i am making a code where the system checks if you are an 'Admin' or a 'SuperAdmin'.
i cant seem to make it loop everything to check if 'SuperAdmin' is in the 'user_type'
$sql = "SELECT * from users";
$result = mysqli_query($con,$sql);
while ($row2 = mysqli_fetch_array($result)) {
if ($row2['user_type'] != "SuperAdmin") {
echo "<script>window.alert('You do not have administrative
priviledges for this page!');
location.href='../admin_page.php';</script>";
} else {
}
}
window.alert("You do not have administrative priviledges for this page!"); location.href="../admin_page.php";';
} else {
}
?>
I believe you want to check if the current use is an "Admin" or a "SuperAdmin". In that case, you need to get the row for the current user using the UserID that you get after authenticating the user. Change your query and php code to something like:
$UserId = 111; //This is the user id from database you get on authenticating the user: e.g. 111.
$sql = "SELECT * from users WHERE UserId = ". $UserId;
$result = mysqli_query($con,$sql); //This should retrieve a single row, with details for the specific user.
while ($row2 = mysqli_fetch_array($result)) {
if !(($row2['user_type'] == "SuperAdmin")||($row2['user_type'] == "Admin")){
echo "<script>window.alert('You do not have administrative
priviledges for this page!');
location.href='../admin_page.php';</script>";
} else {
//Code to be executed if the user is an admin or a super admin
}
}
Related
I have a snippets of login page php code as shown below which verify the username/password from the control_panel table.
My login application below allows only specific users (present in control_panel table) to login.
if (isset($_POST['user_name'], $_POST['user_pass']) && $_POST['user_login'] == 1) {
if ($user_from_db && password_verify($password, $user_from_db->user_pass)) {
$sql = "SELECT * FROM trace_users";
if($result = mysqli_query($connect, $sql)){
if(mysqli_num_rows($result) > 0){
while($row = mysqli_fetch_array($result)){
if($row['open'] == "true") {
echo "user " . $row['user_name'] . " is logged in so you cannot login";
break;
}
}
} else{
echo "No records matching your query were found.";
}
}
$_SESSION['pageadmin'] = true;
$_SESSION['user_name'] = $username;
$open="true";
$stmt= $connect->prepare("UPDATE trace_users SET open=? WHERE user_name=?");
$stmt->bind_param('ss', $open, $_SESSION['user_name']);
$stmt->execute();
} else {
echo "Invalid Login Credentials.";
}
}
Although php allows concurrent login from different users at the same time, what I am trying to achieve is when one user is logged in (lets say userA) and if any other user (lets say userB) tries to login at the same time then message should be displayed that userA is logged in so you cannot login.
I am currently using two tables for the code above.
1. One table control_panel has all the list of usernames/passwords (passwords are in encrypted format).
2. The other table trace_users (screenshot is shown below)
keeps the tracks of logged in users. If any user is logged in then the column open will show true otherwise it will show false.
Problem Statement:
I am wondering what changes I should make in the php code above so that it allows only one user to login the php application at the same time.
This is what I have tried but I think more need to be done:
$sql = "SELECT * FROM trace_users";
if($result = mysqli_query($connect, $sql)){
if(mysqli_num_rows($result) > 0){
while($row = mysqli_fetch_array($result)){
if($row['open'] == "true") {
echo "user " . $row['user_name'] . " is logged in so you cannot login";
break;
}
}
} else{
echo "No records matching your query were found.";
}
}
I have problem in little project,
how can I save table data in session?
<?php
session_start();
include 'connect.php';
if (isset($_POST["email"]))
{
$email = $_POST["email"];
$password = $_POST["password"];
$r=mysql_query("SELECT * FROM user_login WHERE `uemail` ='".$email."' AND `upass` = '".$password."'");
$s = $_POST["userid"];
$n=mysql_query("SELECT * FROM user_data WHERE `userid` ='".$s."'");
$q=mysql_fetch_assoc($n);
$_SESSION["name"]=$q["nfname"];
$k=mysql_num_rows($r);
if ($k>0)
{
header("location:user/index.php");
}
else
header("location:login.php");
}
?>
this code not working !! :(
please help !
