
problem with security

Posted: Mon Nov 12, 2012 11:27 am
by beginner123
I am creating a website that sells products and I have just finished adding a login function.
So certain pages are only available if you log in, but if you enter the URL of the page you can see it without logging in.
I know I can solve this problem by adding this code:

Code:

if(isset($_SESSION['signed_in']) != true)
{
	//the user is not signed in
	echo 'Sorry, you have to be <a href="/musicwebsite/signin.php">signed in</a> to view this page.';
}
else
{

//rest of code
}
But my problem is I have mixed PHP with HTML, so adding the above code is a bit difficult because the page still displays any HTML code.
Is there any way to solve this, or will I have to convert all HTML code to PHP?

Here is an example of a page with PHP and HTML:

Code:

<?php
// The session has to be started before $_SESSION is read anywhere on the page.
session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252" />
<title>Products</title>
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>

<div id="main_container">

    <div id="header">
        <div class="logo">
            <a href="index.php"><img src="images/logo.gif" alt="" title="" border="0" /></a>
        </div>
    </div>

<?php
@$db = new mysqli('localhost', 'root', "", 'k00127082');

if (mysqli_connect_errno()) {
    echo 'error connecting to db';
    exit;
}

$query = "SELECT * from products";

$result = $db->query($query);

$num_results = $result->num_rows;

//echo 'Number of products found : <strong>' . $num_results . '</strong><br><br>';
?>
    <div id="userbar">
        <?php include 'userbar.php'; ?>
    </div>

    <div id="main_content">

        <div class="center_content">

            <div id="menu_tab">
                <ul class="menu">
                    <li><a href="index.php" class="nav"> home </a></li>

                    <?php
                    if (isset($_SESSION['signed_in']) && $_SESSION['userLevel'] == 0) {
                        echo "<a class=\"nav\" href=\"/musicwebsite/about.php\">about us</a>
                        <a class=\"nav_selected\" href=\"/musicwebsite/products.php\">products</a>
                        <a class=\"nav\" href=\"/musicwebsite/contact.php\">contact us</a>";
                    }

                    if (isset($_SESSION['signed_in']) && $_SESSION['userLevel'] == 1) {
                        echo "<a class=\"nav\" href=\"/musicwebsite/about.php\">about us</a>
                        <a class=\"nav_selected\" href=\"/musicwebsite/products.php\">products</a>
                        <a class=\"nav\" href=\"/musicwebsite/contact.php\">contact us</a>
                        <a class=\"nav\" href=\"/musicwebsite/managesite.php\">manage site</a> ";
                    }
                    ?>

                </ul>
            </div>

            <div class="categories_products">
                <div class="title">
                    <p><img src="images/title_products.gif" alt="" title="" /></p>

                    <form action='search.php' method='post'>
                        Search for product:<input type="text" name="term" />
                        price:<select name="secondterm" id="secondterm">
                            <option value="100">1-200</option>
                            <option value="300">200-400</option>
                            <option value="700">500-800</option>
                            <option value="900">800-1000</option>
                            <option value="1000">1000-2000</option>
                        </select>

                        <input type="submit" name="submit" value="Search" />
                    </form>
                    <div class="prod_box">

                        <div class="prod_details">

                            <table width="650" border="2">

                                <tr>
                                    <!--  <th>Product Number</th> -->
                                    <th>Product Description</th>
                                    <!-- <th>Quantity On Hand</th> -->
                                    <th>Price</th>
                                    <th>Image</th>
                                    <?php
                                    if (isset($_SESSION['signed_in']) && $_SESSION['userLevel'] == 1) {
                                        echo "
                                        <th>UPDATE</th>
                                        <th>DELETE</th> ";
                                    }
                                    ?>
                                </tr>

                                <?php
                                for ($i = 0; $i < $num_results; $i++) {

                                    $row = $result->fetch_object();

                                    $propID = $row->id;
                                    $product_name = $row->product_name;
                                    $product_description = $row->product_description;
                                    $quantity_on_hand = $row->quantity_on_hand;
                                    $price = $row->price;
                                    $image = $row->image;
                                    $formattedPrice = number_format($price, 2, '.', ',');
                                    // Escape database values before placing them in HTML.
                                    $safeDescription = htmlspecialchars($product_description);
                                    $safeImage = htmlspecialchars($image);

                                    echo '<tr>';
                                    echo "<td>$safeDescription</td>";
                                    echo "<td>€$formattedPrice</td>";
                                    echo "<td><a href='datadrilldown.php?propID=$propID'><img src='images/$safeImage'/></a></td>";

                                    if (isset($_SESSION['signed_in']) && $_SESSION['userLevel'] == 1) {
                                        echo "<td><a href='updateform.php?propID=$propID'>Update Product</a></td>";
                                        echo "<td><a href='deleteform.php?propID=$propID'>Delete Product</a></td>";
                                    }

                                    echo '</tr>'; // every row needs closing, not only admin rows
                                }

                                echo '</table>';

                                //$result->free();
                                $db->close();
                                ?>

                        </div>
                    </div>

                    <div class="clear"></div>
                </div>

            </div>

        </div>

    </div><!-- closes main_content -->

    <div id="footer">
        <div class="left_footer"><img src="images/footer_logo.gif" alt="" title="" /></div>
        <div class="right_footer"><a href="http://csscreme.com/freecsstemplates/" title="free css templates"><img src="images/csscreme.gif" alt="free css templates" border="0" /></a></div>
    </div>

</div>
</body>
</html>
thanks

Re: problem with security

Posted: Mon Nov 12, 2012 11:52 am
by Christopher
There are a couple of ways to handle this. You could wrap the whole page in a big if. Or you could include a header file that does the access check and if not allowed displays the alternate content and exits. You may want to look into the Front Controller pattern as well.

Re: problem with security

Posted: Mon Nov 12, 2012 12:10 pm
by beginner123
Already tried the big if, but having the HTML and PHP in the one page is causing the problem. The if statement won't work with HTML code in the middle.
The same thing happens with a header file.

Re: problem with security

Posted: Mon Nov 12, 2012 3:51 pm
by califdon
beginner123 wrote: Already tried the big if, but having the HTML and PHP in the one page is causing the problem. The if statement won't work with HTML code in the middle.
The same thing happens with a header file.
Yes it will. The PHP logic works just fine with HTML, like this:

Code:

<body>
This will always be included in the output.
<?php
if(date("N")==1) {
?>
   Today is Monday!
<?php
}
?>
   Some more html . . .
Try it!

Re: problem with security

Posted: Mon Nov 12, 2012 4:07 pm
by beginner123
Yes, I understand that, but it will still display the HTML stuff because I can't include it in the PHP tags.

Re: problem with security

Posted: Mon Nov 12, 2012 6:41 pm
by califdon
beginner123 wrote: Yes, I understand that, but it will still display the HTML stuff because I can't include it in the PHP tags.
What do you mean, you can't include it within the PHP tags? Why not? That's a very common way to accomplish such a task.

Re: problem with security

Posted: Mon Nov 12, 2012 7:09 pm
by Christopher
califdon is correct. You can control what HTML will display with PHP control structures:

Code:

<?php
if ($var) {
?>
<p>This will display if var is true.</p>
<?php
} else {
?>
<p>This will display if var is false.</p>
<?php
}
?>

Re: problem with security

Posted: Wed Nov 14, 2012 7:37 am
by Mordred
An even easier method is to include a file before everything else:

Code:

<?php
$logged_in = ... //do the check
if (!$logged_in) {
  header('Location: http://yoursite.com');
  die(); //this bit is important, otherwise the rest of the code will get executed as well.
}
?>
But as Christopher said, a Front Controller will simplify your life a great deal: among other benefits it will give you a single entry point before which you can make your login checks.
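A concrete version of the include-and-exit guard that Christopher and Mordred describe, written as an added example rather than code from the thread. It reuses the thread's $_SESSION['signed_in'] and $_SESSION['userLevel'] keys and the /musicwebsite/signin.php path; the file name auth_check.php, the function names and the ADMIN_LEVEL constant are assumptions.

```php
<?php
// auth_check.php: added example, not code from the thread. require_once it as
// the very first statement of every protected page, before any HTML is sent,
// because header() cannot redirect once output has begun. Session keys and the
// sign-in path come from the thread; file name, function names and ADMIN_LEVEL
// are assumptions.
declare(strict_types=1);

const ADMIN_LEVEL = 1; // the thread's userLevel for users who get "manage site"

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start(); // $_SESSION is empty until the session is started
}

function is_signed_in(): bool
{
    // Same semantics as the thread's own check: the key being set means signed in.
    return !empty($_SESSION['signed_in']);
}

function user_level(): int
{
    return is_signed_in() ? (int) ($_SESSION['userLevel'] ?? 0) : -1;
}

/*
 * Abort the request unless the visitor is signed in and, when $minLevel is
 * given, has at least that level. Redirects to the sign-in page and exits, so
 * no line below the require_once in the calling page is executed or sent.
 */
function require_signed_in(?int $minLevel = null): void
{
    if (is_signed_in() && ($minLevel === null || user_level() >= $minLevel)) {
        return; // allowed: let the page render as usual
    }
    header('Location: /musicwebsite/signin.php', true, 303);
    exit; // without this the rest of the page would still run and be output
}

/*
 * Usage, as the first statement of products.php (before the DOCTYPE):
 *     require_once __DIR__ . '/auth_check.php';
 *     require_signed_in();
 * and of managesite.php, which only level-1 users may open:
 *     require_once __DIR__ . '/auth_check.php';
 *     require_signed_in(ADMIN_LEVEL);
 */
```

The same file also answers the menu and table-column checks in the products page: those can call is_signed_in() and user_level() instead of repeating the isset() conditions inline.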