Easy way to identify admin user

hubbardude

I'm looking for an example of how to use sessions to check if a user is an admin or not. Basically I have 3 levels - Guest, user, admin. Currently I am using two session variables - username and logged in/not logged in to protect access to user pages. For some reason I can't figure out a good way to do the admin part. In the db, user levels are stored as an integer - 0 for guest, 1 for user, 2 for admin. Here are the session declarations:

$_SESSION["username"]=$_POST["username"];
$_SESSION["loggedIn"]=true;

So my problem is, I don't know how to declare the admin variable. I have a pretty good idea of how I would check for it, though. I know it would involve querying the db for the user level, but I can't seem to figure out the correct way to do it.

NogDog

As a side note, the $SESSION['logedIn'] element is really sort of redundant, since you can just check whether the $SESSION['username'] is empty or not. Anyway, you could add another $_SESSION variable to hold the access level, and then check it's value in any situations where it matters.

bradmasterx

At logon.

session_start();
if($_SESSION['adminuser'] != "YES"){ die ("Authorize Failed."); }

//login script
//if user group = admin
$_SESSION['adminuser']="YES";
//end if

hubbardude

Thanks. I guess I'm really looking for help with the SQL check to see what level of access they have. Something like:

"SELECT userlevel FROM users WHERE username=$_POST['username']";

From there I'm not sure what I would do.

NogDog

It can be done at the same time as you do the username/password query. Just add the userlevel column to the list of fields you select in that query, then grab its value for saving in the $_SESSION array if the login is valid.

kterry

Here is a little something you can do. Something like this took me about 5 minutes to code and it even checks to see if the account has been disabled in the database.

<?php
session_start(); //Start the session

//Set username and password in $uid and $pwd if its found in $_POST or $_SESSION.
if (isset($_POST['uid'])) {
 $uid = $_POST['uid'];
} else {
 $uid = $_SESSION['uid'];
}
if (isset($_POST['pwd'])) {
 $pwd = $_POST['pwd'];
} else {
 $pwd = $_SESSION['pwd'];
}

//If uid is not set, show the login form.
if(!isset($uid)) {
 ?>
 <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <title> Please Log In for Access </title>
 <meta http-equiv="Content-Type"
   content="text/html; charset=iso-8859-1" />
 </head>
 <body>
 <h1> Login Required </h1>
 <p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
   User ID: <input type="text" name="uid" size="8" /><br />
   Password: <input type="password" name="pwd" SIZE="8" /><br />
   <input type="submit" value="Log in" />
 </form></p>
 </body>
 </html>
 <?php
 exit;
}

//Set the session array variables.
$_SESSION['uid'] = $uid;
$_SESSION['pwd'] = $pwd;

//Check the database against provided credentials.
$sql = "SELECT * FROM in_users WHERE
       user_name = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
if (!$result) {
 error('A database error occurred while checking your '.
       'login details.\\nIfhis error persists, please '.
       'contact dsfsdgghas.');
}

if (mysql_num_rows($result) == 0) {
 unset($_SESSION['uid']);
 unset($_SESSION['pwd']);
 ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <title> Access Denied </title>
 <meta http-equiv="Content-Type"
   content="text/html; charset=iso-8859-1" />
 </head>
 <body>
 <h1> Access Denied </h1>
 <p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
   User ID: <input type="text" name="uid" size="8" /><br />
   Password: <input type="password" name="pwd" SIZE="8" /><br />
   <input type="submit" value="Log in" />
 </form></p>
 </body>
 </html>
 <?php
 exit;
}

//Check if account is active. 0 is no 1 is yes.
if (mysql_result($result,0,'active') == 0){
	echo 'Your account is currently disabled. Please contact <a href="mailto:sdgsdfgdfg">Kyle</a> to reinstate your account.';
	exit;
}

//set the users access level in the $ac_lvl variable to later be called by the script.
$ac_lvl = mysql_result($result,0,'ac_lvl');

//Set the user name for use of "Logged in as ..."
$username = mysql_result($result,0,'user_name');
?>

Then later in the script you can call the variable...

//Call the access variable to confirm they have proper access to the page.
if ($ac_lvl != 2 ){
//Deny access to page.
exit;
}

Hope this helps!

laserlight

Something like this took me about 5 minutes to code and it even checks to see if the account has been disabled in the database.

Unfortunately it is uh, susceptible to SQL injection.

kterry

Not if you write the script to filter it.

laserlight

Not if you write the script to filter it.

Please demonstrate and include it in your example. As you recall, this is the Newbies forum, so it is better to assume that hubbardude does not know about SQL injection and how to avoid it.

kterry

$_SESSION['uid'] = $uid;
$_SESSION['pwd'] = $pwd;
if (preg_match("/^\w{6,20}$/", $uid, $matches)){
$sql = "SELECT * FROM in_users WHERE
       user_name = " . mysql_real_escape_string($uid) . " AND password = " . mysql_real_escape_string($pwd);
} else {
echo 'Username invalid.';
exit;
}

Will filter the username field from any malicious code. A lot of people use other characters in their passwords, so you'd have to disallow things like single quotes and a few others and filter them out in your scripts with preg_match.

kterry

here is an article you should read, hubbardude.

http://en.wikipedia.org/wiki/SQL_injection