Hi:
I have built an admin panel that hides some links depending on the admin and mod level. The script works fine when I log in the first time, but the problem is that when I am using the admin account, click some of the hidden links and refresh, the account shifts to another mod account.
0 == admin
1 == mod
Table Structure:
table: moderator
mod_id (varchar)
mod_password (varchar)
level (enum: value 0,1)
Here is my menu.php; some of the links are hidden with if ($_SESSION['level'] == '1'):
<?php
session_start();
//header("Cache-control: private");
// is the one accessing this page logged in or not?
if (!isset($_SESSION['db_is_logged_in'])
|| $_SESSION['db_is_logged_in'] !== true) {
// not logged in, move to login page
header('Location: login.php');
exit;
}
?>
<?php
include ('connect.php');
?>
<html>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<body>
<?php echo "<b>Welcome {$_SESSION['mod_id']} </b>"; ?>
<br>
<font size=+2>Menu:</font><br>=======<br>
Artist:<br>
<a href="add.php" target="main">Add Artist </a><br>
<a href="artist-edit-delete.php" target="main">Update-Delete Artist</a><br>
<br><br>Lyric:<br>
<a href="lyric-add.php" target="main">Add-Edit-Delete Lyric </a><br>
<br><br>Approve Lyric submission:
<br><a href="show-submission-song.php" target="main">Approve Users submitted lyric</a>
<br><br>Search:<br>
<a href="admin-artist-search.php" target="main">Admin Artist Search</a><br>
<br><br>
<?php
if ($_SESSION['level'] == '1')
{
echo "You are not an admin";
}
else
{
echo "Create Mod <br>";
echo "<a href=\"add-mod.php\" target=\"main\">Create Mod</a> <br>";
}
?>
<br><br><a href="logout.php" target="_parent">Logout</a>
</body>
</html>
Login script:
<?php
session_start();
header("Cache-control: private");
include ('connect.php');
// we must never forget to start the session
$errorMessage = '';
if (isset($_POST['mod_id']) && isset($_POST['mod_password'])) {
// escape the user-supplied values before interpolating them into the SQL string
$mod_id = mysql_real_escape_string($_POST['mod_id']);
$mod_password = mysql_real_escape_string($_POST['mod_password']);
// check if the user id and password combination exist in database
$sql = "SELECT * FROM moderator WHERE mod_id = '$mod_id' AND mod_password = MD5('$mod_password')";
$result = mysql_query($sql)
or die('Query failed. ' . mysql_error());
if (mysql_num_rows($result) == 1) {
// the user id and password match,
// set the session
session_regenerate_id(true); // give the fresh login a new session id
$_SESSION['db_is_logged_in'] = true;
$row = mysql_fetch_assoc($result);
$_SESSION['level'] = $row['level'];
$_SESSION['mod_id'] = $row['mod_id'];
// after login we move to the main page
header('Location: index.php');
exit;
} else {
$errorMessage = 'Sorry, wrong user id / password';
}
}
?>
<html>
<head>
<title>BTZ Lyric Moderator Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<?php
if ($errorMessage != '') {
?>
<p align="center"><strong><font color="#990000"><?php echo $errorMessage; ?></font></strong></p>
<?php
}
?>
<form method="post" name="BTZ_LOGIN" id="BTZ_LOGIN">
<table width="400" border="1" align="center" cellpadding="2" cellspacing="2">
<tr>
<td width="150">User ID</td>
<td><input name="mod_id" type="text" id="mod_id"></td>
</tr>
<tr>
<td width="150">Password</td>
<td><input name="mod_password" type="password" id="mod_password"></td>
</tr>
<tr>
<td width="150"> </td>
<td><input type="submit" name="BTZ_LOGIN" value="Login"></td>
</tr>
</table>
</form>
</body>
</html>
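As an added example (not the poster's code), a single-file version of the same login and level check for the moderator table that uses a prepared statement, password_verify() instead of MD5, a regenerated session id on login, and a strict integer comparison of the level. The DSN and credentials are placeholders, and it assumes mod_password holds password_hash() output rather than an MD5 digest.

```php
<?php
// Added example: hardened login + level check for table moderator
// (mod_id, mod_password, level enum '0' = admin, '1' = mod).
// Assumptions: DSN/credentials are placeholders; mod_password stores
// password_hash() output, not MD5.
session_start();
header('Cache-Control: no-store');   // never let authenticated pages be cached

const LEVEL_ADMIN = 0;               // 1 == mod, as in the original table

function db(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4',
                   'YOUR_USER', 'YOUR_PASSWORD');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Verify credentials and, on success, bind a fresh session to the account.
function loginModerator(PDO $pdo, string $modId, string $password): bool {
    $stmt = $pdo->prepare(
        'SELECT mod_id, mod_password, level FROM moderator WHERE mod_id = ?');
    $stmt->execute([$modId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['mod_password'])) {
        return false;
    }
    session_regenerate_id(true);     // drop any session id issued before login
    $_SESSION = [                    // start from a clean session array
        'db_is_logged_in' => true,
        'mod_id'          => $row['mod_id'],
        'level'           => (int) $row['level'],  // enum comes back as a string
    ];
    return true;
}

// Guard for every admin page: require a login, and optionally a level.
function requireLogin(?int $requiredLevel = null): void {
    if (empty($_SESSION['db_is_logged_in'])) {
        header('Location: login.php');
        exit;
    }
    if ($requiredLevel !== null && $_SESSION['level'] !== $requiredLevel) {
        http_response_code(403);
        exit('You are not an admin');
    }
}
```

On the login form's POST, call loginModerator(db(), $_POST['mod_id'], $_POST['mod_password']) and redirect to index.php only when it returns true; in menu.php call requireLogin() at the top and show the Create Mod link only when $_SESSION['level'] === LEVEL_ADMIN.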