Hi,

I am fairly new to PHP but I have managed to set up a verify_user script that checks the username and password of a user from a login page. The script works fine except for the fact that a user can simply enter the URL of the logged-in page and an error does not pop up! I have tried to put an error message into the script but it doesn't seem to be working. I have included the script below; any suggestions would be much appreciated.

Or is there any other way around this problem?


verify_user.php

<?php
session_start();
session_unset();                       // start every login attempt from a clean session
include("sql_connect.php");

// $POST / $SESSION are not the PHP superglobals; they are $_POST and $_SESSION
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$loggedIn = false;

// isset() on a variable that was just assigned is always true, so test for an empty value instead.
// exit after the redirect, otherwise the script carries on and runs the query anyway.
if ( $username == '' )
{
echo('You must enter in a username<br>');
echo('Redirecting to login page<br>');
echo '<meta http-equiv="refresh" content="3; URL=login.php" />';
exit;
}

if ( $password == '' )
{
echo('You must enter in a password<br>');
echo('Redirecting to login page<br>');
echo '<meta http-equiv="refresh" content="3; URL=login.php" />';
exit;
}

// Escape the user-supplied value before it goes into the query; a username such as
// ' OR '1'='1 would otherwise rewrite the WHERE clause.
$safe_username = mysql_real_escape_string($username);
$user_query = mysql_query("SELECT * FROM user WHERE username='".$safe_username."'") or die ("Error checking password");
$num_users = mysql_num_rows( $user_query );

if ( $num_users == 0 )
{
echo('User does not exist<br>');
echo('Redirecting to login page<br>');
echo '<meta http-equiv="refresh" content="3; URL=login.php" />';
exit;
}

// user_type comes back with the same row, so no second query is needed
$user = mysql_fetch_array( $user_query );

if ( $password == $user["password"] )
{
$loggedIn = true;

// Give the logged-in user a fresh session id so an id handed out before login cannot be reused.
session_regenerate_id(true);

// session_register() is deprecated; write straight into $_SESSION instead.
// Store user_type as well, so the protected pages can check the role without another query.
$_SESSION['loggedIn'] = true;
$_SESSION['username'] = $username;
$_SESSION['user_type'] = $user['user_type'];

if ($user['user_type'] == "admin") {
echo '<meta http-equiv="refresh" content="3; URL=admin_home.php" />';
echo 'Logging in as an administrator<br>';
echo 'Redirecting to admin page...';
}

elseif ($user['user_type'] == "student") {
echo '<meta http-equiv="refresh" content="3; URL=student_home.php" />';
echo 'Logging in as a student<br>';
echo 'Redirecting to student page...';
}

elseif ($user['user_type'] == "staff") {
echo '<meta http-equiv="refresh" content="3; URL=staff_home.php" />';
echo 'Logging in as a member of staff<br>';
echo 'Redirecting to staff page...';
}
}
else
{
// wrong password: the "You must be logged in" message belongs on the protected pages, not here
echo 'Your password does not match<br>';
echo('Redirecting to login page<br>');
echo '<meta http-equiv="refresh" content="3; URL=login.php" />';
}

?>

Thanks

    Do you mean that if they go to admin_home.php, there is no error?

    You need to check the session variables to make sure they're set; otherwise, redirect them.

    So at the top of each page you could have something like this:

    <?php
    session_start();                     // $_SESSION is empty until the session has been started
    $allowed = array('admin', 'staff', 'student');
    if ( empty($_SESSION['username']) || empty($_SESSION['user_type']) ||
         !in_array($_SESSION['user_type'], $allowed) )
    {
        header("Location: login.php");
        exit;                            // header() does not stop the script; without exit the page is still sent
    }
    ?>

    Hope that helps.

    ~Brett

      One simple way to do it is to include a hidden field in your form.

      <input type="hidden" name="submitted" value="yes">

      Then check to make sure that this value exists.

        Knew it would be something that simple!

        Just what I needed.

        Thanks a lot
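An added example, not code from the original poster or from the replies above, tying together Brett's suggestion (check the session at the top of each page) and the hidden-field suggestion. A hidden `submitted=yes` field is supplied by the browser, so anyone can send it directly to admin_home.php without ever seeing login.php; only state that verify_user.php wrote on the server after a successful password check can tell a logged-in user apart from a direct request. The file name auth_check.php and the function require_role() are assumptions made for this example; it assumes verify_user.php stores loggedIn, username and user_type in $_SESSION.

```php
<?php
// auth_check.php (hypothetical file name): require it at the top of every protected page.
// Example code added to this thread, not from the original poster or the repliers.
//
// Why the hidden <input type="hidden" name="submitted" value="yes"> is not enough:
// the value travels with the request, so this reaches admin_home.php with the
// check "satisfied" and no password ever entered (constructed example request):
//   curl -d 'submitted=yes' http://example.test/admin_home.php
// The session, by contrast, lives on the server and is only filled in by
// verify_user.php after the password matched.

session_start();

/**
 * Stop the request unless the session belongs to a logged-in user whose
 * user_type is one of $allowed_roles.
 * Assumes verify_user.php set $_SESSION['loggedIn'], $_SESSION['username']
 * and $_SESSION['user_type'] (assumption for this example).
 */
function require_role(array $allowed_roles)
{
    $logged_in = !empty($_SESSION['loggedIn'])
              && !empty($_SESSION['username'])
              && isset($_SESSION['user_type']);

    if (!$logged_in) {
        // Not logged in at all: send to the login page and stop.
        // header() on its own does not end the script, so without exit
        // the protected page body would still be sent after the redirect.
        header('Location: login.php');
        exit;
    }

    if (!in_array($_SESSION['user_type'], $allowed_roles, true)) {
        // Logged in, but as the wrong kind of user (e.g. a student opening admin_home.php).
        // Refuse rather than redirect, so the user learns the page exists but is not theirs.
        header('HTTP/1.1 403 Forbidden');
        echo 'You are not allowed to view this page.';
        exit;
    }
}

// Usage, at the very top of each protected page, before any HTML is output:
//
// admin_home.php:
//   require 'auth_check.php';
//   require_role(array('admin'));
//
// staff_home.php (admins may see staff pages too):
//   require 'auth_check.php';
//   require_role(array('admin', 'staff'));
//
// student_home.php:
//   require 'auth_check.php';
//   require_role(array('student'));
```

The role list is passed per page rather than hard-coded in the check, so a page that several roles may view (staff and admin, say) lists both, and a page that nobody should reach by URL alone lists only the roles that verify_user.php can actually assign.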
