Ok here is what I have...
I created a table on my db with 4 fields
'id', 'username', 'password', 'level_access'
I have a login page (login.php):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Admin Login</title>
<link href="admin.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div align="center"></div>
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC" class="box">
<tr>
<td>
<form name="form" method="post" action="checklogin.php">
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="2"><div align="center"><span class="style6">Admin Login </span></div></td>
</tr>
<tr>
<td width="78"><div align="right" class="style2">Username:</div></td>
<td width="294"><input name="myusername" type="text" class="style2" id="myusername" /></td>
</tr>
<tr>
<td class="style2"><div align="right" class="style9"><span class="style2">Password</span>:</div></td>
<td><input name="mypassword" type="password" class="style2" id="mypassword" /></td>
</tr>
<tr>
<td></td>
<td><input type="submit" name="Submit" value="Login" /></td>
</tr>
</table>
</form>
</td>
</tr>
</table>
<?php
include("footer.php");
?>
</body>
</html>
I have a check login page (checklogin.php):
<?php
session_start();
include("includes/config.inc.php");
// Connect to server and select database.
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");
// username and password sent from the login form, escaped before use in SQL
$myusername = mysql_real_escape_string($_POST['myusername']);
$mypassword = mysql_real_escape_string($_POST['mypassword']);
$sql = "SELECT * FROM $tbl_name2 WHERE username='$myusername' AND password='$mypassword'";
$result = mysql_query($sql) or die("SQL Error: " . mysql_error());
// mysql_num_rows counts the matching rows
$count = mysql_num_rows($result);
// If $myusername and $mypassword matched, exactly 1 row is returned
if ($count == 1) {
// Register $myusername, $mypassword and redirect to index.php
session_register("myusername");
session_register("mypassword");
header("Location: index.php");
exit;
}
else {
echo "Wrong Username or Password";
}
?>
I have a logout page (logout.php):
<?php
session_start();
session_destroy();
header('Location: index.php');
exit;
?>
On the top of the php pages I wish to protect I have this code:
<?php
session_start();
if (!session_is_registered('myusername')) {
header("Location: login.php");
}
?>
What I would like to do is add the 'level_access' to the script. This is not a typical membership login section; I am trying to create an "Admin section", so I really do not need a registration page. The main admin will activate or deactivate other admins, but I need to assign a main admin from regular admins (if that makes any sense?)
Also I have a page that allows the admins to delete a row from a table. Once they click on the hyperlink which contains the id of the row, it goes to another page called delete.php; the code looks like this:
<?php
session_start();
if (!session_is_registered('myusername')) {
header("Location: login.php");
}
header('refresh:3;url=list.php');
include("includes/config.inc.php");
// Connect to server and select database.
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");
// get value of id that is sent from the address bar (cast to int)
$id = intval($_GET['id']);
// Delete the row in mysql that has this id
$sql = "DELETE FROM $tbl_name WHERE id='$id'";
$result = mysql_query($sql) or die("SQL Error: " . mysql_error());
// if successfully deleted
if ($result) {
echo "Deleted Successfully";
echo "<BR>";
echo "<a href='list.php'>Back to main page</a>";
}
else {
echo "ERROR";
}
// close connection
mysql_close();
?>
The problem is that even though it has the login script at the top, it doesn't prevent the script from executing. I see this as a big security problem. Someone can enter www.somewhere.com/delete.php?id=1 and so on in the address bar and delete records without logging on.
Thanks for your help
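A hardened version of the protection check and the login step, added here as an example and not the poster's own code. It assumes PHP 7+ with mysqli, that includes/config.inc.php still defines $host, $username, $password, $db_name and $tbl_name2, that level_access is an integer column (assumed: 1 = admin, 2 = main admin), and that the password column holds password_hash() output rather than plaintext.

```php
<?php
// auth.php: added example, not the original poster's code. Assumptions: PHP 7+,
// mysqli; level_access is an integer column (1 = admin, 2 = main admin);
// the password column holds password_hash() output.

// Verify credentials with a prepared statement (no string interpolation of user
// input into SQL) and store username + level_access in the session.
function login_user(mysqli $db, string $table, string $user, string $pass): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // $table comes from the config file, never from the request
    $stmt = $db->prepare("SELECT password, level_access FROM `$table` WHERE username = ?");
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash, $level);
    if (!$stmt->fetch() || !password_verify($pass, $hash)) {
        return false;
    }
    session_regenerate_id(true);              // fresh session id after login
    $_SESSION['myusername']   = $user;
    $_SESSION['level_access'] = (int) $level;
    return true;
}

// Call first thing on every protected page, before any output.
function require_login(int $min_level = 1): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['myusername'])) {
        header('Location: login.php');
        exit;   // without exit PHP keeps running the page after the redirect
                // header, which is why delete.php still deleted rows for visitors
    }
    if ((int) ($_SESSION['level_access'] ?? 0) < $min_level) {
        http_response_code(403);
        exit('Access denied');
    }
}

// Usage in checklogin.php:
//   require_once 'includes/config.inc.php'; require_once 'auth.php';
//   $db = new mysqli($host, $username, $password, $db_name);
//   if (login_user($db, $tbl_name2, $_POST['myusername'], $_POST['mypassword'])) {
//       header('Location: index.php'); exit;
//   }
//   echo "Wrong Username or Password";
// Usage in delete.php, replacing the session_is_registered block:
//   require_once 'auth.php';
//   require_login(2);                         // main admin only
```

Deleting via a GET link is a separate weakness (any page that embeds the URL can trigger it); switching delete.php to a POST form is the matching fix, but it is independent of the check above.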