You probably just missed the
session_start();
But here is the dildo (deal tho) xD
Your Login script is not secure, try this at the top of your index.php or whatever rootfile you have.
<?php
session_start();
function _login($email, $password) {
$sql = "SELECT * FROM user_login
WHERE MD5(uemail) ='".md5(mysql_real_escape_string($email))."'
AND MD5(upass) = '".md5(mysql_real_escape_string($password))."'";
$qry = mysql_query($sql);
if(mysql_num_rows($qry) > 0) {
// user with that login found!
$sql = "UPDATE user_login SET uip = '".$_SERVER['REMOTE_ADDR']."', usession = '".session_id()."'";
mysql_query($sql);
return true;
} else {
return false;
}
}
function _loginCheck() {
$sql = "SELECT * FROM user_login WHERE uip = '".$_SERVER['REMOTE_ADDR']."' AND MD5(usession) = '".md5(session_id())."'";
$qry = mysql_query($sql);
if(mysql_num_rows($qry) > 0) {
// user is logged in
$GLOBALS['user'] = mysql_fetch_object($qry);
$GLOBALS['user']->login = true;
} else {
// user is not logged in
$GLOBALS['user'] = (object) array('login' => false);
}
}
if(isset($_POST['login'])) {
if(_login($_POST["email"], $_POST["password"])) {
// login was successfull
} else {
// login failed
}
}
_loginCheck(); // checkes every Page, if the user is logged in or if not
if($GLOBALS['user']->login === true) {
// this user is logged in :D
}
?>
Ok, I'll bite. First 13ruce1337, and Marc B are right. There is a lot more wrong with this than not being able to get your data into your session.
Using PDO ( as 13ruce1337 links you too ) is a must. If you want to keep using the same style of mysql functions start reading up on how. Marc B points out that session_start(); before any html output is required for sessions to work.
As for your code, you got along ways to go before it is ready for use but here is an example to get you started
if (isset($_POST["email"])) {
//mysql_ functions are being deprecated you can instead use
//mysqli_ functions read up at http://se1.php.net/mysqli
/* Manage your post data. Clean it up, etc dont just use $_POST data */
foreach($_POST as $key =>$val) {
$$key = mysqli_real_escape_string($link,$val);
/* ... filter your data ... */
}
if ($_POST["select"] == "user"){
$r = mysqli_query($link,"SELECT * FROM user_login WHERE `uemail` ='$email' AND `upass` = '$password'");
/* you probably meant to do something with this query? so do it*/
$n = mysqli_query($link,"SELECT * FROM user_data WHERE userid ='$userid'");
//$r=mysql_fetch_assoc($n); <- this overrides your user_login query
$t = mysqli_fetch_array($n);
$_SESSION["name"] = $t['nfname'];
/* ... whatever else you have going on */
I am trying to make permission page thy will check if user have full access than some option allow to this person.I have table named users there i have 5 columns name user_id , username , password , email , permission
respectively .so now i am showing what i have done.
permissions.php
<?php
include('db.php');
$result=mysql_query("SELECT permission,user_id FROM users");
while($test = mysql_fetch_array($result))
{
$test['user_id'];
$test['permission'];
}
?>
For example mysql result on first row: $test['user_id'] = 1 and $test['permission'] = full .
Session result: $_SESSION['user_name'] = admin
So how can i check if this user id have permission full than do some think.
I am new on php sorry for my bad explanation.
