help me fix my code

Anon

Hi,

Below is some code I am putting at the top of my pages that only let a user in if they have logged in, based on their userid and if their status is set to admin, not browse.

These fields are both held in a user mySQL table. I think the line that is wrong is
if(!isset($userid) && ($status == "browse")), anybody got any ideas??

<?php //checks userid on the cookie to allow access
//put this code at the top of every page to validate users for admin access

session_start();
if(!isset($userid) && ($status == "browse")) //if no userid set then not logged in so don't let in
echo "You are not authorised to visit this page.\n ";
echo "Please hit the back button <BR>\n";
echo $status;
exit;

mistcat

Well I'm not sure of all your configurations but if those are session variables maybe you want something more like:

if(!isset($SESSION['userid']) && ($SESSION['status'] == "browse"))

and set those as session variables wherever you do your login?

$_SESSION['status'] = "browse";

You know?
(btw if you are working with an older version of php try
HTTP_SESSION_VARS instead of _SESSION

Anon

Hi,

Thanks for you reply but I am still a little confused as 'browse' and 'admin are the two values that 'status' can take in the users table.

I only want to let in users that have logged in and their status is set to 'admin' in the table.

Below is the code for the log in page, what should I do?

<?php
//auth_user.php
include "common_db.inc";
$register_script = "register.php";

function auth_user($userid, $userpassword, $status) {
global $default_dbname, $user_tablename;

$link_id = db_connect($default_dbname);
$query = "SELECT username, status FROM $user_tablename
WHERE userid = '$userid'
AND userpassword = password('$userpassword')";
$result = mysql_query($query);
if(!mysql_num_rows($result)) return 0;
else {
$query_data = mysql_fetch_row($result);
return $query_data[0];
}
}

function login_form() {
global $PHP_SELF;
?>

<HEAD>
<TITLE>Login</TITLE>
</HEAD>
<BODY>
<FORM METHOD="POST" ACTION="<? echo $PHP_SELF ?>">
<DIV ALIGN="CENTER"><CENTER>
<H3>Please log in to access the page you requested.</H3>
<TABLE BORDER="1" WIDTH="200" CELLPADDING="2">
<TR>
<TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>ID</TH>
<TD WIDTH="82%" NOWRAP>
<INPUT TYPE="TEXT" NAME="userid" SIZE="8">
</TD>
</TR>
<TR>
<TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>Password</TH>
<TD WIDTH="82%" NOWRAP>
<INPUT TYPE="PASSWORD" NAME="userpassword" SIZE="8">
</TD>
</TR>
<TR>
<TD WIDTH="100%" COLSPAN="2" ALIGN="CENTER" NOWRAP>
<INPUT TYPE="SUBMIT" VALUE="LOGIN" NAME="Submit">
</TD>
</TR>
</TABLE>
</CENTER></DIV>
</FORM>
</BODY>

<?
}

session_start();
if(!isset($userid)) {
login_form();
exit;
}
else {
session_register("userid", "userpassword", "status");
$username = auth_user($userid, $userpassword, $status);
if(!$username) {
session_unregister("userid");
session_unregister("userpassword");
session_unregister("status");
echo "Authorization failed. " .
"You must enter a valid userid and password combo. " .
"Click on the following link to try again.<BR>\n";
echo "<A HREF=\"$PHP_SELF\">Login</A><BR>";

  exit;

}
else echo "Welcome, $username!";
}
?>

Anon

Please have a look at my first two posts and if you have any suggestions let me know, I just can't get it to work!!

Reanna

Anon

personally I don't know why you are using a table with browse and admin in it -- I realize that you want to know whether a person is suppose to be in the admin section or not but A) I never put the admin section for a site with the site so that it cannot be located from the site. Anyone who has admin privledges will know the url so it does not have to be a link on the site. This helps a bit with security (not wise to advertise to the world that you have an admin section).

B. as soon as someone logs in with the correct name and password you can set a session variable to say admin which then you can use at the top of your page to check whether a person has logged in -- this is what Nate had suggested it had nothing to do with changing any data in the table that contains browse and admin

mistcat

Okay here is an example of one of my early attempts at the admin page login. (grin) Anyhow How this works is: the user logs in, when they are logged in we set the standard session check variable, 'authenticated' and we move on to the menu page for your admin script. Every admin page looks for the session var and if it doesn't exist redirects the user back to this log in page. This script could use some work to make it more robust, but in it covers the basics.

<?
require("func.lib");
session_start();
$_SESSION["authenticated"] = FALSE;
$form_name = "security_form";
$table = "xxxx";
$database="xxxxx";

if($POST['validate'] && (!EMPTY($POST['username'])) && (!EMPTY($POST['password'])) ){
$userName = addslashes($POST['username']);
$password = $POST['password'];
$salt = return_salt();
$password = crypt($password,$salt);
//echo "<BR>Password: " . $password . "<BR>";
$conn = db_connect() or die("No Database Connection could be made!!!!");
$query = "SELECT adminID, fullName, password FROM $table where userName = '$userName'";
//print $query . "<BR>";
$result = db_query($conn,$database,$query);
if(!$result) {
$error = "User $userName not found in database.";
} else {
$result_data = db_rows($result);
$result_data = $result_data[0];
//echo "<BR>DataBase Password: " . $result_data['password'] . "<--<BR>";
if(sizeof($result_data) == 0) {
$error = "User $userName not found in database.";
} else if(strcmp($result_data['password'],$password) === 0) {
$SESSION['authenticated'] = TRUE;
$SESSION['user_fullName'] = $result_data['fullName'];
$SESSION['user_adminID'] = $result_data['adminID'];
header("Location: http://".$SERVER['HTTP_HOST']
.dirname($SERVER['PHP_SELF'])
."/menu.php?" . SID);
exit;
} else {
$error = "Wrong Password.";
}
}

} else if ($_POST['validate']) {
$error = "Password and username must be entered for validation.";
}

$pageTitle = "Administration Page";
//$tmp = file("style.inc",TRUE);
$pageStyle= implode("\n",file("style.inc",TRUE));
/
foreach($tmp as $line) {
$pageStyle .= $line;
}
/
$pageStyle .=<<<EOT
td {
background: white;
color:black;
}
H1 {
color:#FF4455;
font-size:140%;
}
EOT;
//$pageJavascript = $javaScript;
$pageBodyTag = "onLoad=\"document.forms['".$form_name."'].elements['username'].focus();\"";
$pageMenuDisplay = FALSE;
include("adminheader.inc");
?>
<FORM NAME="<?=$form_name?>" METHOD="POST" ACTION="<? echo $_SERVER['PHP_SELF']; ?>">
<DIV ALIGN="CENTER">
<H1>User Administration</H1>
<BR>
<FONT COLOR="YELLOW"><?=$error?></FONT>
<TABLE class="dash" cellpadding="8">
<TR><TD>
<TABLE CELLSPACING="0" CELLPADDING="3">
<TR>
<TD>Username:</TD><TD><INPUT TYPE="TEXT" NAME="username" SIZE="20"></TD>
</TR>
<TR>
<TD>Password:</TD><TD><INPUT TYPE="PASSWORD" NAME="password" SIZE="20"></TD>
</TR>
<TR>
<TD COLSPAN="2"><INPUT TYPE="SUBMIT" NAME="SUBMIT" VALUE="Validate"></TD>
</TR>
</TABLE>
</TD></TR>
</TABLE>
<BR>
<INPUT TYPE="HIDDEN" NAME="validate" VALUE="1">
</DIV>
</FORM>
</BODY>