I'm trying to restrict users from accessing a page if their rank isn't manager or admin. I made a variable called $rank which is the rank that is fetched from the user's table in my database. When I echo the rank on the page, the rank does equal to manager or admin but it redirects me to the index page because it somehow doesn't equal manager or admin. When I try using this code:
if(!isset($_SESSION['userID'])) {
header("Location: index.php");
} else if ($rank == "manager" OR $rank == "admin") {
} else {
header("Location: index.php");
}
it does work but I feel like that's the wrong way of doing it. This is the code that I'm using now and isn't working:
$tUsers_Select = "SELECT users.rank, ranks.rank_name FROM users LEFT JOIN ranks ON users.rank = ranks.rank_name WHERE user_id = ".$_SESSION['userID'];
$tUsers_Select_Query = mysqli_query($dbConnect, $tUsers_Select);
$fetch = mysqli_fetch_array($tUsers_Select_Query);
$rank = $fetch['rank'];
if(!isset($_SESSION['userID'])) {
header("Location: index.php");
} else if ($rank !== "manager" OR $rank !== "admin") {
header("Location: index.php");
}
Hopefully you understood. Please comment if you have any questions.
This is just a logic problem.
else if ($rank !== "manager" OR $rank !== "admin") {
If rank is manager, then it does not equal admin. If it is admin, then it does not equal manager. So no matter what happens you redirect to index.php.
Change OR to AND.
First of all, I want to ask you if the session_start() opened before you used the $_SESSION?
Then I suggest you to var_dump the $_SESSION['userID']) ,see if this virable is null.
Update:
I am not sure about your problem, and you can try this:
change the blow code :
if(!isset($_SESSION['userID'])) {
header("Location: index.php");
} else if ($rank !== "manager" OR $rank !== "admin") {
header("Location: index.php");
}
to:
if(isset($_SESSION['userID']) AND ($rank == 'manager' OR $rank == 'admin')) {
header("Location: index.php");
}
I think that can make your code simple.
Related
Using PHP I am trying to check whether the user is an admin or a normal user. If they are a normal user then it should redirect them to home.php. However if they are an admin then it should redirect them to admin.php. When entering in the username and password of a standard user it sends me to home.php which is what is expected. However whenever I use an admin login it does not direct me to admin.php. Instead it redirects me to authentication.php which is the script that checks if the username and password are correct.
I have tried 2 different blocks of code, the first one did not work at all as it came up with syntax errors. However this one should work fine but it does not. I have also checked if the correct numbers are being stored within the database. 1 being a standard user and 2 being for an admin. I have printed the admin level on my profile page so I know that it is storing the data properly.
if (isset($_SESSION['admin'])) {
if ($_SESSION['admin'] === "2") {
header('Location: admin.php');
} else {
header('Location: home.php');
}
} else {
header('Location: home.php');
}
I expect that when an admin logs in it should direct me to admin.php, however I am just being directed to a blank screen of authentication.php.
Your code is accurate. Forexample
<?php
$_SESSION['admin'] = "2";
if (isset($_SESSION['admin'])) {
if ($_SESSION['admin'] === "2") {
header('Location: admin.php');
} else {
header('Location: home.php');
}
} else {
header('Location: home.php');
}
?>
If you run this on localhost it redirects to admin.php page properly. as you are using === so you have to make sure your datatype is matched.
