Once again, thank you!! Your excellent advice saved my day ;)


Den 24. juli 2011 kl. 16.07 skrev Dajka Tamas:

> You’re welcome :)
>  
> Yes, you can hide the urls, just google for "url rewriting" or "seo urls". 
> Unfortunately, this is not basic level stuff and you cannot hide completely 
> the urls…
>  
> About your issue: that’s why I’ve added to my example’s index.php this line:
>  
> if ( empty($_SESSION['username']) ) {
>       $_SESSION['message'] = "Please log in";
>       header('Location: login.php');
>       exit; // stop here, otherwise the rest of the page is still sent
> }
>  
> For your situation, I would change it a bit ( for ANY index pages, which is 
> not a login page ):
>  
> if ( empty($_SESSION['username']) || $_SESSION['usr_level'] != CURRENT_SITE_PERMISSION ) {
>       //we set a message in session to the user
>       $_SESSION['message'] = "Please log in";
>       //we redirect the user to the login page
>       header('Location: index.php');
>       exit; //stop the script so the protected page is not sent
> }
>  
> This will redirect an unlogged user to the login form ( if logged in, but has 
> no access rights, your login page will log out the user ).
>  
> Don’t forget to store the users’ access level in the session, or this will 
> not work!
>  
> Cheers,
>  
>                Tamas
>  
> From: alekto [mailto:alekto.antarct...@gmail.com] 
> Sent: Sunday, July 24, 2011 3:23 PM
> To: Dajka Tamas
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] Members area Login with permissions!
>  
> Thanks a lot :)
> This solved the user level issue, I can now login with different user levels 
> and get displayed with a link to the corresponding index-pages.
> But I am now facing a new issue regarding this; when I am entering the URLs 
> of the corresponding index-pages I do get access to the 
> corresponding index-pages without having to login at all!! Is there a way to 
> prevent this from happening? 
>  
> And is there also a way to hide the 
> URLs that go beyond www.url.com, i.e. www.url.com/index_admin.php?
>  
>  
> Regards
>  
>  
> Den 24. juli 2011 kl. 13.26 skrev Dajka Tamas:
> 
> 
> Hi,
>  
> yes, class="message" just sets the HTML class for that div element.
>  
> BTW, I’ve found the error:
>  
>  
>               //We get the password of the user
>               $req = mysql_query('select password,id,usr_level from users 
> where username="'.$username.'"');
>               $dn = mysql_fetch_array($req);
>               //Get user level of the user
>               $usr_level = $req['usr_level'];
>  
> You’re setting $usr_level from a mysql_resource! So it’s always null ( you 
> would have guessed it by adding a var_dump($usr_level); after setting 
> $usr_level ).
>  
> The fix: just change it to:
>  
>                $usr_level = $dn['usr_level'];
>  
> Cheers,
>  
>                Tamas
>  
>  
>  
> From: alekto [mailto:alekto.antarct...@gmail.com] 
> Sent: Sunday, July 24, 2011 1:00 PM
> To: Dajka Tamas
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] Members area Login with permissions!
>  
> Hi,
>  
> thank you for answering! I do have a session_start() in config.php.
> For now there is no redirection as you mentioned, but it should display a 
> link to 
> the corresponding next homepage based on user level, which it does not do at 
> this time!
>  
> I thought <div class="message"> was only a class? I already have a $message 
> variable that does display:
> $message = 'The username or password is incorrect.';
>  
> When it comes to separating the code, I think this is a good idea, afraid 
> this will mess the code further up to do at this point?!
>  
> Regards
>  
>  
>  
> Den 24. juli 2011 kl. 11.52 skrev Dajka Tamas:
> 
> 
> 
> Hi,
> 
> I don't see any redirection in your script! It just displays the link to the
> corresponding next homepage based on the user level. To really redirect, you
> should use "header ('Location: URL');". Be aware, that if you pass ANY
> content out, the additional headers can't be set, so either use output
> buffer in php.ini, or ob_start somewhere. And hope you do session_start() in
> config.php ;)
> 
> Cheers,
> 
>             Tamas
> 
> -----Original Message-----
> From: alekto [mailto:alekto.antarct...@gmail.com] 
> Sent: Sunday, July 24, 2011 1:28 AM
> To: php-general@lists.php.net
> Subject: [PHP] Members area Login with permissions!
> 
> Hi,
> I need some help with my html/php, restricted access script. 
> The purpose with this script is to let users login to a members area; some
> with admin permission, some with newbe permission and some with advanced
> permissions. The permissions are pre-defined in the MySQL-DB with a
> use_level-field in the user-table. 
> 
> The different user-groups should have access to the following content:
> 
> admin - permissions to everything (for now the same as advanced)
> advanced - lecture 1 and lecture 2
> newbe - only lecture 1
> 
> The problem with this script is that it does not redirect the different user
> groups to their respective index-pages, please help me to detect why!
> 
> 
> 
> <?php
> include('config.php');
> ?>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> <html xmlns="http://www.w3.org/1999/xhtml">
>   <head>
>       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
>       <link href="<?php echo $design; ?>/style.css" rel="stylesheet"
> title="Style" />
>       <title>Connexion</title>
>   </head>
>   <body>
>       <div class="header">
>               <a href="<?php echo $url_home; ?>"><img src="<?php echo
> $design; ?>/images/logo.png" alt="Members Area" /></a>
>           </div>
> <?php
> //If the user is logged, we log him out
> if(isset($_SESSION['username']))
> {
>       //We log him out by deleting the username and userid sessions
>       unset($_SESSION['username'], $_SESSION['userid']);
> ?>
> <div class="message">You have successfuly been loged out.<br />
> <a href="<?php echo $url_home; ?>">Home</a></div>
> <?php
> }
> else
> {
>       $ousername = '';
>       //We check if the form has been sent
>       if(isset($_POST['username'], $_POST['password']))
>       {
>               //We remove slashes depending on the configuration
>               if(get_magic_quotes_gpc())
>               {
>                       $ousername = stripslashes($_POST['username']);
>                       $username =
> mysql_real_escape_string(stripslashes($_POST['username']));
>                       $password = stripslashes($_POST['password']);
>               }
>               else
>               {
>                       $username =
> mysql_real_escape_string($_POST['username']);
>                       $password = $_POST['password'];
>               }
>               //We get the password of the user
>               $req = mysql_query('select password,id,usr_level from users
> where username="'.$username.'"');
>               $dn = mysql_fetch_array($req);
>               //Get user level of the user
>               $usr_level = $req['usr_level'];
> 
>               //We compare the submited password and the real one, and we
> check if the user exists
>               if($dn['password']==$password and mysql_num_rows($req)>0)
>               {
>                       //If the password is good, we dont show the form
>                       $form = false;
>                       //We save the user name in the session username and
> the user Id in the session userid
>                       $_SESSION['username'] = $_POST['username'];
>                       $_SESSION['userid'] = $dn['id'];
> 
>                if($usr_level == 1)
>                       {
>                         ?>
> <div class="message">You have successfuly been logged in. You can now access
> the admin area.<br />
> <a href="index2.php">Home</a></div>
> <?php
>                       }
>                       if($usr_level == 10)
>                       {
>                       ?>
> <div class="message">You have successfuly been logged in. You can now access
> to the newbe area.<br />
> <a href="index1.php">Home</a></div>
> <?php
>                       }
>                       if($usr_level == 11)
>                       {
>                       ?>
> <div class="message">You have successfuly been logged in. You can now access
> the advanced area.<br />
> <a href="index2.php">Home</a></div>
> <?php
>                       }                            
> 
>               }
>               else
>               {
>                       //Otherwise, we say the password is incorrect.
>                       $form = true;
>                       $message = 'The username or password is incorrect.';
>               }
>       }
>       else
>       {
>               $form = true;
>       }
>       if($form)
>       {
>               //We display a message if necessary
>       if(isset($message))
>       {
>               echo '<div class="message">'.$message.'</div>';
>       }
>       //We display the form
> ?>
> <div class="content">
>   <form action="connexion.php" method="post">
>       Please type your IDs to log in:<br />
>       <div class="center">
>           <label for="username">Username</label><input type="text"
> name="username" id="username" value="<?php echo htmlentities($ousername,
> ENT_QUOTES, 'UTF-8'); ?>" /><br />
>           <label for="password">Password</label><input type="password"
> name="password" id="password" /><br />
>           <input type="submit" value="Log in" />
>               </div>
>   </form>
> </div>
> <?php
>       }
> }
> ?>
>               <div class="foot"><a href="<?php echo $url_home; ?>">Go
> Home</a></div>
>       </body>
> </html>
> 
>  
>  
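
An added example, not code from the thread: a reusable guard for the direct-URL problem discussed above, generalized from one required level per page to an allow-list so that several levels can share a page. The level numbers (1, 10, 11) and the page names index1.php / index2.php come from the original script; `LOGIN_PAGE`, `access_decision()` and `require_level()` are assumptions made for this illustration.

```php
<?php
// guard.php - added example, not code from the thread.
// Level numbers as used in the original script: 1 = admin, 10 = newbe, 11 = advanced.
const LOGIN_PAGE = 'connexion.php'; // assumption: the login form's own action

/**
 * Pure decision: returns null when access is allowed, otherwise the page
 * to redirect to. Free of side effects so it can be checked in isolation.
 */
function access_decision(array $session, array $allowedLevels): ?string
{
    // Not logged in: typing the page URL directly must not be enough.
    if (empty($session['username']) || !isset($session['usr_level'])) {
        return LOGIN_PAGE;
    }
    // Logged in, but this level is not on the page's allow-list.
    if (!in_array((int) $session['usr_level'], $allowedLevels, true)) {
        return LOGIN_PAGE;
    }
    return null;
}

/** Call at the very top of every protected page, before any output. */
function require_level(array $allowedLevels): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $target = access_decision($_SESSION, $allowedLevels);
    if ($target !== null) {
        $_SESSION['message'] = 'Please log in';
        header('Location: ' . $target);
        exit; // without this the rest of the page is still rendered and sent
    }
}

// Usage at the top of each protected page:
//   index1.php (lecture 1):      require_level([1, 10, 11]);
//   index2.php (lectures 1 + 2): require_level([1, 11]);

// Constructed sample sessions, evaluated against index2.php's allow-list
// when this file is run directly from the command line.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    foreach ([[], ['username' => 'bob', 'usr_level' => 10],
              ['username' => 'amy', 'usr_level' => 11]] as $s) {
        var_export(access_decision($s, [1, 11]));
        echo PHP_EOL;
    }
}
```

The guard only works if the login script stores `usr_level` in `$_SESSION` next to `username`, as the reply above points out.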
