
User Restriction

iBrightDev

Jay Street
I am currently using the following code to make sure a user is logged in before they can view the admin area. This code goes in the admin.php file, and any other page that is in the admin panel.

PHP:
session_start();

if(!isset($_SESSION['loggedin'])) {
   header('Location: http://www.workperkaz.com/admin/index.php?error=1');
   exit();
}

and here is the file i use to process the login. after they click submit for entering from the login area, it will process the login information.

PHP:
<?php
session_start();

include('includes/phpconnect.php');
//$dbHost = ""; // Database Connection Details - host
//$dbUser = ""; // Database Connection Details - username
//$dbPass = ""; // Database Connection Details - password
//$dbname = ""; // Database Connection Details - database name

// Stores our inputted data in these variable names, escaped for use in the
// query below (the connection from phpconnect.php must already be open)
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

//$db = mysql_connect($dbHost,$dbUser,$dbPass); // Connection Code
mysql_select_db ("DATABASE NAME GOES HERE"); // Selects the database

$query = "SELECT user, pass FROM login WHERE user = '$username' AND pass = '$password'";
$result = mysql_query($query);
if(mysql_num_rows($result)) {
   $_SESSION['loggedin'] = 1;
   //header('Location: http://www.workperkaz.com/admin/admin.php');
   include("admin.php");
   exit();
}
else {
   //header('Location:http://www.workperkaz.com/admin/index.php?error=1');
   echo '<div align="center">Invalid login data supplied. Please try again.</div>';
   include("index.php");
   exit();
}

?>

my question is, how can i make it so if a certain user logs in, say "guest", and that it is limited to only view the areas of the site, but not to be able to actually submit any info, delete any info, or anything like that?
 
implement user level system, use enum mysql cells to set / select the level and switches for content / menus for each
 
PHP:
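// Look up the row of the logged-in user (the username comes from the session)
$user = mysql_query("SELECT * FROM `user_db` WHERE `username`='$_SESSION[username]'");
$loggedin = mysql_fetch_array($user);

// Redirect according to the level stored in that row
if ($loggedin['level'] == "Guest") {
   header("Location: guestarea.php");
   exit();
} elseif ($loggedin['level'] == "Admin") {
   header("Location: admin.php");
   exit();
}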

I haven't tested that... but that's just an example of telling if the user is admin or guest. ENUM does work, but there are other ways too :p

You can use Varchar for level, or ENUM
 

i like that this seems simple, but where should i put it in my code?
 
put it either in your login script or the place that you get directed to after you go to the login place
 
ok, thanks Carl.

*edit
the only problem with the one you gave is that i have to make a second admin panel where you can't do anything. i just want to restrict the guest user from doing anything that could change the page, but would like to let them see everything. is there a way i can just do this with the session somehow. just tell it is 1 then allow everything, or if it is 2, then allow viewing, but no submitting anything or deleting anything.
 
in your login script where you have the if mysql_num_rows under that put
that in your login script, under the mysql_num_rows part.. then it'll redirect them where appropriate
 

no, i understand that, but i don't want to have to make a second page to redirect them to. isn't there just a way to block them?
 
Yeah, if these people that are "guests" are not actual users.. or something another thing you can do is...

PHP:
// Stop here unless the fetched user row has the Admin level
if ($loggedin['level'] != "Admin") {
   die("You don't have enough permissions.");
}
 
implement user level system, use enum mysql cells to set / select the level and switches for content / menus for each

please elaborate a little bro. i provided enough code so that someone with your knowledge could hopefully add a little something to my code to do what i am trying to do. and tell me what to add to the db where the accounts are listed. thanks in advance if you are able to help.
 
Well it requires a little more than just adding some code to your page.

Firstly, add a field to the user table, I'll be referring to that as user_level.

Secondly, I'll assume you have written a trigger_error function, which grabs a generic error page or die()'s, I'll refer to that as trigger error.

So, here's how I think you should do it:

For every page / function, probably function that you write, at the top do something like

if(USER_LEVEL < REQUIRED)
{
trigger_error("Insufficient privileges");
}

REQUIRED will change for each function.

So for level say 3 there would be admin, giving them the ability to run everything that the application has to offer, and then on 2 activated members, on 1 registered users and on 0 guests.

Hopefully that'll explain it a little better.
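
Added example, not part of any post in this thread: one way to get the view-only demo account discussed here with a level stored in the session. It assumes a user_level column on the login table (1 = admin, 0 = demo), password_hash() values in pass, and that every change in the admin panel is sent as a POST; check_login() and may_proceed() are hypothetical names, and an in-memory SQLite table stands in for the real database.

```php
<?php
// Added example, not code from the thread. Assumed schema: login(user, pass,
// user_level) with 1 = admin, 0 = demo, and pass holding a password_hash() value.

// Constructed sample rows in an in-memory SQLite database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (user TEXT PRIMARY KEY, pass TEXT, user_level INTEGER)');
$ins = $db->prepare('INSERT INTO login VALUES (?, ?, ?)');
$ins->execute(['client', password_hash('constructed-admin-pw', PASSWORD_DEFAULT), 1]);
$ins->execute(['demo', password_hash('demo', PASSWORD_DEFAULT), 0]);

// Hypothetical helper: returns the user's level, or null when the login fails.
function check_login(PDO $db, string $user, string $pass): ?int {
    // Placeholders keep the submitted values out of the SQL text.
    $st = $db->prepare('SELECT pass, user_level FROM login WHERE user = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pass'])) {
        return null;
    }
    return (int) $row['user_level'];
}

// Hypothetical guard: any logged-in level may view, only level 1 may change things.
function may_proceed(?int $level, string $method): bool {
    if ($level === null) {
        return false; // not logged in
    }
    $readOnly = in_array($method, ['GET', 'HEAD'], true);
    return $readOnly || $level >= 1;
}

// Wiring, login script (after session_start()):
//   $level = check_login($db, $_POST['username'], $_POST['password']);
//   if ($level !== null) { session_regenerate_id(true);
//       $_SESSION['loggedin'] = 1; $_SESSION['user_level'] = $level; }
// Wiring, top of every admin page (after the existing isset() check):
//   if (!may_proceed($_SESSION['user_level'] ?? null, $_SERVER['REQUEST_METHOD'])) {
//       http_response_code(403); exit('Demo account is view-only.'); }

// Constructed demonstration of the decisions.
$demo  = check_login($db, 'demo', 'demo');
$admin = check_login($db, 'client', 'constructed-admin-pw');
var_dump(may_proceed($demo, 'GET'));   // demo account viewing a page
var_dump(may_proceed($demo, 'POST'));  // demo account submitting a form
var_dump(may_proceed($admin, 'POST')); // admin submitting a form
var_dump(check_login($db, "d'emo", 'demo')); // quote in the name is plain data
```

The guard only holds if nothing in the panel changes data on a GET request; delete links that use GET need to become POST forms or get their own level check.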
 
that explains a little. here is where i am going with all of this. i simply want to have user_level be 1 for admin level, and 0 for guest/demo users. there aren't any actual members of the site. right now, there are two users, one being the client, and the other is me, this way i can help them when needed without remembering their info. i want to be able to show future clients what an admin area is, and have them surf around it, but don't want them to be able to actually edit anything. is this really possible?
 
i'm making such a system too

what you have to do is:
PHP:
ob_start();

If($loggedin == 1)
{
	header("Location: index.php");
}
Else //code for register.php or not no access or something

a bit of my code:
PHP:
{
	echo top("loggin");

	If($_SERVER['REQUEST_METHOD'] == "POST")
	{
		// Escape the submitted nick before it goes into the query string
		$query 	= @mysql_query("SELECT id,username,password,regels FROM red_users WHERE gebruikersnaam='" . mysql_real_escape_string($_POST['nick']) . "' AND activatie='ja'")or die(mysql_error());
		$list 	= mysql_fetch_assoc($query);

		If (!$_POST['nick'] || !$_POST['pass'])
		{
			echo "field username and password is required";
 		}
		ElseIf (mysql_num_rows($query) == 0)
		{
			echo "".html(stripslashes($_POST['nick']))." is not in database";
		}
		ElseIf ($list['wachtwoord'] != md5($_POST['pass']))
		{
			echo "password dont match for this user";
		}
		Else
		{
			If($_POST['tijd'] == "year")
			{
				$lengte = 60*60*24*365;
			}
			ElseIf($_POST['tijd'] == "Month")
			{
				$lengte = 60*60*24*31;
			}
			ElseIf($_POST['tijd'] == "Week")
			{
				$lengte = 60*60*24*7;
			}
			Else
			{
				$lengte = 60*60*24;
			}

			// $_SERVER['REMOTE_ADDR'] works without register_globals
			@mysql_query("DELETE from red_online WHERE ip='".$_SERVER['REMOTE_ADDR']."'");

			setcookie("gebruikersnaam", $list['user'], time() + $lengte, "/");
			setcookie("wachtwoord", $list['password'], time() + $lengte, "/");
			setcookie("id", $list['id'], time() + $lengte, "/");
Else
			{
				header("Location: index.php");
			}
i don't know myself if i'm using right functions and stuff i'm learning myself.
 
But then, he only wants users with admin level access to do things but wants everyone to be able to look around and not to be able to actually do anything but to look around.
 

that is correct. i want to just create an account with the name demo, and password demo, and make it so they can look around the admin panel to see how it would function, but only allow admin people to make changes. i am not making a user registration part, and members do not sign up. so, finally someone understands what i want, now, can anyone help me accomplish this task?
 
then download oneadmin and edit it to check suit your site. or learn from the code that way you know your script is safe against sql injections
 

i have no clue what you are trying to say here. also, i am not mentioning anything about sql injection. i know my script. :S
 
I thought it was like this,
Just example:

PHP:
<?php
session_start(); // needed before $_SESSION can be read

if ($_SESSION['group_id'] == 'admin'){

// Do whatever is intended to do.

}else{
Print 'Error: You do not have access.';
};

?>

and $_SESSION['group_id'] = the group ID for the current member saved in a session variable.
That's how I would personally do it.
 


if i do that, do i need to get rid of this code
PHP:
session_start(); 

if(!isset($_SESSION['loggedin'])) { 
   header('Location: http://www.workperkaz.com/admin/index.php?error=1'); 
   exit(); 
}
or, just add it after the session start?
 