header("Location: index.php"); // default page is index.php
        exit; // stop here so nothing below is sent after the redirect
    }
} else {
    $validpwd = True;
}
?>
"db.php" simply defines HOST, USER, PASS for the database.
Remember to check if the user is logged in on every page,
if they are not,
then redirect them to the login page.
When the login is successful, the user ends up on "index.php"
Assumed mySQL
Posted: Thu Nov 18, 2004 9:31 am
by AnarKy
Oh, sorry...
I assumed you were using MySQL.
If you are not, I'm sure the PHP manual has the equivalent syntax and stuff for your DB.
Hope the script helps.
PHP
Posted: Fri Nov 19, 2004 5:44 pm
by PHPMan
I am using MySQL.
I like the script that was previously posted, seems like it'd work well...
What I was thinking was simply having just three rows in the table:
And when a user registers, they automatically get Level One Access once they click the link in their validation email...
Level Two Access only comes by users logging into the 'Admin Area' and 'adding a user' to the section that has 'Level Two Security Access'.
The three rows would be | Username | Password | Access
and in access, it will either have one or two, and the PHP script will check the access level:
if 1, then they get redirected to /admin/index.php
if level 2, they get redirected to /members/index.php
So the previous script posted I think will work, if we add some stuff to it...
If I add in a script for where to send the people with level 2, and where to send the people with level one.
What do you guys think?
Posted: Tue Dec 28, 2004 12:34 am
by crouse
I think that the benefit of having two sets of the same web site, one user and the other admin, really depends on how much you are using PHP to generate those sites. If you are using just HTML to create the sites and only having PHP do form processing or other backend work then having two sets of the same sites is necessary.
However, if you are using PHP to generate the majority of the site then you can script only one site and use conditional statements to control access to certain areas. However, this does not work if the admin site, not just admin areas, is drastically different from the regular user site. If you have three links that are available to all users and one that is only accessible to administrators, or level 2 access, then place a conditional statement around the block of code that generates the HTML. This also works if you wrap entire HTML blocks in conditional statements. This method restricts access to the links that users have permission to visit. However, one concern is backdooring admin areas. An example of how to deal with this is, at the beginning of the page, to check the user's access and if permission is insufficient then redirect back to the main page.
I use this method when restricting access to areas of my applications. If a user can't click a button or menu item then they can't gain access to that part of my applications. However, I don't have the problem of someone finding a back door, such as cached URLs, in my applications. Using the check on all restricted pages allows a programmer to prevent users from exploiting that issue.
Chris
Re: Login / Access Levels
Posted: Tue Dec 28, 2004 6:46 am
by McGruff
PHPMan wrote: I was going to make the table like this:
id | password | access
Under access it will either be a : 1 or 2
This gives you a simple system with cumulative, hierarchical privileges and bits of code like this scattered throughout the app:
Code:
if($user_level > 1)
{
    // authorised to do something
}
However, if your needs become more complex, this will quickly break down. Suppose you had a bunch of pay-to-view articles, or you want to grant some of the privileges of level 2 to a user at level 1 but not for other users at level 1. An alternative could be to have a bunch of related database tables which map individual privileges to individual users.
If your code resembles the above snippet at all, specific privileges (show admin edit button, view admin management page etc) are being mapped to integer levels throughout the scripts rather than in some kind of central configuration (such as a db). In anything but a very simple app, this makes it difficult to keep track of what level has what privileges and difficult to edit the mapping when you have to change them. Some kind of central configuration makes life easier. An ini file which lists the privileges associated with each level might be another option to a db.
If the "is authorised" call is wrapped in a function you can hide the authorisation implementation. This makes it easy to upgrade the authorisation system with one quick function edit.
Code:
if(hasPrivilege($uid, 'foo'))
{
    // a user with id $uid has the "foo" privilege
}
The hasPrivilege() function can use simple integer levels if that's all you really need (get the user's level, check if the "foo" privilege is listed in the central configuration file for that level, return true/false).
Or, if your app outgrows simple integer levels, you could simply change the function to, say, perform a complex JOIN query with a series of related database tables linking users, user groups, privileges, and privilege groups. You'll probably want to store user privileges in session once you've got them, to save repeated db calls.
Actually I'd be doing all this in OOP but it's the same general idea.
Posted: Tue Dec 28, 2004 1:10 pm
by crouse
This is a great suggestion. It is always good to create functions to wrap common functionality. An idea to expand on your OO permission design is to create a permission class that is a cache of user permissions. This can be designed several ways.
However, the basic idea is that if you are going to use multiple "named" permissions and not just levels, then on login all the permissions are downloaded into an object. The application uses that object to determine if a person has that permission. An example method for this is hasPermission, or hasPrivilege, which takes in parameters that define the permission.
If you make an object of this permission class a member of your user then you don't have to maintain a separate object in your session. Because the object is a member of the user class, you already have your user reference and you don't have to worry much about keeping track of a separate user.
Hope this helped,
Chris
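Pulling the three suggestions together (McGruff's hasPrivilege() wrapper over a central level-to-privilege map, crouse's session-cached permission object, and the top-of-page redirect check from crouse's earlier post), as an added example that is not code from any of the posts; the privilege names, the session key and the redirect target are assumptions:

```php
<?php
// Added example, not code from the thread: McGruff's hasPrivilege() wrapper
// over a central level -> privileges map, crouse's session-cached permission
// object, and his top-of-page redirect check. Levels 1 and 2 are PHPMan's;
// the privilege names are made up for illustration.

// Central configuration: the only place that says which level grants what.
// Level 2 is cumulative, so it lists everything level 1 has plus more.
$LEVEL_PRIVILEGES = array(
    1 => array('view_members_area'),
    2 => array('view_members_area', 'view_admin_area', 'add_user'),
);

class Permissions {
    private $granted = array();   // privilege name => true
    // The caller decides where the names come from: the central map for
    // integer levels today, a JOIN over per-user privilege tables later.
    public static function fromList(array $names) {
        $p = new Permissions();
        foreach ($names as $name) {
            $p->granted[$name] = true;
        }
        return $p;
    }
    public static function fromLevel($level, array $map) {
        return self::fromList(isset($map[$level]) ? $map[$level] : array());
    }
    public function hasPrivilege($name) {
        return isset($this->granted[$name]);
    }
}
// Called once at login, after the password check succeeds. Include this file
// before session_start() so the stored object unserializes on later pages.
function storePermissions(Permissions $p) {
    $_SESSION['permissions'] = $p;
}
// The one call the rest of the app uses; only it knows how privileges are kept.
function hasPrivilege($name) {
    return isset($_SESSION['permissions'])
        && $_SESSION['permissions']->hasPrivilege($name);
}
// Top of every restricted page: deny by default, so a cached or typed URL
// gets the same answer as a hidden menu link.
function requirePrivilege($name) {
    if (!hasPrivilege($name)) {
        header('Location: /index.php');
        exit;
    }
}
```

At login, after the password check, call storePermissions(Permissions::fromLevel($row['access'], $LEVEL_PRIVILEGES)); on each restricted page, call requirePrivilege('view_admin_area') before any output.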