no direct access to admin pages

vinpkl

i am working on admin section which has a login page with login id and pasword form.
in my admin section i have many pages say like manage_products.php, description.php, user.php etc.

if i have to access the manage_products.php page then i can access it just typing like the link below

http://localhost/vineet/admin/manage_products.php

without entering login user and pasword.

i want to restrict the access of this page through admin panel only. No one should able to access any of the page by typing the url directly. how is it possible.

vineet

djjjozsi

Lets create an easy session user authenticate to the page. And then create a logout. you can find an example on php.net website.

bye,

jjozsi:

lets_sign_in.php:

<?
session_start();
if($_POST["username"]=="your_username" AND $_POST["password"]=="your_password")
{
$_SESSION["signed_in"]=1;
header("Location: list_of_restricted pages");
}
else
{
print 'No match';
}

if($_GET["back_from_a_restricted_page"]==1)
print "To allow this page,  you must logged in.";

print '<form name="form" method="post" action="?">
<table border="1" cellspacing="5" cellpadding="5">
<tr>
<th scope="row">Username</th>
<td><input type="text" name="username"></td>
</tr>
<tr>
<th scope="row">Password</th>
<td><input type="password" name="password"></td>
</tr>
</table>
<input type="submit" name="Submit" value="Submit"> </form>';
?>

And evry page you wanted to restrict the normal user, lets put this php program, and the very beginning of the page:

<?
session_start();
if($_SESSION["signed_id"]=="")
header("Location: lets_sign_in.php?back_from_a_restricted_page=1");
?>

vinpkl;10890991 wrote:
hi

i am working on admin section which has a login page with login id and pasword form.
in my admin section i have many pages say like manage_products.php, description.php, user.php etc.

if i have to access the manage_products.php page then i can access it just typing like the link below

http://localhost/vineet/admin/manage_products.php

without entering login user and pasword.

i want to restrict the access of this page through admin panel only. No one should able to access any of the page by typing the url directly. how is it possible.

vineet

vinpkl

djjjozsi;10891036 wrote:

Lets create an easy session user authenticate to the page. And then create a logout. you can find an example on php.net website.

bye,

jjozsi:

lets_sign_in.php:

<?
session_start();
if($_POST["username"]=="your_username" AND $_POST["password"]=="your_password")
{
$_SESSION["signed_in"]=1;
header("Location: list_of_restricted pages");
}
else
{
print 'No match';
}

if($_GET["back_from_a_restricted_page"]==1)
print "To allow this page,  you must logged in.";

print '<form name="form" method="post" action="?">
<table border="1" cellspacing="5" cellpadding="5">
<tr>
<th scope="row">Username</th>
<td><input type="text" name="username"></td>
</tr>
<tr>
<th scope="row">Password</th>
<td><input type="password" name="password"></td>
</tr>
</table>
<input type="submit" name="Submit" value="Submit"> </form>';
?>

And evry page you wanted to restrict the normal user, lets put this php program, and the very beginning of the page:

<?
session_start();
if($_SESSION["signed_id"]=="")
header("Location: lets_sign_in.php?back_from_a_restricted_page=1");
?>

thanks for the reply. its now working as needed.

But one thing more i would like to ask that what should come in the "logout" page.

vineet

djjjozsi

logout.php

<?
session_start();
session_unset();
session_destroy();
header("Location: index.php?error=no_logged_out");
?>

and make a GET check in the index.php, to print that the user logged out successfully.

<?
switch ($_GET["error"])
{
case "no_logged_out":
print "You logged out succesfully...";
break;

/*
here you could take the whole error messages
*/

}
?>

and another thing:

if you use: header("Location: list_of_restricted pages");

after the location you must write valid filenames:
list_of_restricted pages.php,

but i missed the .php...

vinpkl

i used your earlier script that restrict access to the admin pages and received some errors.
here is the detail.
actually i have my user and password for admin in the admin table in database and i dont know where to put your provided code.

