I think I need to explain my question better.

I have a db and the table contains 4 fields uid(pk) username password
 I can authenticate the user / pass properly. The problem I am having is
getting the information from field location and defining it as $location so
I can do the following: (when I make $redirectLoginSuccess = "example.php"
all works fine)
$redirectLoginSuccess = "$location";
$redirectLoginFailed = "../index.php";

    header("Location: " . $redirectLoginSuccess );
  else {
        header("Location: ". $redirectLoginFailed );

Here is where I query the db
$LoginRS__query=sprintf("SELECT username, password FROM webauth WHERE
username='%s' AND password='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername),
get_magic_quotes_gpc() ? $password : addslashes($password));
  $LoginRS = mysql_query($LoginRS__query, $mysql) or die(mysql_error());
On the landing page im using this for security:
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) { 
  // For security, start by assuming the visitor is NOT authorized. 
  $isValid = False; 

  // When a visitor has logged into this site, the Session variable
MM_Username set equal to their username. 
  // Therefore, we know that a user is NOT logged in if that Session
variable is blank. 
  if (!empty($UserName)) { 
    // Besides being logged in, you may restrict access to only certain
users based on an ID established when they login. 
    // Parse the strings into arrays. 
    $arrUsers = Explode(",", $strUsers); 
    $arrGroups = Explode(",", $strGroups); 
    if (in_array($UserName, $arrUsers)) { 
      $isValid = true; 
    // Or, you may restrict access to only certain users based on their
    if (in_array($UserGroup, $arrGroups)) { 
      $isValid = true; 
    if (($strUsers == "") && true) { 
      $isValid = true; 
  return $isValid; 

$MM_restrictGoTo = "../index.php";
if (!((isset($_SESSION['MM_Username'])) &&
(isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'],
$_SESSION['MM_UserGroup'])))) {   
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0) 
  $MM_referrer .= "?" . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" .
  header("Location: ". $MM_restrictGoTo); 
-----Original Message-----
From: Ahmed Saad [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 14, 2005 8:34 AM
To: Vinny Lape
Cc: php-db@lists.php.net
Subject: Re: [PHP-DB] User authentication and redirect

hi Vinny,

On 7/13/05, Vinny Lape <[EMAIL PROTECTED]> wrote:
> If user validates then look at db entry location then redirect to
> mydomain.com/"location"/index.php

i don't think it's a good idea. what if the user bookmarked or took
down a notice with the URL to your "secured" page
(mydomain.com/location/index.php)? then he would just type the url
heading directly for the bypassing your login page! i think u might
want to put the user authorization code in your index php or even
better put it in a file and require() that file at the top of of any
page u want to protect. you can either use sessions or plain HTTP
authentication  (which is not a very good idea).


PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to