for example:
<?php
$a = "1";
if ($a === 1) {
echo "not ok";
}
if ($a == 1) {
echo "ok";
}
if ($a === "1") {
echo "This time ok";
}
if ($a == "1") {
echo "it's also ok";
}
?>
First echo doesnt show as if cant matched datatype. so i suggest you to change === to == and see. hopefully it will solve your problem
<?php
if (isset($_SESSION['admin'])) {
if ($_SESSION['admin'] == "2") {
header('Location: admin.php');
exit();
} else {
header('Location: home.php');
exit();
}
} else {
header('Location: home.php');
exit();
}
?>
You can return the link page from the php script like below:
if (isset($_SESSION['admin'])) {
$data['admin_page_link'] = 'admin.php';
echo json_encode($data);
}else {
$data['home_page_link'] = 'home.php';
echo json_encode($data);
}
Then just call it in javascript ajax call to redirect to the desired page:
if (response.user === 'admin') {
window.location.href = response.admin_page_link;
} else {
window.location.href = response.home_page_link;;
}
In the above code you may check by using the full web address of php file like: http://localhost/admin.php
I have a table for users in my MySQL database with a tinyint value (0 or 1) which I use to determinate the category of the user.
So, at my login.php, I get the value (stored as 'admin'):
$query = $db->query("SELECT ..., admin FROM users WHERE email='$mail'");
$row = $query->fetch_array();
$isadmin = intval($row['admin']);
Then I assign the session:
if (password_verify($pwd, $row['password']) && $count==1){
if($isadmin==1) {
$_SESSION['admin_session'] = $row['userid'];
header("location: adminpanel.php");
} else {
$_SESSION['user_session'] = $row['userid'];
header("location: adminpanel.php");
}
}
And when it comes to check the session, I do this:
if (isset($_SESSION['user_session'])){
header("location: adminpanel.php");
exit;
} else if(isset($_SESSION['admin_session'])){
header("location: adminpanel.php");
exit;
}
But... It's not working. The page doesn't load and it shows a browser error message saying there are too many redirections being made. How can I do this?
I know both sessions are heading to the same "adminpanel.php". What I'm trying to do is both can access but once they're logged, depending on its category (whether they're admin or not), they'll be able to do certain stuff.
I would suggest simplifying the process and just keeping a User in the session with a flag telling you if they are an admin or not.
$query = $db->query("SELECT ..., admin FROM users WHERE email='$mail'");
$row = $query->fetch_array();
if (password_verify($pwd, $row['password'])){
$_SESSION['user'] = $row['userid'];
$_SESSION['isadmin'] = $row['admin'] == 1 ? true : false;
}
And when it comes to check the session, I do this:
if (isset($_SESSION['isadmin']) && $_SESSION['isadmin']){
header("location: adminpanel.php");
exit;
} else
// NOTE you had this redirecting exactly as above to adminpanel
header("location: userpanel.php");
exit;
}
Try to add ob_start(); on the top of your php script. I think it's because of your using header function many times.
I searched but I can't find solution for me.
I have login.php file which redirect user to another page in my case theme.php?id=".$row['log_name'].".
<?php
include ('conn.php');
//Uzivatelsky vstup
$log_meno = mysqli_real_escape_string ($Conn, $_POST['login_name']);
$cmp_heslo = sha1($_POST['login_password']);
$sql = "SELECT id, cmp_heslo, log_meno FROM firmy WHERE log_meno='$log_meno'";
$result = mysqli_query($Conn, $sql);
if (mysqli_num_rows($result) > 0) {
while($row=mysqli_fetch_assoc($result)) {
if ($cmp_heslo == $row[cmp_heslo])
{
session_start();
$_SESSION['logged'] = 'yes';
echo "<script language='javascript'>window.location='comp_page/theme.php?id=".$row['log_name']."';</script>";
}
else
{
echo "<script language='javascript'>window.location='bad_login.php';</script>";
}
}
} else {
echo "0 results";
}
mysqli_close($Conn);
?>
theme.php
<?php
session_start();
if($_SESSION['logged'] != 'yes' )
die("You have to sign in first!");
?>
In MySQL I have two users
kuki with pass kuki
cuki with pass cuki
My question is when I am signed in as kuki I have in address bar:
http://localhost/comp_page/theme.php?id=kuki
But I need when I rewrite in address bar kuki to cuki to change to access denied becuase now only address bar changed but page is same. I am new to PHP.
