
I've been stuck trying to block access to an admin page using PHP. The PHP is below but I can't figure out which combination of statements I need to use for the permission to be selected.

When I dump my session it's always null but the email session is there. It's a simple login requiring email and password. I basically want it to also get their permission from the DB.

```php
<?php
session_start();
include ('../config/config.php');

/* basic field validation */
$email = trim($_POST["email"]);
$password = trim($_POST["password"]);

/* check if details are empty, redirect if they are */
if (empty($email) or empty($password)) {
    $_SESSION["message"] = "You must enter your email and password";
    // Redirect to index
    header("Location: ../index.php");
    exit;
}

/* sanitise the input */
$email = strip_tags($email);
$password = strip_tags($password);

/* SQL user selection query, with error handling for the SQL */
$query = "SELECT email, permission FROM users WHERE email = '$email' AND password = '$password'";
$result = mysqli_query($mysqli, $query) or exit("Error in query: $query. " . mysqli_error($mysqli));

/* on query success, set sessions for email and permission */
if ($row = mysqli_fetch_assoc($result)) {
    $_SESSION["authemail"] = $email;
    $_SESSION["permission"] = $permission;
    /* redirect the user to the secured page */
    header("Location: ../loggedin.php");
    exit;
} else {
    /* display error if login was not successful and redirect to index */
    $_SESSION["message"] = "Could not log in as $email - $query";
    header("Location: ../index.php");
    exit;
}
?>
```

Feel free to edit some of the text out if it isn't relevant.

RachMcrae

  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Jan 03 '17 at 22:09
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jan 03 '17 at 22:09
  • What exactly is wrong with your code? Where did you debug your session? When was it null? And what do you mean by "email session is there"? First thing I notice is that `$permission` does not exist. – mtricht Jan 03 '17 at 22:10
  • Just generally printing the session like this. This is what it prints: `array(2) { ["authemail"]=> string(26) "Twister-2009@hotmail.co.uk" ["permission"]=> NULL }` – RachMcrae Jan 03 '17 at 22:17
  • You are not setting your `$permission` var as far as I can tell. You might need to declare it as a subset of the result like `$permission = $result['permission']` or something like that, depending on your db values. – happymacarts Jan 03 '17 at 22:18
  • How is the best way to set it and how should I be pulling it from my DB with the SQL statement? – RachMcrae Jan 03 '17 at 22:19
  • See modified comment. – happymacarts Jan 03 '17 at 22:20
  • Your `$email` is being set from the form submit, not the db (may not be what you intend), as the user can set that. – happymacarts Jan 03 '17 at 22:20

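The following is an added example, not the asker's code and not an answer from the thread. It puts together what the comments point at: a prepared statement instead of interpolating `$email` and `$password` into the query, `password_hash()`/`password_verify()` instead of plain-text passwords, the permission copied into the session from the fetched row (the reason `$_SESSION["permission"]` was `NULL`), and a gate for the admin page. It assumes a `users` table with `email`, `password` (a `password_hash()` digest) and `permission` columns, and uses an in-memory SQLite database through PDO so it runs offline with `php login_example.php`; against MySQL with mysqli the same pattern is `prepare()`, `bind_param()`, `execute()`.

```php
<?php
// Added example, not the asker's code. Assumed schema: users(email, password, permission),
// where password holds a password_hash() digest. SQLite in memory stands in for MySQL.
declare(strict_types=1);

/* Look the user up by email only, then check the password against the stored hash.
   Returns ['email' => ..., 'permission' => ...] on success, null otherwise. */
function authenticate(PDO $db, string $email, string $password): ?array
{
    // The email is bound as a parameter, so quotes in it are data, not SQL.
    $stmt = $db->prepare('SELECT email, password, permission FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // unknown user and wrong password give the same result
    }
    return ['email' => $row['email'], 'permission' => $row['permission']];
}

/* Gate for a protected page: the session must carry the required permission. */
function is_allowed(array $session, string $required): bool
{
    return isset($session['authemail'], $session['permission'])
        && $session['permission'] === $required;
}

/* The form handler's logic; returns the page to redirect to and fills $session.
   In the real handler $session is $_SESSION and the return value goes to header("Location: ...") followed by exit. */
function login_handler(PDO $db, array $post, array &$session): string
{
    $email = trim($post['email'] ?? '');
    $password = $post['password'] ?? ''; // not trimmed or strip_tags()'d: the hash must see the password as typed
    if ($email === '' || $password === '') {
        $session['message'] = 'You must enter your email and password';
        return '../index.php';
    }
    $user = authenticate($db, $email, $password);
    if ($user === null) {
        $session['message'] = "Could not log in as $email"; // no SQL text in user-visible messages
        return '../index.php';
    }
    $session['authemail'] = $user['email'];       // from the DB row, not from $_POST
    $session['permission'] = $user['permission']; // the value the admin gate checks
    return '../loggedin.php';
}

// Constructed sample data so the example runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL, permission TEXT NOT NULL)');
$seed = $db->prepare('INSERT INTO users (email, password, permission) VALUES (:e, :p, :perm)');
$seed->execute([':e' => 'admin@example.com', ':p' => password_hash('correct horse', PASSWORD_DEFAULT), ':perm' => 'admin']);
$seed->execute([':e' => 'user@example.com',  ':p' => password_hash('hunter2', PASSWORD_DEFAULT),       ':perm' => 'user']);

// An admin logging in: permission comes from the row and opens the admin gate.
$session = [];
login_handler($db, ['email' => 'admin@example.com', 'password' => 'correct horse'], $session);
echo 'admin login: permission=' . var_export($session['permission'] ?? null, true)
   . ', admin gate ' . (is_allowed($session, 'admin') ? 'open' : 'closed') . PHP_EOL;

// An ordinary user logs in fine but the admin gate stays closed.
$session = [];
login_handler($db, ['email' => 'user@example.com', 'password' => 'hunter2'], $session);
echo 'user login: permission=' . var_export($session['permission'] ?? null, true)
   . ', admin gate ' . (is_allowed($session, 'admin') ? 'open' : 'closed') . PHP_EOL;

// A quote in the email field is just a string that matches no row.
$session = [];
login_handler($db, ['email' => "' OR '1'='1", 'password' => 'anything'], $session);
echo 'quoted email: logged in? ' . (isset($session['authemail']) ? 'yes' : 'no') . PHP_EOL;
```

On the admin page itself the check is the first thing after `session_start()`: `if (!is_allowed($_SESSION, 'admin')) { header('Location: ../index.php'); exit; }`. Two design points carry over to the mysqli version: select by email only and let `password_verify()` decide, rather than putting the password in the `WHERE` clause, and never trim or `strip_tags()` the password, since that would change what gets hashed.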