How to Restrict Access to a Page with PHP if statement - php

I have a PHP project with user account status in the database. It contains statuses such as active, inactive, suspended etc. I need an if statement in the index page that can restrict access to a particular page or link if the account is set to inactive.
Your response is greatly appreciated. Thank you in advance.

If you wanted to prevent links to certain pages from showing to users that didn't have a status of active, you might do something like this:
<!-- Non active state links -->
About us
Contact us
<!-- Active state only link -->
<?php
if($user->status === 'active'){
echo 'My Account';
}
?>
Then on each of the restricted pages themselves, you might do something like this:
<?php
if($user->status !== 'active'){
echo "Forbidden!";
die();
}
// The rest of your code here
?>
To prevent access to a particular page, you need the logic to be present on that page; you can't control who can access what solely from the index page.

I suppose you are using Native PHP:
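In the file which contains the code you want to restrict:
<?php
if(!$myUser->isActive){ // User is not active
// Placeholder name: the page to redirect to when the account is not active
header('Location: not-active.php');
exit; // stop here so the restricted code below never runs
}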
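The per-page check described in the answers above can be packaged as a single guard that every restricted page calls first. This is an added example, not code from the original answers: the `users` table with `id` and `status` columns, the session key `user`, and the in-memory SQLite sample data are assumptions. It re-reads the status on every request, so an account that is suspended after login is denied on its next page load.

```php
<?php
declare(strict_types=1);

// Added example. Assumed names: table `users` (id, status), session key 'user'.

/** True only when the account exists and its status is exactly 'active'. */
function is_active_user(PDO $db, ?int $userId): bool
{
    if ($userId === null) {
        return false; // nobody is logged in
    }
    $stmt = $db->prepare('SELECT status FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    // fetchColumn() returns false for an unknown id, so anything that is not
    // literally 'active' (inactive, suspended, missing row) is denied.
    return $stmt->fetchColumn() === 'active';
}

/** Call at the top of every restricted page, before any output is sent. */
function require_active_user(PDO $db): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $userId = isset($_SESSION['user']) ? (int) $_SESSION['user'] : null;
    if (!is_active_user($db, $userId)) {
        http_response_code(403);
        echo 'Forbidden!';
        exit; // nothing below this call may run for a denied user
    }
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite),
// so the decision logic can be run from the command line.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, status TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'active'), (2, 'inactive'), (3, 'suspended')");

foreach ([1, 2, 3, 99, null] as $id) {
    printf("%-4s => %s\n", $id ?? 'none', is_active_user($db, $id) ? 'allow' : 'deny');
}
```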

Related

How to remain on page after login & log out

How do I create the below PHP so that the user stays on the index page after logging in? It seems it will direct the user to logonProcess.php after clicking the submit button.
I'm also trying to find out how the logout button will appear after the user logs in successfully. The logout will also need to work the same as login, which will stay on the same page.
I have read that AJAX was one way but I have not yet read or understood AJAX. I'm still trying to learn the PHP portion first.
Index.php
<?php
ini_set("session.save_path", "sessionData");
session_start();
?>
<?php if (!isset($_SESSION['uName'])) { ?>
<form method="post" action="logonProcess.php">
<div>Username <input type="text" name="userName" placeholder="Username"></div>
<div>Password <input type="password" name="pwd" placeholder="Password"></div>
<div><input type="submit" value="Logon"></div>
</form>
<?php } else { }?>
<?php if (isset($_SESSION['uName'])) {
$username = $_SESSION['uName'];
echo "<p>Welcome $username</p>\n";
?>
Logout
<?php } else { }?>
Logout.php
<?php
session_start();
if(session_destroy()) // Destroying All Sessions
{
header("Location: index.php"); // Redirecting To Home Page
}
?>
At the end of your logonProcess.php file:
header('Location: index.php');
If you login from different pages use the $_SERVER['HTTP_REFERER'] variable.
header('Location: ' . $_SERVER['HTTP_REFERER']);
If you want to redirect somewhere after a certain script has been executed you could of course always use PHP's header() function, which allows you to specify a Location, which would look like this:
header('Location: index.php');
After that your part two of the question is "How do I remove the logout button when the user login successfully?" I think with login you must mean logout since you'll want to be able to actually logout once logged in.
To do this you check whether or not a $_SESSION
A $_SESSION in PHP is simply an array containing values that are remembered across page reloads so as you can imagine - it is a very good place to store your user ID.
The reason that usually just an ID is saved is so that while a hacker might still be able to compromise your users' cookie he / she will not be able to see any data he / she shouldn't have like a password, email address, phone number etcetera so all damage done will be on the website itself, not the user's personal life ^.^
When you create a $_SESSION in PHP you simply set it in your logonProcess.php file after all the authentication checks for the user passed.
This would look something like this (semi-pseudo code)
if ($user_verified_in_db) {
$_SESSION['user'] = $user['ID']; // note - none of this will probably exist yet in your script, DON'T use it, it's an EXAMPLE.
header('Location: index.php');
}
The above snippet should be placed somewhere appropriate in the logonProcess.php file so that the session will be set.
Now in HTML you'll have a link somewhere, right?
Logout
Imagine that is your link being displayed somewhere on the page, now what you want to do is check if the $_SESSION['user'] is set using isset().
Your code would look something like this:
<?php if (isset($_SESSION['user'])) { ?>
Logout
<?php } ?>
This will check if the session is set or not; if it isn't set it won't display the link, if it is it will, since you'll need an option to logout.
NOTE: this is pseudo code - you still have to build this construction using your variables and your login script, my tiny piece of code doesn't do anything for you at that except show you an example of how this is commonly handled.
Good luck!
EDIT (5-11-2015)
As per the comment of the OP,
If you want to hide items in general, like the logout link example above, all you have to do is wrap the divs you want to hide in the if statement.
e.g.
<?php if (isset($_SESSION['user'])) { ?>
<!-- this can be any HTML element showing stuff for logged in users. -->
<?php } ?>
When you wrap elements within this if statement - if you check the expression: isset($_SESSION['user']) - it will evaluate to true if $_SESSION['user'] is set, which you do in your login script.
You can keep reusing this check whenever and wherever you need to show / hide elements from the user.
If you put a ! (exclamation mark) in front of the expression so that it turns out like this: !isset($_SESSION['user']), you reverse the process, so if you have the following statement
<?php if (isset($_SESSION['user'])) { ?>
<!-- everything here is shown when user is logged in -->
<?php } else { ?>
<!-- everything here is shown when user is logged out -->
<?php } ?>
This is the positive if check, checking if your user is logged in or not. You can decide to put in the else for what to do when the user isn't logged in, but you can also modify the expression slightly to reverse or invert the situation, e.g.
<?php if (!isset($_SESSION['user'])) { ?>
<!-- everything here is shown when user is logged out -->
<?php } else { ?>
<!-- everything here is shown when user is logged in -->
<?php } ?>
for instance. This will allow you to gain control over what users see on your webpages, use them whenever you need to show or hide something.
Also note that the else clause is, of course, optional and doesn't have to be included; you can use the ! example without the else as well as the one without the exclamation mark.
You can put this code at the end of the PHP file logonprocess.php too.
echo "<script>window.location='index.php'</script>";
You will have to add the echo "<script>window.location='index.php'</script>"; to an if/else statement within your logonProcess.php so that once they "submit" the information it processes and redirects to index.php.

set display by role programmatically in Drupal 7

I want to display this text link, <p>Click here to register.</p> in the body of a larger block of text on a page, but I want the link to show up when someone is logged in. I want to use a PHP conditional to show this other link when someone is instead anonymous on the site,
<p>You need to login before you can register. Please Click here to login.</p>
I want a code like:
<?php
if user=="logged-in";
echo "<a href ='register'>Click here to register.</a>";
else echo "<a href ='login'>Click here to login.</a>"
?>
I know I must not have written perfect php but I do not have problems with the php, what I need is the Drupal syntax for if user == "logged-in" and if user == "not-logged-in".
I do not want to use a block and start setting visibility by role. I want to use code as described.
Thanks.
See the docs
You want something like this. Both of your link descriptions need some work though. What you'd most likely want to do is display both the register and the login link to anonymous users.
<?php
if (user_is_logged_in()){
//user is logged in
}
else{
//user is not logged in
}
?>

Wordpress PHP back to search results

I'm trying to create a 'Back To Search Results' link in order to go back to the previous page.
Basically you can perform a search, and afterwards go into a single-post page. In this page I'd like to create the link.
I tried :
<?php
$url = htmlspecialchars($_SERVER['HTTP_REFERER']);
echo "<a href='$url'>back</a>";
?>
But it only sends you back to the previous page (let's say someone got to the website from Google... then it would take him back to Google I suppose.)
Any ideas?
Thanks!
'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
Source: http://www.php.net/manual/en/reserved.variables.server.php
So you should think of another way to re-create the URL. Try to send the URL as a POST variable with the Search you are performing. Then you can simply read it from $_POST.
At the end I managed to do it with a $_SESSION variable:
On the page that loads after clicking search (usually archive.php or similar) I added this code before the footer:
<?php
if (isset($_SERVER["REQUEST_URI"])) {
$_SESSION['url'] = $_SERVER["REQUEST_URI"];
}
?>
Then, I added to the single page the code below:
<div class="back-to-search">
<?php if (isset($_SESSION['url'])) : ?>
Back To Search
<?php else: ?>
Back To Search
<?php endif;?>
</div>
So basically if the $_SESSION is set from the search results, it takes you back to the results. If not (for example if you arrived directly from Google etc.), the link will redirect to the homepage (where all the listings appear by default).
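Because the Referer header is supplied by the client, any return address taken from it (or from a POST field or a stored value) should be reduced to a path on the same site before it reaches `header('Location: ...')` or an `href`. The following is an added example, not code from the answers on this page; `local_return_path()` and the host `blog.example` are hypothetical names, and the inputs are constructed.

```php
<?php
declare(strict_types=1);
// Added example. local_return_path() and the host 'blog.example' are hypothetical.

// Reduce a client-supplied return URL (Referer header, POST field, stored value)
// to a path on this site, or return $fallback when it points anywhere else.
function local_return_path(?string $url, string $siteHost, string $fallback = '/'): string
{
    // Empty input, whitespace/control characters (header injection) and
    // backslashes (which browsers may treat as '/') are refused outright.
    if ($url === null || $url === '' || preg_match('/[\x00-\x20\x7F\\\\]/', $url)) {
        return $fallback;
    }
    $p = parse_url($url);
    if ($p === false || isset($p['user']) || isset($p['pass'])) {
        return $fallback;
    }
    if (isset($p['scheme']) || isset($p['host'])) {
        // Absolute or protocol-relative URL: accept only http(s) to our own host.
        $schemeOk = in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true);
        $hostOk = isset($p['host']) && strcasecmp($p['host'], $siteHost) === 0;
        if (!$schemeOk || !$hostOk) {
            return $fallback;
        }
    }
    $path = $p['path'] ?? '/';
    if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//') {
        return $fallback;
    }
    // Only path and query are returned, so the redirect can never leave the site.
    return $path . (isset($p['query']) ? '?' . $p['query'] : '');
}

// Constructed inputs: two legitimate values and several that must fall back to '/'.
$samples = [
    '/?s=firewall&paged=2',
    'https://blog.example/?s=firewall',
    'https://www.google.com/search?q=firewall',
    '//other-site.example/login',
    'javascript:alert(1)',
    "/ok\r\nSet-Cookie: a=b",
    null,
];
foreach ($samples as $s) {
    $target = local_return_path($s, 'blog.example');
    echo json_encode($s), ' => ', htmlspecialchars($target, ENT_QUOTES), "\n";
}
```

For a redirect, pass the result to `header('Location: ' . $target)` followed by `exit`; for a link, echo it through `htmlspecialchars()` as the loop does.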

Show different content before and after logged in

I want to show different div with different contents in different condition.
If customer is logged in, then show content A,
If customer is not logged in, then show content B,
This is the script I have, not sure it is correct or not.
<?php if (!$logged) {
$disp_div=1;
} else {
$disp_div=0;
} ?>
This is the jQuery
<script type="text/javascript" >
$(document).ready(function(){
var show=<?php echo $disp_div; ?>
if(show==1)
{
$('#div_logged_in').show();
$('#div_not_logged_in').hide();
}
else if(show==0)
{
$('#div_logged_in').hide();
$('#div_not_logged_in').show();
}
});
</script>
This is the HTML
<div id="div_logged_in">
Content A
</div>
<div id="div_not_logged_in">
Content B
</div>
A: Why !$logged is wrong:
You use a local variable. Next time your user refreshes the page he won't be logged in anymore. For that you can store variables in an array called $_SESSION. This array is saved for a client session on your webserver. As long as the user stays there it will always remain the same (until YOU change it). For that you need a session_start(); in the first line of your main PHP script.
B: Why the javascript part is a security leak:
Your website is designed not to filter the content that is sent to the user. Every user gets the whole content, just the visibility is changed. In this way every advanced user can just look into your code and see all the secrets you want to hide.
C: What is the right way?
It's just some PHP that echoes HTML without Javascript and uses $_SESSION:
<?php
if(isset($_SESSION["loggedIn"]) && $_SESSION["loggedIn"] == "yes") { // You have to set that somewhere else, just like $logged
?>
<p> You ARE logged in. </p>
<?php } else { ?>
<p> You ARE NOT logged in. </p>
<?php
}
?>
I don't know what is $logged. If it is the variable to find whether the user is logged in, then your condition is just opposite of your requirement. You are showing div_logged_in when the user is not logged in from this condition.
if(show==1)
{
$('#div_logged_in').show();
$('#div_not_logged_in').hide();
}
The value of show will be 1 when $logged is false. So change the condition and you will get it. In this scenario, I would suggest you go with SESSIONS. You can use them anywhere to check whether the user is logged in or not.
First off, you need to start reading about sessions and the $_SESSION superglobal.
After that, throw that script away, and look for a proper tutorial, I found a very nice one here: http://net.tutsplus.com/tutorials/php/a-better-login-system/ - though it may be a bit advanced since it talks about ACL, which you probably won't need.
But if you can try and understand the rest of the tutorial, you should be fine. Good luck!
Please do not depend on client-side validation because it's a security flaw within your application. What if the customer viewed the source code for your page? Then they see hidden contents.
Your approach is correct but you have to use $_SESSION or $_COOKIE, not if (!$logged), and as I said, do not output the content totally.
Use
if($_SESSION["username"])
You can set it in the login.php file
and destroy it by using session_destroy() in logout.php.

Display Admin Link On Every Page

My question is about how do I place a link on the side of every page that leads to the admin page once someone has logged on to my application successfully? I have a sample site I just built, and I would like a link to the admin page available in the navigation column to the right of the page which is displayed site-wide. But if the person is not logged in, they don't see the link, but will continue to see the usual links.
My background is totally different from web development, so forgive my stupid question.
I'm using PHP and MySQL for the application.
Without seeing how you display your menu or what key is used for the session, I'll assume some things:
<?php
session_start();
// do your login stuff and set session as logged in
$_SESSION['logged_in'] = true;
?>
Then in your menu or how ever you display it:
<?php
//navigation column
if(isset($_SESSION['logged_in']) && $_SESSION['logged_in']===true){echo 'Admin';}
//navigation column continue with rest of links
?>
Or the ternary operator assign link to a variable
<?php
$adminLink = (isset($_SESSION['logged_in']) && $_SESSION['logged_in']===true)?'Admin':'';
echo $adminLink;
?>
You should use a session variable to track the user's session and see if they are logged in.
if(isset($_SESSION['id'])) echo 'Admin Area';