Here is my config.php

<?php
$conn=mysql_connect("localhost","root","") or die(mysql_error());
mysql_select_db("gadgets",$conn);

session_start();
if($_POST["username"]=="user_name" AND $_POST["password"]=="password")
{
$_SESSION["signed_in"]=1;
header("Location: add_banner.php, control_panel.php");
}
else
{
print 'No match';
}

if($_GET["back_from_a_restricted_page"]==1)
print "To allow this page,  you must logged in.";


?>

here is my add_banner.php which is part of admin pages

<?php require_once("../config.php");

if($_SESSION["signed_id"]=="")
header("Location: index.php?back_from_a_restricted_page=1");


$msg="";
if(isset($_REQUEST['submit']))
{
$loc=$_REQUEST['banner_loc'];
$path=$_FILES['banner_image']['name'];
move_uploaded_file($_FILES['banner_image']['tmp_name'], "uploads/" . $_FILES['banner_image']['name']);


$qry="insert into banners_homepage(location,banner_image) values('$loc', '$path')";

if(mysql_query($qry))
$msg="Banner Inserted successfully";
else
$msg="Error Inserting Banner";
}

?>

i receive this error
when i type
http://localhost/vineet/admin/add_banner.php

No match 
Warning: Cannot modify header information - headers already sent by (output started at E:\xampp\htdocs\vineet\config.php:13) in E:\xampp\htdocs\vineet\admin\add_banner.php on line 4

djjjozsi

how to use header function:

you could take only one location into that, so there is a mistake if you write the files comma separated.

make a page , where you print links to the areas..

At the very first lines you in the restricted pages, you need only this lines only:

<?
session_start();   // this is necessary to put! othervise there will no $_SESSION variable available at all.
if($_SESSION["signed_id"]=="")
header("Location: index.php?back_from_a_restricted_page=1");
?>

And don't put the username and password check part in the config.php
and this code is entered JUST in the form, where you ask the username and password:

<?php
/*  $conn=mysql_connect("localhost","root","") or die(mysql_error());
mysql_select_db("gadgets",$conn);   */


session_start();
if($_POST["username"]=="user_name" AND $_POST["password"]=="password")
{
$_SESSION["signed_in"]=1;
header("Location: add_banner.php, control_panel.php");
}
else
{
print 'No match';
}

if($_GET["back_from_a_restricted_page"]==1)
print "To allow this page,  you must logged in.";


?>

vinpkl

i dont know how to

make a page , where you print links to the areas..

and then restrict them

vineet

djjjozsi

create a file, called: list_of_admin_pages.php

tahe these links into that:

<?
session_start(); //alway use this session start
?>
take html codes with <html> ect...

<a href="banner_admin.php">BAnners admin</a>
<a href="sites_admin.php">Sites admin</a>
<a href="users_admin.php">Users admin</a>

and if you click one of these, in the beginning of the files that will check if the user logged in.

vinpkl

djjjozsi;10891075 wrote:
create a file, called: list_of_admin_pages.php

tahe these links into that:

<?
session_start(); //alway use this session start
?>
take html codes with <html> ect...

<a href="banner_admin.php">BAnners admin</a>
<a href="sites_admin.php">Sites admin</a>
<a href="users_admin.php">Users admin</a>

and if you click one of these, in the beginning of the files that will check if the user logged in.

i mgetting confused. let me clear things

This is come in index.php which is login page

session_start();
if($_SESSION["signed_in"]=1)
{ 
header("Location: list_of_restricted pages.php"); 
} 
else 
{ 
print 'No match'; 
} 

if($_GET["back_from_a_restricted_page"]==1) 
{
print "To allow this page,  you must logged in."; 
}

This wil come in list_of_restricted_files.php

<?php
session_start();
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>
<a href="add_banner.php">Banners admin</a>
<a href="add_category.php">Sites admin</a>
<a href="control_panel.php">Users admin</a>
</body>
</html>

This wil come in add_banner.php

session_start();   // this is necessary to put! othervise there will no $_SESSION variable available at all. 
if($_SESSION["signed_id"]=="") 
header("Location: index.php?back_from_a_restricted_page=1");

djjjozsi

Yes, this is the correct.

In index.php, lets correct at the if()

if($_SESSION["signed_in"]==1)

Becouse i made a little mistake about == (double = sign )

vinpkl

djjjozsi;10891084 wrote:
Yes, this is the correct.

