RE: [PHP] Advanced User Authentication --- solved

2002-06-14 Thread César Aracena

Done it!!! Followed the examples both of you gave me and voilà!

Hey... it turned out to be quite an effective user authentication system.
Thanks a lot.

Cesar Aracena mailto:[EMAIL PROTECTED]
CE / MCSE+I
Neuquen, Argentina
+54.299.6356688
+54.299.4466621

 -----Original Message-----
 From: Justin French [mailto:[EMAIL PROTECTED]]
 Sent: Friday, June 14, 2002 03:29 a.m.
 To: César Aracena
 Subject: Re: [PHP] Advanced User Authentication
 
 This is a reasonably in-depth topic, and I don't have any experience with
 the book in question, but here's some code to follow.
 
 Please note TOTALLY UNTESTED CODE!
 
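 <?php
 session_start();

 // make sure userid & password were set
 // thru sessions, not through URL or other
 // method
 $userid = $_SESSION['userid'];
 $password = $_SESSION['password'];

 // start as "not valid" so the later checks never see unset variables
 $valid_user = 0;
 $authlevel = 0;

 $db_conn = mysql_connect("localhost", "user", "password");
 mysql_select_db("dbname", $db_conn);
 // escape both values before they go into the SQL string
 $safe_userid = mysql_real_escape_string($userid, $db_conn);
 $safe_password = mysql_real_escape_string($password, $db_conn);
 $query = "SELECT * FROM auth WHERE authname = '$safe_userid' AND
 authpass = password('$safe_password')";
 // run the query (this call was missing, so $result was never set)
 $result = mysql_query($query, $db_conn);
 if(mysql_num_rows($result) == 0)
 {
     // invalid username and/or password
     unset($_SESSION['password']);
     unset($_SESSION['userid']);
 }
 else
 {
     $valid_user = 1;

     // we know they're valid, but what level user are they?
     $myrow = mysql_fetch_array($result);
     $authlevel = $myrow['authlevel'];
 }
 ?>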
 
 So, you find the userid and password in the $_SESSION array, and you query
 the database to see if there's a match.
 
 If not, you unset the $_SESSION['userid'] and $_SESSION['password'].
 
 If yes, you then have a look at the result you queried, and find out what
 authlevel they are.
 
 In your case, it looks like you're using 0 for normal, and 1 for admin.
 
 In my case, I'm using 0 for a blocked user, 1 for basic, 2 for admin, and
 three for me (super admin, for lack of a better word!).
 
 
 For basic stuff, we can just check if they're a valid user:
 
 <?php
 if($valid_user)
 {
     echo "welcome {$userid}";
 }
 ?>
 
 or more complex stuff
 
 <?php
 if($authlevel == 1)
 {
     echo "admin: <A HREF=\"blah.php\">delete this</a>";
 }
 ?>
 
 
 Hope this gets you started on the right track.
 
 
 Justin French
 
 Creative Director
 http://Indent.com.au
 
 
 
 on 14/06/02 3:08 PM, César Aracena ([EMAIL PROTECTED]) wrote:
 
  Hi all,
 
  I’m trying to make a somehow “advanced” user authentication system for
  my own web site. What I’m using as a model example is the
  authentication system explained by Luke Welling & Laura Thomson in their
  book “PHP and MySQL Web Development”. In the book, they explain how to
  make apparently a perfect user authentication system, but only for one
  level users. I would like to change that somehow in order to make my
  scripts recognize whether the user is an Administrator or a Common User,
  identified by an “authlevel” field in my DB (1 for Admin – 2 for Users).
 
  I’m making all my web sites by using an “include” schema, so the user
  is authenticated only in the Header (included in all the pages).
 
  What I have so far is:
 
  <?php

  // this is where the original script begins

  session_start();

  if ($userid && $password)
  {
      $db_conn = mysql_connect("localhost", "user", "password");
      mysql_select_db("dbname", $db_conn);
      $query = "SELECT * FROM auth WHERE authname = '$username' AND
      authpass = password('$password') AND authlevel = 1";
      $result = mysql_query($query, $db_conn);
      if (mysql_num_rows($result) > 0)
      {
          $valid_user = $userid;
          session_register("valid_admin");
      }

      // this is what I tried to add

      else if (mysql_num_rows($result) == 0)
      {
          $query1 = "SELECT * FROM auth WHERE authname =
          '$username' AND authpass = password('$password') AND authlevel = 0";
          $result1 = mysql_query($query1, $db_conn);
          if (mysql_num_rows($result1) > 0)
          {
              $valid_user = $userid;
              session_register("valid_user");
          }
      }
  }
  ?>
 
  It works great when used in its original state, but does no good to
  what I’m trying to do here. Also, I’m willing to learn from this so I
  don’t want to rush and get it already done out there ;-)
 
  By the way, before you ask, I use MySQL and PHP 4 under an Apache
  emulator (PHPTriad) running under WinXP (and damn, it works good and
  smooth).
 
  Hope to get some knowledge from you guys and gals,
 
  Cesar Aracena mailto:[EMAIL PROTECTED]
  CE / MCSE+I
  Neuquen, Argentina
  +54.299.6356688
  +54.299.4466621
 
 
 


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
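
A hardened form of the level check discussed in this thread, as an added example that is not code from any of the posters: it keeps the `auth` table with its `authname`, `authpass` and `authlevel` columns (0 normal, 1 admin) from the messages above, replaces string interpolation with a bound parameter, and keeps the password out of the session. Assumptions: PDO with an in-memory SQLite database, `password_hash()` values stored in `authpass`, constructed accounts `alice` and `bob`, and hypothetical function names.

```php
<?php
// Added example: constructed schema and accounts, in-memory SQLite so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auth (authname TEXT PRIMARY KEY, authpass TEXT, authlevel INTEGER)');
$ins = $db->prepare('INSERT INTO auth VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('alice-pass', PASSWORD_DEFAULT), 1]); // constructed admin
$ins->execute(['bob',   password_hash('bob-pass',   PASSWORD_DEFAULT), 0]); // constructed normal user

// Returns the account's authlevel on success, or null on bad credentials.
function check_login(PDO $db, string $name, string $pass): ?int
{
    // Bound parameter: the name is never spliced into the SQL text.
    $st = $db->prepare('SELECT authpass, authlevel FROM auth WHERE authname = ?');
    $st->execute([$name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['authpass'])) {
        return null;
    }
    return (int) $row['authlevel'];
}

// Called once from the login form handler; the password never enters the session.
// With a real $_SESSION, call session_regenerate_id(true) right after a successful login.
function login(PDO $db, array &$session, string $name, string $pass): bool
{
    $level = check_login($db, $name, $pass);
    if ($level === null) {
        unset($session['userid'], $session['authlevel']);
        return false;
    }
    $session['userid'] = $name;
    $session['authlevel'] = $level;
    return true;
}

// Admin-only page sections test the level stored at login time.
function is_admin(array $session): bool
{
    return isset($session['userid']) && ($session['authlevel'] ?? -1) === 1;
}

$session = []; // stand-in for $_SESSION so the script runs from the command line
var_dump(login($db, $session, 'alice', 'alice-pass'), is_admin($session));
var_dump(login($db, $session, "bob' OR '1'='1", 'x'), is_admin($session));
var_dump(login($db, $session, 'bob', 'bob-pass'), is_admin($session));
```

The second call passes a name containing quote characters; because it is bound as data, it simply matches no row and the session entries are cleared.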




RE: [PHP] Advanced User Authentication --- solved

2002-06-14 Thread Chris Bunting

Hi All,
  Here is a link to an easy to use session program. Has all the code needed 
I think. This is what I have been using to get used to sessions and all.

http://www.trios.org/php/sessions/

Hope this helps someone,
Chris
