
I posted a similar post of this with different code, but I have changed it a little now, and did not get the answers that I was hoping for (the answers did not help me much). I hope this is OK; tell me if it is not. :)

I have been trying to make a page protection for the Administrator page, and I cannot get it to work. I am sure this would not have been a problem if I were not new to PHP coding, hehe.

When a normal user with the type '0' is trying to access the administrator page, index_admin.php, the user will get redirected to the normal user page, index.php. And if the user has the type '1', then the user/admin will stay on the page.

Here is the code I have been trying to get working. (This file is required in index_admin.php and it is called index_admin_check.php.)

index_admin_check.php :

<?php
    session_start();
?>

<?php
    $vert = "localhost";
    $brukarnamn = "root";
    $passord = "";
    $db_namn = "nettsidebunad";
    $tbl_namn = "kunde_register";

    // Connection to the MySQL database.
    mysql_connect("$vert", "$brukarnamn", "$passord") or die ("Kan dessverre ikkje koble til databasen.");
    mysql_select_db("$db_namn") or die ("Kan ikkje finna den ynkjande databasen.");
?>

<?php
if (isset($_SESSION['mittbrukarnamn'])) {

    $sql1 = "SELECT `type` FROM $tbl_namn";
    $rad1 = mysql_query($sql1);
    $type1 = mysql_fetch_row($rad1);

    if ($type1 == 0) {
        echo "You do not have access to this page.";
        //header("location: index.php");
    } else {
        echo "You have access to this page.";
    }
}
?>

Some of this text is in Norwegian.

$vert = $host (in english)

$brukarnamn = $username (in english)

$passord = $password (in english)

$db_namn = $db_name (in english)

$tbl_namn = $tbl_name (in english)

$_SESSION['mittbrukarnamn'] = $_SESSION['myusername'] (in english)

Zoe
ravo10
    Don't use the `mysql_` family of functions for new code. These functions are deprecated, due to be removed from PHP, and are unsafe and open to SQL Injections. Instead, use parameterized queries using either [MySQLi](http://php.net/manual/en/book.mysqli.php) or [PDO](http://www.php.net/manual/en/book.pdo.php). – Ian Atkin Feb 03 '13 at 17:59

2 Answers


Your SQL query is selecting all rows, because you don't have a WHERE clause. So, when you call mysql_fetch_row, it fetches the first row only.

You need to check the type of the user currently logged in:

$sql1 = "SELECT `type` FROM $tbl_namn WHERE <user_name> = '$_SESSION[mittbrukarnamn]'";

Another suggestion would be to not use MySQL, but MySQLi or PDO, for database operations, since the MySQL extension is not maintained any more by PHP and will be deprecated completely in PHP 5.5.0. Some of the MySQL functions are deprecated already.

Edit: There's another problem in your code. mysql_fetch_row returns an array, so you will need to retrieve the value from your array.

if($type1['type'] == 0)

instead of

if($type1 == 0)
Achrome
  • `<user_name>` = `fornamn`. Hmm.. So I took your line of code that you edited: " `$sql1 = " SELECT type FROM $tbl_namn WHERE fornamn = '$_SESSION[mittbrukarnamn]'"; `" and I also tried: " `$sql1 = "SELECT fornamn, type FROM $tbl_namn WHERE fornamn = '$_SESSION[mittbrukarnamn]' `"; " and tried it, but it seems like the number in the if statement doesn't care if the user is '1' or '0', as these seem to only turn the if statement on and off. Hmm... weird. – ravo10 Feb 03 '13 at 19:46
  • Oh, I used `<user_name>` as a template, as I didn't know the exact column name where the user name is stored. You will have to replace it with the actual column name. – Achrome Feb 03 '13 at 19:47
  • I could not edit it anymore, hehe. So I posted it again: `<user_name>` = `fornamn`, and `fornamn` = `username` (in english). Hmm.. So I took your line of code that you edited: " `$sql1 = " SELECT type FROM $tbl_namn WHERE fornamn = '$_SESSION[mittbrukarnamn]'"; `" and I also tried: " `$sql1 = "SELECT fornamn, type FROM $tbl_namn WHERE fornamn = '$_SESSION[mittbrukarnamn]' `"; " and tried it, but it seems like the number in the if statement doesn't care if the user has the type '1' or '0', as these seem to only turn the if statement on and off. Hmm... weird. – ravo10 Feb 03 '13 at 19:52
  • Aha, OK. I will try that :) *edited: I meant that `fornamn` is the column name where all the usernames/firstnames are under. I edited it a few times, so maybe it did not show up, hehe. :D – ravo10 Feb 03 '13 at 20:00
  • I also spotted another problem in your code, so updated my answer to reflect that. – Achrome Feb 03 '13 at 20:02
  • Aha, thank you. It is so weird. So one of my users has the `type` `1` and even if the `if` statement is set to display the message `"You do not have access to this page."` only when the user has the type `0`, it displays it the whole time. I have no idea what the problem is :S – ravo10 Feb 03 '13 at 20:14

As I seem to be answering a lot today, I have an admin panel on github that seems to answer a lot of common questions about php logins. In your case, you would simply fetch type from your database and use that. Note that you must provide the WHERE statement in your SQL, otherwise you will not have that user's information. You will have every piece of it in that table.

The following makes use of prepared queries. mysql_* functions are deprecated (no longer supported; see this SO question).

function get_user_array() {
    /* Does all of the heavy lifting for getting user stats. */
    $db = new db(); // where db() is an abstraction class that implements mysqli and adds login details.
    if (isset($_SESSION["id"])) {
        $sid = $_SESSION["id"];
        if ($query = $db->prepare("SELECT id, name, status FROM `users` WHERE id=?")) {
                $query->bind_param("i", $sid); // i = integer
                $query->execute();
                $query->bind_result($id, $name, $status);
                $query->fetch();
                $query->close();
                $db->close();
                return array("name" => $name, "status" => $status, "id" => $id);
        } else {
            return false;
        }
    } else {
        return false;
    }
}

My suggestion is also to use a user id, and find everything from the database. That way, if their username changes, the whole site doesn't blow up on their page load.

The actual comparison would be:

$user = get_user_array();
// get_user_array() returns the role under the "status" key, so compare that.
if (@$user["status"] != 'admin') { // @ error-handling will make it NULL anyway.
    header("Location: index.php"); // note: this must be sent BEFORE any output!
    exit; // stop here so the rest of the admin page is never sent after the redirect
}

And the fast comparison to check if a normal user is logged in (if logged_in(), for instance):

$user = get_user_array();
if (!@$user["id"]) { // continue only if logged in
    // not logged in handle
}

Note: db() is this class (it is great to override the mysqli public functions to shorten code in the long run, provided you call the parent):

class db extends mysqli {
    public function __construct($a = DB_HOST,
                                $b = DB_USER,
                                $c = DB_PASS,
                                $d = DB_NAME,
                                $persistent = true) {
        if ($persistent) {
            parent::__construct("p:" . $a, $b, $c, $d);
        } else {
            parent::__construct($a, $b, $c, $d);
        }
    }
}
Amelia
  • Wow, thank you; that was a lot of good information. I will look at it closer. Thanks again. :) – ravo10 Feb 03 '13 at 19:41
  • I am installing a mysql - mysqli converter (a built in converter). Do you think that it will convert it properly? It is called "E++". – ravo10 Feb 03 '13 at 20:37
  • I can't give any guarantees that it will or will not work, since I haven't heard of it. You could probably try (but back up first). – Amelia Feb 03 '13 at 20:38
  • One of my users has the type `1` and even if the `if` statement is set to display the message `"You do not have access to this page."` only when the user has the type `0`, it displays it the whole time. Do you know why this happens? – ravo10 Feb 03 '13 at 21:50
  • `1` and `0` are boolean-like (`0 == false` but `0 !== false`, etc.) – Amelia Feb 03 '13 at 21:52
  • Mhm, still doesn't work. Do you have any other idea what it can be? – ravo10 Feb 03 '13 at 22:24
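Pulling together the points from both answers (a WHERE clause on the logged-in user, reading the value out of the fetched array, prepared statements, and the loose `0`/`false`/`null` comparison raised in the last comments), here is an added example of index_admin_check.php written with PDO; it is not the asker's or either answerer's code. It assumes from the thread a `kunde_register` table with columns `fornamn` (username) and `type` (0 = normal user, 1 = administrator), a login page that sets `$_SESSION['mittbrukarnamn']`, and a `login.php` to send anonymous visitors to.

```php
<?php
// index_admin_check.php as an added example: not the asker's or either
// answerer's code. Assumed from the thread: table `kunde_register` with
// columns `fornamn` (username) and `type` (0 = normal user, 1 = admin),
// $_SESSION['mittbrukarnamn'] set by a login page, and a login.php to
// send anonymous visitors to.
session_start();

// Send the redirect header before any output and stop the script, so
// nothing from index_admin.php is rendered for a non-admin.
function redirect_to(string $path): void
{
    header('Location: ' . $path);
    exit;
}

// Type of one named user, or null when no such user exists.
function fetch_user_type(PDO $pdo, string $username): ?int
{
    // WHERE restricts the result to the logged-in user; without it the
    // first row of the whole table would be returned. The placeholder
    // keeps the session value out of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT `type` FROM `kunde_register` WHERE `fornamn` = :u LIMIT 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // associative, so $row['type'] exists
    return $row === false ? null : (int) $row['type'];
}

// Strict check: null (unknown user) and 0 are both loosely == 0, so only
// an explicit integer 1 grants admin access.
function is_admin(?int $type): bool
{
    return $type === 1;
}

if (!isset($_SESSION['mittbrukarnamn'])) {
    redirect_to('login.php');
}

$pdo = new PDO('mysql:host=localhost;dbname=nettsidebunad;charset=utf8mb4',
               'root', '', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

if (!is_admin(fetch_user_type($pdo, $_SESSION['mittbrukarnamn']))) {
    redirect_to('index.php'); // normal user: back to the user page
}
```

Because the file redirects and exits before printing anything, it can be required at the very top of index_admin.php; the echo-based version in the question cannot redirect after it has already produced output.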