<?php
include('db.php');
$result = mysql_query("SELECT permission,user_id FROM users WHERE username = '$_SESSION[user_name]'");
if(mysql_num_rows($result)){
$data = mysql_fetch_row($result); // fetch first row of result, we don't need a loop, as username should be unique
$permission = $data['permision'];
$user_id = $data['user_id'];
}else{
echo "Username not found.";
}
?>
if user have full permission, store in session full permission
while($test = mysql_fetch_array($result))
{
$_SESSION['permission'] = $test['permission'];
}
check if user have full permission
if($_SESSION['permission'] == full){
//do shomething
}
<?php
include('db.php'); // though you should look in to "PDO"
// default permission--disallowed
$allowed = false;
// get the permission for the current user (based on the username within
// your session variable). also make sure to sanitize anything that's being
// placed within a query to the database.
$query = sprintf("SELECT permission "
."FROM users "
."WHERE username = '%s'",
mysql_real_escape_string($_SESSION['user_name']));
$result = mysql_query($query);
while (($test = mysql_fetch_array($result)) !== false){
// we found the username, now check their access
$allowed = $test['permission'] == 'full';
}
// if ($allowed){
// super secret area
// } else {
// get out of here
// }
I have the following function which retrives the currently logged in users' username and finds out their access level from the database (either 'requested','user', or 'admin')
function fetchAccess()
{
global $con;
$username = $_SESSION['username'];
$q = "SELECT access FROM users WHERE username = '$username' LIMIT 1";
$result = mysql_query($q, $con);
$row = mysql_fetch_assoc($result);
$access = $row['access'];
if(isset($_SESSION['username']))
{
if($access == 'user')
{
return 1; // Returns 1 if access level is user
}
elseif($access == 'admin')
{
return 2; // Returns 2 if access level is admin
}
elseif($access == 'requested')
{
return 3; // Returns 3 if access level is requested
}
}
}
When I am checking whether the user is an admin using the follow code, this works correctly.
/* Redirects user if access level does not equal admin */
$result = fetchAccess();
if($result != 2)
{
header("location:index.php");
}
However when I check to see whether the access is 'requested' - this following is NOT working correctly.
<?php
/* Redirects user if access level does is 'requested' */
$result = fetchAccess();
if($result == 3)
{
header("location:redirect.php");
}
?>
Does anyone know why this is?
You can do this:
function fetchAccess()
{
global $con;
$username = $_SESSION['username'];
$q = "SELECT access FROM users WHERE username = '$username' LIMIT 1";
$result = mysql_query($q, $con);
$row = mysql_fetch_assoc($result);
global $access
$access = $row['access'];
}
then:
global $access
if($access != admin){
header("location:redirect.php");
}
Have you verified that $result actually equal to 3? it may very well be that in the first instance $result == "" which is != 2 so it is not working at all. Try debugging it by including a header like:
<?php
$result = fetchAccess();
header("X-my-result: [$result]");
if ( $result == 3 ) {
header("Location: redirect.php");
}
?>
and see what you get back for value of $result in the headers.
do an echo statement to see what is return in the $result variable. btw, i'm not sure if your logic in your first redirect statement is to encompass both 'user' and 'requested', but those users will be redirected to index.php
When a user registers, the script sends an email to verify his account. Clicking on the link, the script gets the token
$token = mysql_real_escape_string($_GET["token"]);
and what I thought to do is
if($token != '') {
mysql_query("UPDATE members SET verified = '' WHERE verified = '$token'");
}
or
if($token != '') {
$result = mysql_query("UPDATE members SET verified = '' WHERE verified = '$token'");
if($result) { }
else { }
}
What is my purpose is to echo a success or failed message on the user. When it will be success then the verified will be empty.
What is the appropriate way of doing this with my examples above?
Should I check if there is the token in the DB before updating it?
Thank you.
Your current method updates a record if it exists but does not take into account that which does not exist or match. You should run something similar to:
if($token != '') {
$result = mysql_query("SELECT COUNT(*) FROM members WHERE verified = '$token'");
while($row = mysql_fetch_row($result)) {
$records = $row[0];
}
if($records == 0) { echo 'no results'; }
elseif($records ==1) { echo 'you matched'; then update the record. }
}
edit
changed BACK to the while loop, wasn't thinking of the count returning 0 rows