In index.php, lets correct at the if()

if($_SESSION["signed_in"]==1)

Becouse i made a little mistake about == (double = sign )

everything done as told. but still receiving error and i m able to access restricted page

Warning: Cannot modify header information - headers already sent by (output started at E:\xampp\htdocs\vineet\config.php:9) in E:\xampp\htdocs\vineet\admin\add_banner.php on line 5

I have session_start(); in config file also which is included file. if i remove it from there i recieve error on my login page

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at E:\xampp\htdocs\vineet\config.php:9) in E:\xampp\htdocs\vineet\admin\index.php on line 4
No match

This is add_banner.php


<?php require_once("../config.php");

session_start();   // this is necessary to put! othervise there will no $_SESSION variable available at all. 
if($_SESSION["signed_id"]=="") 
header("Location:index.php?back_from_a_restricted_page=1"); 


$msg="";
if(isset($_REQUEST['submit']))
{
$loc=$_REQUEST['banner_loc'];
$path=$_FILES['banner_image']['name'];
move_uploaded_file($_FILES['banner_image']['tmp_name'], "uploads/" . $_FILES['banner_image']['name']);


$qry="insert into banners_homepage(location,banner_image) values('$loc', '$path')";

if(mysql_query($qry))
$msg="Banner Inserted successfully";
else
$msg="Error Inserting Banner";
}

?>

djjjozsi

there is eomthing printed in config.php

lets just run config.php , and see what is the printed message.

(for example: can't connect to the database)

Of course this error message will appears if there is a little warning in config.php ..

vinpkl;10891090 wrote:

everything done as told. but still receiving error and i m able to access restricted page

Warning: Cannot modify header information - headers already sent by (output started at E:\xampp\htdocs\vineet\config.php:9) in E:\xampp\htdocs\vineet\admin\add_banner.php on line 5

<?php require_once("../config.php");

session_start();   // this is necessary to put! othervise there will no $_SESSION variable available at all. 
if($_SESSION["signed_id"]=="") 
header("Location:index.php?back_from_a_restricted_page=1"); 


$msg="";
if(isset($_REQUEST['submit']))
{
$loc=$_REQUEST['banner_loc'];
$path=$_FILES['banner_image']['name'];
move_uploaded_file($_FILES['banner_image']['tmp_name'], "uploads/" . $_FILES['banner_image']['name']);


$qry="insert into banners_homepage(location,banner_image) values('$loc', '$path')";

if(mysql_query($qry))
$msg="Banner Inserted successfully";
else
$msg="Error Inserting Banner";
}

?>

vinpkl

if i run config.php
http://localhost/vineet/config.php

then i get a white page with no error display whether i delete session or not.

this is my config file

<?php
$conn=mysql_connect("localhost","root","") or die(mysql_error());
mysql_select_db("gadgets",$conn);

session_start();

?>

vineet

djjjozsi

please send me the config.php file

djjjozsi@gmail.com

at the last ?> isn't a Space or an Enter ?
if it is, elets delete it.

and if you put the session_start into the config.php, in the other files don't start the session again.

jjozsi

vinpkl;10891092 wrote:
hi

if i run config.php
http://localhost/vineet/config.php

then i get a white page with no error display whether i delete session or not.

this is my config file
<?php
$conn=mysql_connect("localhost","root","") or die(mysql_error());
mysql_select_db("gadgets",$conn);

session_start();

?>
vineet

vinpkl

djjjozsi;10891094 wrote:
please send me the config.php file

djjjozsi@gmail.com

at the last ?> isn't a Space or an Enter ?
if it is, elets delete it.

and if you put the session_start into the config.php, in the other files don't start the session again.

jjozsi

you were right. there was 2 time Enter after ?>.
i delete it. Now when i try to access restricted page redirects me to the login page

but when i enter the login id and password then also it redirects me to login page not the control_panel.php

vineet

djjjozsi

So.

what is the file name in that area in index.php?

if($POST["username"]=="your_username" AND $POST["password"]=="your_password")
{
$_SESSION["signed_in"]=1;
header("Location: list_of_restricted pages"); <---------------------------

vinpkl;10891095 wrote:
hi

you were right. there was 2 time Enter after ?>.
i delete it. Now when i try to access restricted page redirects me to the login page

but when i enter the login id and password then also it redirects me to login page not the control_panel.php

vineet