Larry Ullman's Book Forums

Redirecting To Members' Or Admin Page



Please would you save me from going crazy. The attached login code is HTML5, it has one feature missing i.e., the ability to log in to either the admin page or the members' page using the user_level of the administrator (level 1) or the ordinary member (level 2). I have tried so many different solutions but they all create havoc with the page. For the moment I have arranged that it allows anyone to log in to the admin page. I am sure there is a simple solution but I am now too confused to find it. I need an uncomplicated snippet of code with instruction on where to insert it on the page. Here's hoping you can help me.

<!doctype html>
<html lang=en>
<head>
<title>The Login page</title>
<meta charset=utf-8>
<link rel="stylesheet" type="text/css" href="includes.css">
</head>
<body>
<div id="container">
<?php include("reg-login-header.php"); ?>
<?php include("nav.php"); ?>
<?php include("info-col.php"); ?>
<div id="content"><!-- Start of the login page content. -->
<?php
// This section processes submissions typed into the included login form.
// Check if the form has been submitted:
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    //connect to database
    require ('mysqli_connect.php');
    // Validate the email address:
    if (!empty($_POST['email'])) {
        $e = mysqli_real_escape_string($dbcon, $_POST['email']);
    } else {
        $e = FALSE;
        echo '<p class="error">You forgot to enter your email address.</p>';
    }
    // Validate the password:
    if (!empty($_POST['psword'])) {
        $p = mysqli_real_escape_string($dbcon, $_POST['psword']);
    } else {
        $p = FALSE;
        echo '<p class="error">You forgot to enter your password.</p>';
    }
    if ($e && $p){//if no problems
        // Retrieve the user_id, first_name and user_level for that email/password combination:
        $q = "SELECT user_id, fname, user_level FROM users WHERE (email='$e' AND psword=SHA1('$p'))";
        $result = mysqli_query ($dbcon, $q) or trigger_error("Query: $q\n<br>MySQL Error: " . mysqli_error($dbcon));// Run the query.
        // Check the result:
        if (@mysqli_num_rows($result) == 1) {//The user input matched the database record
            // Fetch the record and insert the three values in an array
            // Set the session data:
            session_start();
            $_SESSION = mysqli_fetch_array ($result, MYSQLI_ASSOC);
            //I TRIED MANY SOLUTIONS AND INSERTED THEM HERE
            mysqli_free_result($result);
            mysqli_close($dbcon);
            // Redirect the user, temporary solution
            $url = 'admin-page.php';
            ob_end_clean(); // Delete the buffer.
            header("Location: $url");
            exit(); // Quit the script.
        } else { // No match was made.
            echo '<p class="error">The email address and password entered do not match our records.
<br>Perhaps you need to register, just click the Register button on the header menu</p>';
        }
    } else { // If there was a problem.
        echo '<p class="error">Please try again.</p>';
    }
    mysqli_close($dbcon);
} // End of SUBMIT conditional.
?>
<!-- Display the form fields-->
<?php include ('login_page-new.inc.php'); ?>
</div>
</div>
</body>
</html>


First and foremost, after the $_SESSION = mysqli_fetch_array ($result, MYSQLI_ASSOC); line, write the following to ensure that the session array is indeed the structure you are expecting:

echo '<pre>';
print_r($_SESSION);
echo '</pre>';

Once you're sure you have what you want, you can erase the above and replace it with the following:

$_SESSION['user_level'] = (int) $_SESSION['user_level']; // Changes the 1 or 2 user level to an integer.
$url = ($_SESSION['user_level'] === 1) ? 'admin-page.php' : 'member-page.php'; // Ternary operation to set the URL
header('Location: ' . $url); // Makes the actual page jump. Keep in mind that $url is a relative path.
exit(); // Cancels the rest of the script.

Does that get you what you want?


Thank you very much indeed, that worked brilliantly. I was beginning to have dreams about error messages. I may come back to you regarding using sessions to prevent access to the members page and admin page unless the user is logged in.

Best wishes


Thank you for your prompt reply.

Yes the code is already in place, however I apologise for not explaining properly. Imagine that the administrator or a member accesses the appropriate page and then moves away from his desk to get a hotdog. Some mischievous individual could make a note of the URL in the browser address field and then access the page.

I need to learn how to prevent that by invoking the session data on the member's page and on the admin page. The session should somehow stop the mischief maker from accessing the page. Based on my login page, how do I do that?


As I said, you know how to do that:

// session_start() must have been called before either check runs,
// otherwise $_SESSION is empty and every visitor is sent to the login page.

// Place this where the page requires admin level
if ( ! isset($_SESSION['user_level']) or $_SESSION['user_level'] != 1 )
{
  header("Location: login-page.php");
  exit();
}

// Place this where the page requires user level
if ( ! isset($_SESSION['user_level']) or $_SESSION['user_level'] != 2 )
{
  header("Location: login-page.php");
  exit();
}

Just think about what values the session holds. You can of course utilize that in several ways with very, very little logic.
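
The checks discussed in this thread, gathered into one include with an idle timeout for the unattended-desk case; this is an added example, not code from any of the posts. The file name auth-guard.php, the function names, the last_seen session key and the 15-minute limit are assumptions, while the page names are the ones used in the thread.

```php
<?php
// auth-guard.php (hypothetical include; added example, not code from the thread).
// Assumes the login script stored user_id, fname and user_level in $_SESSION.
// After a successful match the login script would also need:
//   session_regenerate_id(true);          // fresh session id for the logged-in user
//   $_SESSION['last_seen'] = time();      // assumed key, read by session_allows()
//   header('Location: ' . landing_page((int) $_SESSION['user_level']));

const IDLE_LIMIT = 900; // assumed idle timeout in seconds (15 minutes)

// Map a user level to its landing page; unknown levels go back to the login form.
function landing_page(int $level): string
{
    $pages = [1 => 'admin-page.php', 2 => 'member-page.php'];
    return $pages[$level] ?? 'login-page.php';
}

// Pure decision: may a session holding $session view a page that needs $required?
function session_allows(array $session, int $required, int $now): bool
{
    if (!isset($session['user_id'], $session['user_level'])) {
        return false;                       // nobody is logged in
    }
    if ($now - (int) ($session['last_seen'] ?? 0) > IDLE_LIMIT) {
        return false;                       // session left idle for too long
    }
    return (int) $session['user_level'] === $required;
}

// Call at the very top of a protected page, before any output is sent.
function require_level(int $required): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!session_allows($_SESSION, $required, time())) {
        $_SESSION = [];                     // drop missing, stale or insufficient data
        session_destroy();
        header('Location: login-page.php');
        exit();
    }
    $_SESSION['last_seen'] = time();        // sliding idle window
}
```

With this file in place, admin-page.php would start with `require 'auth-guard.php'; require_level(1);` and member-page.php with `require_level(2);`.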
