0

The title says it all. How would I go about only letting the usertype "Admin" access certain pages in my PHP project? To summarize, I have a "usertype" section in my sql database that assigns either the User role (default) or the admin role (created by Admins in the user management section). The thing is, 1. In my side menu, I do not want regular users to see the admin section where it lists all the admin modules (user management, about us editing page) and 2, I do not want regular users to be able to access those admin pages. Can somebody please help me with this? I've been stuck on it for a while.

This is my side-menu code:

<div id="layoutSidenav">
        <div id="layoutSidenav_nav">
            <nav class="sb-sidenav accordion sb-sidenav-dark" id="sidenavAccordion">
                <div class="sb-sidenav-menu">
                    <div class="nav">
                        <div class="sb-sidenav-menu-heading">Standard</div>
                        <a class="nav-link" href="dashboard.php">
                            <div class="sb-nav-link-icon"><i class="fas fa-tachometer-alt"></i></div>
                            Dashboard
                        </a>
                        <a class="nav-link" href="surf.php">
                            <div class="sb-nav-link-icon"><i class="fas fa-plane"></i></div>
                            Surf Freely
                        </a>
                        <a class="nav-link" href="chat.php">
                            <div class="sb-nav-link-icon"><i class="fas fa-comments"></i></div>
                            Chat
                        </a>
                        <div class="sb-sidenav-menu-heading">Admin</div>
                        <a class="nav-link" href="register.php">
                            <div class="sb-nav-link-icon"><i class="fas fa-users"></i></div>
                            User Management
                        </a>
                    </div>
                </div>
                <div class="sb-sidenav-footer">
                    <div class="small">Logged in as:</div>
                    <?php
                    echo $_SESSION['username'];
                    ?>
                </div>
            </nav>
        </div>

I do not want users with the usertype "User" accessing this part of the navbar:

<div class="sb-sidenav-menu-heading">Admin</div>
                        <a class="nav-link" href="register.php">
                            <div class="sb-nav-link-icon"><i class="fas fa-users"></i></div>
                            User Management
                        </a>

Here is my security file (the file that prevents logged in users from accessing certain pages):

<?php
session_start();
include('includes/dbconfig.php');

if(!$_SESSION['username']) {
    header('Location: login.php');
}
?>

Login code:

if (isset($_POST['login_btn'])) {
    $email_login = $_POST['email'];
    $password_login = $_POST['password'];

    $query = "SELECT * FROM register WHERE email='$email_login' AND password='$password_login' LIMIT 1";
    $query_run = mysqli_query($connection, $query);
    $usertypes = mysqli_fetch_array($query_run);
    if ($usertypes['usertype'] == "Admin") {
        $_SESSION['username'] = $email_login;
        header('Location: dashboard.php');
    } else if ($usertypes['usertype'] == "User") {
        $_SESSION['username'] = $email_login;
        header('Location: dashboard.php');
    } else {
        $_SESSION['status'] = "Email / Password is Invalid";
        header('Location: login.php');
    }
}
Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
LoveCenti
  • 7
  • 3
  • 1
    in the `login.php`, when the user login successfully, you can store the `usertype` into `$_SESSION["usertype"]` for example, then in `side-menu`, if the `$_SESSION["usertype"] == "admin"`, show your html code, else dont show anythings. – GNassro Aug 20 '20 at 03:57
  • I edited my post so the login code is at the bottom. How would I do this using my current login code? Sorry, I'm a little new. – LoveCenti Aug 20 '20 at 04:58
  • for exemple this is your login [code](http://sandbox.onlinephpfunctions.com/code/2f1a335be8707e9194a500533e0915d8ebe8a9fe), and this is your side-menu [code](http://sandbox.onlinephpfunctions.com/code/1a7843b1c3531dedbf65d0ce593f3094424c9c85) – GNassro Aug 20 '20 at 05:25
  • 1
    **WARNING**: your code is open to SQL injection, you must use MySQLi or PDO, and use parameterized prepared statements instead of manually building your queries. – GNassro Aug 20 '20 at 05:33
  • I am REALLY sorry to bother you again, but can you explain to me how to use PDO/Mysqli? – LoveCenti Aug 20 '20 at 05:50
  • you can learn it from the documentation of PHP [Mysqli](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) / [PDO](https://www.php.net/manual/en/pdo.prepare.php), you can find a good Tutorial in Youtub – GNassro Aug 20 '20 at 06:11
  • ok, thank u for this – LoveCenti Aug 20 '20 at 06:23
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Aug 20 '20 at 11:41

1 Answers1

1

Find login code

$_SESSION['username'] = $email_login;

Add after

$_SESSION['usertype'] = $usertypes['usertype'];

front-side

<?php if($_SESSION['usertype']=="Admin"){?>
...ur html code 
<?php }?>
vahdetcaliskan
  • 11
  • 1