
Hi, I want to block direct URL access to my pages using the PHP code below, but if I include it in my forms I can't log in even after typing my username and password; it's like I'm locked out of my application. Can someone help please?

That's my security.php file:

```php
<?php
// Redirect to the login page when no user is stored in the session
if (!isset($_SESSION['user'])) {
    header('location:user_login.php');
}
?>
```

And the user login file:

```php
<?php
if (isset($_POST['btnLogin'])) {
    $user = $_POST['user'];
    $password = $_POST['password'];

    // sql injection security
    $user = mysqli_real_escape_string($con, $user);
    $password = mysqli_real_escape_string($con, $password);

    // select database
    $db = mysqli_select_db($con, 'nesthet');

    $query = "SELECT * from users where user='$user' AND password='$password'";
    $query_run = mysqli_query($con, $query);
    $role = mysqli_fetch_array($query_run);

    // user redirection based on user role
    if ($role['role'] == "admin") {
        session_start();
        $_SESSION['user'] = $user;
        header('location: admin.php');
    }
    else if ($role['role'] == "user") {
        $_SESSION['user'] = $user;
        header('location: mdi_parent.php');
    }
    else {
        $_SESSION['status'] = "Username or password is invalid";
        header('location: index.php');
    }
}
?>
```

  • **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Sep 15 '20 at 12:47
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Sep 15 '20 at 12:48

1 Answer


In security.php you should execute session_start() before using the $_SESSION variable:

```php
<?php
if (!isset($_SESSION['user'])) {
    header('location:user_login.php');
}
?>
```

In your code, you only start the session when the role is admin:

```php
if ($role['role'] == "admin") {
    session_start();
    $_SESSION['user'] = $user;
    header('location: admin.php');
}
else if ($role['role'] == "user") {
    $_SESSION['user'] = $user;
    header('location: mdi_parent.php');
}
else {
    $_SESSION['status'] = "Username or password is invalid";
    header('location: index.php');
}
```
InYeopTTi
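A corrected version of both files, added here as an example and not the asker's or the answerer's code: session_start() runs once at the top of security.php and of the login handler (before either role branch), the lookup uses a MySQLi prepared statement with password_verify() as the comments above recommend, and every header() redirect is followed by exit so the rest of the script cannot keep running. The table and column names (users, user, password, role), the database name nesthet and the $con connection are taken from the question; the password column is assumed to hold password_hash() output.

```php
<?php
// ---- security.php (constructed example): include at the top of every protected page ----
if (session_status() === PHP_SESSION_NONE) {
    session_start();                       // must precede any $_SESSION access
}
if (!isset($_SESSION['user'])) {
    header('Location: user_login.php');
    exit;                                  // without exit the protected page would still render
}
?>
<?php
// ---- user_login.php handler (constructed example) ----
// $con is assumed to be an open mysqli connection created earlier, as in the question.
session_start();                           // once, before both the admin and user branches

if (isset($_POST['btnLogin'])) {
    $user     = $_POST['user'] ?? '';
    $password = $_POST['password'] ?? '';

    mysqli_select_db($con, 'nesthet');
    // Prepared statement: the submitted username is bound as data, never spliced into SQL text.
    $stmt = mysqli_prepare($con, 'SELECT password, role FROM users WHERE user = ?');
    mysqli_stmt_bind_param($stmt, 's', $user);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $row = $result ? mysqli_fetch_assoc($result) : null;

    // Assumed: users.password stores a password_hash() digest, compared with password_verify().
    if ($row !== null && password_verify($password, $row['password'])) {
        $target = null;
        if ($row['role'] === 'admin') {
            $target = 'admin.php';
        } elseif ($row['role'] === 'user') {
            $target = 'mdi_parent.php';
        }
        if ($target !== null) {
            session_regenerate_id(true);   // fresh session id once the user is authenticated
            $_SESSION['user'] = $user;
            $_SESSION['role'] = $row['role'];
            header('Location: ' . $target);
            exit;
        }
    }
    // Same message for unknown user, wrong password and unknown role.
    $_SESSION['status'] = 'Username or password is invalid';
    header('Location: index.php');
    exit;
}
?>
```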