Aside from having this in your session
$_SESSION['logged'] = 'yes';
I suggest you need to add also something like this,
$_SESSION['id'] = $row['log_name'];
and in your theme.php
session_start();
if($_SESSION['logged'] != 'yes' ) {
die("You have to sign in first!");
} else {
if ($_SESSION['id'] == $_GET['id']) {
// do somthing
} else {
echo "Access Denied!";
}
}
having this URL
http://localhost/comp_page/theme.php?id=kuki
meaning you are sending data, the id to the server with the get method. This $_GET['id'] catch that data and will have a value either kuki or cuki from the URI theme.php?id=kuki or theme.php?id=cuki.
This condition if ($_SESSION['id'] == $_GET['id']) will determine if the value of id is the same with the user store in the session.
I am using the following code to log users in to a series of secure pages - I need to have each user redirected to an appropriate page once submitted, I'm wondering what steps I need to take to single out the three login levels (admin,special,user):
if(isset($_SESSION['username'])){
function check_login($level) {
$username_s = mysql_real_escape_string($_SESSION['username']);
$sql = "SELECT user_level, restricted FROM login_users WHERE username = '$username_s'";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
$user_level = $row['user_level'];
$restricted = $row['restricted'];
$sql = "SELECT level_disabled FROM login_levels WHERE level_level = '$user_level'";
$result = mysql_query($sql);
$row2 = mysql_fetch_array($result);
$disabled = $row['level_disabled'];
if($disabled != 0) { include('disabled.php'); exit();
} elseif($restricted != 0) { include('disabled.php'); exit();
} elseif($user_level <= $level) { // User has authority to view this page.
} else { include('user_level.php'); exit();
}
}
} else {
function check_login($level) { exit(); }
include('login.inc.php'); exit();
I would store the login level in a $_SESSION variable and then redirect the user based on that as you'll want to keep track of that login level from page to page. To redirect them, use header() with a Location: string.
For ex:
if ($_SESSION['log_level'] == 'admin') {
header("Location: admin.php");
} else if ($_SESSION['log_level'] == 'editor') {
header("Location: editor.php");
} else if ($_SESSION['log_level'] == 'author') {
header("Location: author.php");
}
I'd move those function calls out of the if statement and keep it somewhere else...
One approach could be declaring the different levels you like in an array: $levels = array('admin' => '/admin/url', 'special' => '/special/url', 'guest' => '/guest/url'); and iterate through the list or see if the key exists ...
Using switch is another approach ...
if (isset($_SESSION['login_level'])) {
switch ($_SESSION['login_level']) {
case 'admin':
header('Location: /admin/url');
break;
case 'special':
header('Location: /special/url');
break;
case 'guest':
header('Location: /guest/url');
break;
default:
do_login();
break;
}
} else {
do_login();
}
function do_login() {
// do something
}
so im given 3 variables on my login page from an outside source, if one of those do not belong in the database I want it to just go to the normal login.php page. as of right now it stays on that page and does not change the url even though the vars are not in the db.
i give it localhost/john/login.php?uniqueID=BmWDLlkcyU&compID=2&tempID=22
, but tempID 22 does not exist so i want it to revert to login.php
$uniqueID = $_GET['uniqueID'];
$compid = $_GET['compID'];
$tempID = $_GET['tempID'];
$checkUnique = mysqli_query($conn, "SELECT unique_id from answers WHERE unique_id = '$uniqueID' and template_id = '$tempID'");
$checkComp = mysqli_query($conn, "SELECT company_id from t_list WHERE company_id = '$compid'");
if(!$checkUnique)
{
header("Location: login.php");
exit;
}
else if(!$checkComp)
{
header("Location: login.php");
exit;
}
do this way
$checkUniquerowcount=mysqli_num_rows($checkUnique);
$checkComprowcount=mysqli_num_rows($checkComp);
and check for
if( $checkUniquerowcount > 0 && $checkComprowcount >0 )
{
}
else
{
header("Location: login.php");
exit;
}