
The first is the panel.php file, the second is the session file and the third is the login.php file. I want the panel.php file to show only the admin links if the logged-in user is an administrator, and otherwise show the other links. I don't know what happened with this code; I tried, but it is showing all links to all users. Kindly find the error please.

panel.php file

    <?php
    include('session.php');
    ?>
    <!DOCTYPE html>
    <html>
    <head>
        <title></title>
    </head>
    <body>
    <?php
    if($_SESSION['role']=='Administrator')
    {
    ?>
        <li><a href="#">Add Publisher</a></li>
    <?php
    }else{
    ?>
        <li><a href="#">Mailbox</a></li>
    <?php
    }
    ?>
    </body>
    </html>

session.php file

    <?php

    $connection = mysql_connect("localhost", "root", "");
    $db = mysql_select_db("simple_db", $connection);
    session_start(); // Starting Session
    // Storing Session
    $user_check=$_SESSION['login_user'];
    $role_check=$_SESSION['role'];

    // SQL Query To Fetch Complete Information Of User
    $ses_sql=mysql_query("SELECT * FROM simple_db WHERE email_n='$user_check' ", $connection);
    $row = mysql_fetch_assoc($ses_sql);
    $login_session =$row['email_n'];

    if(!isset($login_session)){
        mysql_close($connection); // Closing Connection
        header('Location: login.php'); // Redirecting To Home Page
    }
    ?>

login.php file

    <?php
    session_start(); // Starting Session
    $error=''; // Variable To Store Error Message
    if (isset($_POST['submit'])) {
        if (empty($_POST['email_n']) || empty($_POST['email_p'])) {
            $error = "Email or Password is invalid";
        }
        else
        {
            // Define $username and $password
            $email_n = $_POST['email_n'];
            $email_p = $_POST['email_p'];
            // Establishing Connection with Server by passing server_name, user_id and password as a parameter
            $connection = mysql_connect("localhost", "root", "");
            // To protect MySQL injection for Security purpose
            $email_n = stripslashes($email_n);
            $email_p = stripslashes($email_p);
            $email_n = mysql_real_escape_string($mail_n);
            $email_p = mysql_real_escape_string($email_p);
            // Selecting Database
            $db = mysql_select_db("simple_db", $connection);
            // SQL query to fetch information of registerd users and finds user match.
            $query = mysql_query("SELECT * FROM simple_db WHERE email_n='$email_n' AND email_p = '$email_p' ", $connection);
            $rows = mysql_num_rows($query);
            if ($rows == 1) {

                $_SESSION['login_user']=$email_n;
                $_SESSION['role']=$row->Role;

                // Initializing Session
                header("location: panel.php"); // Redirecting To Other Page
            } else {
                $error = "Email or Password is invalid";

            }
            mysql_close($connection); // Closing Connection
        }
    }
    ?>
  • When you ask a question about an error **ALWAYS** include the **error log**. Add `error_reporting(E_ALL); ini_set('display_errors', 1);` at the top of your `php` script, what does it return? – Pedro Lobito Apr 26 '17 at 16:19
  • Stop using the `mysql_*` functions. They have been deprecated since v5.5 (Jun 2013) and removed since v7.0 (Dec 2015). Instead use the [**mysqli_***](https://secure.php.net/manual/en/book.mysqli.php) or [**PDO**](https://secure.php.net/manual/en/book.pdo.php) functions with [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) and [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). – Alex Howansky Apr 26 '17 at 16:19
  • Your code is vulnerable to [**SQL injection attacks**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 26 '17 at 16:19
  • How do I use mysqli in this? I use prepared statements – MUHAMMAD UMAR GULZAR Apr 26 '17 at 16:21
  • `error_reporting(E_ALL); ini_set('display_errors', 1);` does not show anything; the result is the same. All links are showing – MUHAMMAD UMAR GULZAR Apr 26 '17 at 16:22
  • Anybody please help me? – MUHAMMAD UMAR GULZAR Apr 26 '17 at 16:53
  • What content does the variable `$admin_email_n` contain? – manian Apr 26 '17 at 17:15
  • `$admin_email_n` is the admin email address – MUHAMMAD UMAR GULZAR Apr 26 '17 at 17:20
  • But it does not have a value set from the code you posted. – manian Apr 26 '17 at 17:23
  • Sorry, I wrote that by mistake; I have corrected it. Please can you remove the error? It is showing all links to all users @manian – MUHAMMAD UMAR GULZAR Apr 26 '17 at 17:29
  • @AlexHowansky what is the error in this code? – MUHAMMAD UMAR GULZAR Apr 26 '17 at 17:39
  • **Never** store plain text passwords. You should use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php) instead. If you're using a version of PHP prior to 5.5, do **not** use MD5 or SHA1 to hash passwords. Instead you can use [this compatibility pack](https://github.com/ircmaxell/password_compat). – Alex Howansky Apr 26 '17 at 17:43
  • In the session.php file, can you add `ob_start();` at the first line and move `session_start();` to the second line? Like – manian Apr 26 '17 at 17:54
  • Still showing me the same result – MUHAMMAD UMAR GULZAR Apr 27 '17 at 01:07
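The following is an added example, not the asker's code or anything from the comments. It rewrites the same login -> session -> panel flow the question posts, applying what the comments recommend: PDO prepared statements with bound parameters instead of string-built `mysql_*` queries, `password_hash()`/`password_verify()` instead of a plain-text password in the `WHERE` clause, and the role read from a fetched row (in the posted login.php, `$row` is never fetched before `$row->Role` is read, so `$_SESSION['role']` is never set; the posted `mysql_real_escape_string($mail_n)` also reads a variable that does not exist). It uses an in-memory SQLite database so it runs offline from the command line; the table name `users`, the column `password_hash`, the sample accounts and the PHP 7.1+ / `pdo_sqlite` requirement are assumptions, not part of the question. Switching to MySQL changes only the DSN and credentials given to `new PDO()`.

```php
<?php
// Added example (not the asker's code): login, session guard and role-based
// panel links, using PDO prepared statements and hashed passwords.
// Assumed schema (not from the question): table `users` with columns
// email_n, password_hash, Role. Requires PHP 7.1+ with pdo_sqlite.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');            // for MySQL: 'mysql:host=...;dbname=simple_db', user, password
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (email_n TEXT PRIMARY KEY, password_hash TEXT NOT NULL, Role TEXT NOT NULL)');
    // Constructed sample accounts; only password_hash() output is stored, never the password.
    $ins = $db->prepare('INSERT INTO users (email_n, password_hash, Role) VALUES (:e, :h, :r)');
    $ins->execute([':e' => 'admin@example.test', ':h' => password_hash('admin-pass', PASSWORD_DEFAULT), ':r' => 'Administrator']);
    $ins->execute([':e' => 'user@example.test',  ':h' => password_hash('user-pass',  PASSWORD_DEFAULT), ':r' => 'User']);
    return $db;
}

// Replaces the query in login.php. Returns the user's role on success, null otherwise.
// The email is a bound parameter, so it is sent as data, never spliced into SQL;
// the password is checked with password_verify() instead of being compared in the query.
function authenticate(PDO $db, string $email, string $password): ?string
{
    $stmt = $db->prepare('SELECT password_hash, Role FROM users WHERE email_n = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);       // fetch the row before reading its columns
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;                             // same outcome for unknown user and wrong password
    }
    return $row['Role'];
}

// Replaces the guard in session.php: a web script would call header('Location: login.php')
// followed by exit when this returns false (the posted code keeps rendering after header()).
function sessionIsValid(array $session): bool
{
    return isset($session['login_user'], $session['role']) && $session['role'] !== '';
}

// Replaces the if/else branches in panel.php: the links a given role may see.
function linksForRole(string $role): array
{
    return $role === 'Administrator'
        ? ['Add Publisher' => '#']
        : ['Mailbox' => '#'];
}

// Offline demonstration of the three steps for a few constructed attempts,
// including an email containing a quote, which the bound parameter treats as plain text.
$db = openDb();
$attempts = [
    ['admin@example.test', 'admin-pass'],
    ['user@example.test',  'user-pass'],
    ['user@example.test',  'wrong-pass'],
    ["admin@example.test' OR 'a'='a", 'anything'],
];
foreach ($attempts as [$email, $password]) {
    $role = authenticate($db, $email, $password);
    // What login.php would store in $_SESSION on success (with session_regenerate_id(true) first).
    $session = $role === null ? [] : ['login_user' => $email, 'role' => $role];
    $outcome = sessionIsValid($session)
        ? 'panel shows: ' . implode(', ', array_keys(linksForRole($session['role'])))
        : 'redirect to login.php';
    printf("%-34s -> %s\n", $email, $outcome);
}
```

Run with `php example.php`: the administrator sees only "Add Publisher", the ordinary user only "Mailbox", and the wrong password and the quoted email both end in a redirect, because the parameter is never interpreted as SQL and `password_verify()` fails. Storing the role in the session at login, as the question already does, is the right place for it; the panel then only has to read `$_SESSION['role']`, and regenerating the session id at login keeps a pre-login session id from carrying the new privileges.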

0 Answers