I can't see why you simply dont do this

if ($LoginSuccessful)
{
 $location = "";
}else{
 $location = "../index.php";
}
header("location=$location");

If i don't have the solution, perhaps I am misunderstanding the problem

Bastien


From: "Vinny Lape" <[EMAIL PROTECTED]>
To: <php-db@lists.php.net>
Subject: RE: [PHP-DB] User authentication and redirect
Date: Fri, 15 Jul 2005 09:01:52 -0400

I think I need to explain my question better.

I have a db and the table contains 4 fields uid(pk) username password
location
 I can authenticate the user / pass properly. The problem I am having is
getting the information from field location and defining it as $location so
I can do the following: (when I make $redirectLoginSuccess = "example.php"
all works fine)
<snip>
$redirectLoginSuccess = "$location";
$redirectLoginFailed = "../index.php";
</snip>

<snip>
}
    header("Location: " . $redirectLoginSuccess );
  }
  else {
        header("Location: ". $redirectLoginFailed );
</snip>

Here is where I query the db
<snip>
$LoginRS__query=sprintf("SELECT username, password FROM webauth WHERE
username='%s' AND password='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername),
get_magic_quotes_gpc() ? $password : addslashes($password));
  $LoginRS = mysql_query($LoginRS__query, $mysql) or die(mysql_error());
</snip>
On the landing page im using this for security:
<?php
session_start();
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = False;

  // When a visitor has logged into this site, the Session variable
MM_Username set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session
variable is blank.
  if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain
users based on an ID established when they login.
    // Parse the strings into arrays.
    $arrUsers = Explode(",", $strUsers);
    $arrGroups = Explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    }
    // Or, you may restrict access to only certain users based on their
username.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    }
    if (($strUsers == "") && true) {
      $isValid = true;
    }
  }
  return $isValid;
}

$MM_restrictGoTo = "../index.php";
if (!((isset($_SESSION['MM_Username'])) &&
(isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'],
$_SESSION['MM_UserGroup'])))) {
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
  $MM_referrer .= "?" . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" .
urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo);
  exit;
}
?>
-----Original Message-----
From: Ahmed Saad [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 14, 2005 8:34 AM
To: Vinny Lape
Cc: php-db@lists.php.net
Subject: Re: [PHP-DB] User authentication and redirect

hi Vinny,

On 7/13/05, Vinny Lape <[EMAIL PROTECTED]> wrote:
> If user validates then look at db entry location then redirect to
> mydomain.com/"location"/index.php

i don't think it's a good idea. what if the user bookmarked or took
down a notice with the URL to your "secured" page
(mydomain.com/location/index.php)? then he would just type the url
heading directly for the bypassing your login page! i think u might
want to put the user authorization code in your index php or even
better put it in a file and require() that file at the top of of any
page u want to protect. you can either use sessions or plain HTTP
authentication  (which is not a very good idea).

-ahmed

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to