I currently have a website that users log in and uses sessions.
The currently login and use the " users " table and it directs them to the appropriate page. I have another table that stores other details about the user.
I wish to display information to them from this other table, but they are controlled by their username in a session, Can I link the second table?
You can add a column on your table to set who is allowed to view that link by adding a user type definition to your table of users.
user_privilege = set(admin, customer, stupid)
Then check user privileges
Related
I made a login function with bruteforce protection, different bot protection functions like honeypot.., input filtering, Argon2 encrypted password.
But in the end to identify the user i save the id inside a session after a successful login.
With this id until now i checked if the column "admin" has the value 1 or 0.
If this value is 1 the user can do everything.
How i could improve the security ?
How else i could check if a user is an admin ?
You should do as I will direct you
As long as you have user id in act so it's half of the way
I will assume that you have function.php which have all the functions you use in website
Also you have login function that check user account details and give access
You now need to improve that to restrict user access
First:
Create table in MySQL call it group this table will have two records or as you like so. Admin will have id 1 and members id 2 then you can make much modifications like make another column in that table called upload and set admin to yes while members to no
Second in your login function use the following
$res = mysql_query("SELECT * FROM users INNER JOIN group ON users.class=group.group_id WHERE users.enabled='yes' AND users.status = 'confirmed'") or die(mysql_error());
$row = mysql_fetch_array($res);
Users.class is the group id and users is the table users
Now you can check group credits as example if on upload page you do the following
if($row["can_upload"]=="no")
echo("admin only can upload ");
You can check credentials on group as you need also you can make much classes like admin , members, uploders, reviewers,authors and give every class special permissions as website content is viewed
On admin.php you can use
if($row["admin"]=="no")
ech("admin only can view this page ");
In both examples above Admin and can_upload is colum in group table and it's changed by user class .
I want to allow users to enter up to 5 tags tag like a company name, or charity their associated with. When a user clicks on that tag, it will take them to a page with all the users associated with that tag.
example: If somebody enters CBS, it will show all users associated with CBS.
I know I can add a unique index to keep users from entering duplicate content like stated here , but won't that keep users from being able to enter a company they are associated with if it already exist in the database.
I don't wan't duplicates in the database, but do wan't to allow users the choice to pick companies that may already exists in the database submitted from other users.
This database will hold only data submitted from the users.
I am using larval 5
my database looks like this:
Users
id|username|email
Tags
id|tags
usertags
id|userId|tagId
You can use the validate in request file of laravel
Use Unique based on the tag(and/or)comment & user id
It will help you to get data what you are expecting
refer laravel document also
I'v got a registeration code which inserts user details into the table that I chose.
The problem is that I added a "confirm code" to the user, so every account is needed to verify his user through his mail. After the confirmation is done, the Column "confirmation" changes to "confirmed". If the user does not verify his account, the confirm code will stay in the "confirmation" Column.
The problem is that I made a table in html, which uses the DB in order to show the active users.
I don't want that the not-confirmed users will appear in the tbale, so I tried to add some conditions:
$cu = mysql_query("SELECT * FROM `users` where uname='$uname' && confirmation='confirmed'");
$cu = mysql_fetch_array($cu);
and another one :
$select2 = mysql_query("SELECT * FROM `users` WHERE uname='$uname' && confirmation='confirmed'");
It's working.. but only half way. I mean, when the not-confirmed user tries to log in, it shows him a blank page. It's ok, cuz I don't want the non-confirmed users will log in.
But... the confirmed users still see the not-cofirmed users in the active users table..
It's like the table doesn't even checks if the user is confirmed or not, it's just shows him either way.
So I thought about a way in which users will move to another table, called "hold", which will consist of all the non-confirmed users. Then, every user who will verify his account, the sql will recognize it and when the confirmation columm is changed to "confirmed", it's going to move the user to the "users" table, so his name will appear in the active user table.
How can I do it? How can I "make" the sql table to auto recongize if the user is confirmed or not, and move him to another table..
or.. if is there any way to "hide" the not-confirmed users from the active users table, it's also fine.
Thanks alot :)
Basically either you need to setup a cron which check if the user is not confirmed then move to hold tabe or write a trigger in mysql whenever any user got confirmed.
You can get the last result and insert after the last result.
See this example:
$sql = mysql_query("
INSERT INTO tabel_name(col1, col2,col3) values('foo','bar','some');
INSERT INTO table_name2(col,col2) SELECT col2,col3 FROM tabel_name
ORDER BY id DESC LIMIT 1;
");
I have four different types of users login in to my website like admin, superadmin, company, and employees. Each of them have different set of pages to see but some common pages as well. Now I am having four different tables to manage them with same login screen for admin and superadmin. When either admin or superadmin logs in I will go and check two tables one by one before giving access. I have a separate login screens for company and employees. Is this the accepted way of doing it?
Actually, I want this to be changed to a single table with all users in it and a role table to differentiate the roles. I believe a four-table concept is really bad. I can't simply make it to one table because the previous developer had a habit of saving user comments and user activities in text files which is used on website.
Am I right in the way I think that a four-table login system is bad? Is storing logs in a text file that are directly used in website a good idea or not?
You have 4 tables? Just use one user table and a field that can either be 'admin', 'superadmin', 'company' or 'employees'. Then you can have unlimited types of accounts. (I would do number codes like 1,2,3 or 4 instead of string codes or ENUM type field).
But yeah, your single table idea is fine. If you want a role table, do a foreign key to your role field and link it to your role table. You can have a single login too instead of different ones for different users and check for privileges based off that foreign key value.
Here's my suggestion,
Instead of using four tables for your users, it would be better to use one.
You can create you basic user table like this (change rank to what suits your site/script):
ID username password email bla bla bla rank
So instead of using four tables, you can make your PHP script check if the user has the desired access level.
Here's a simple function to protect pages from lower access level users:
function required_level($level){
$user_level = mysql_return(mysql_query("SELECT $rank FROM `Accounts` WHERE `user_id` = $user_id"));
if($user_level<$level){
header("Location:index.php");
}
}
Then on each page you want to protect from lower level users accessing it. You can just call required_level(4); and the page will only allow users with this level or over to access the page.
Example:
Bob is a employee so he has a user rank of 1,
Joe is a superadmin so he has a user rank of 4
Both users login normally, and both try to access admin.php.
admin.php starts with required_level(4); so Bob would be redirected to the home page (you can also pass an error) but, Joe would be bale to access this page because his rank is the same or above what is required to access this page.
So, here's my super long explanation on what you can do! I hope this helps and gives you some ideas on how to make your user tables better and easier to create protect pages :)
First of all, you can do the whole thing with a single table. In that table you should have fields like username, password, typeofuser and other necessary information.
Retrieve user information like:
$username = $_POST['username']; //Retrieving a username from HTML login form
$row = mysql_query(sprintf("SELECT * FROM table WHERE username ='%s'", mysql_real_escape_string($username))); //Retrieving a row from the database
$res = mysql_fetch_array($row);
$type = $row['typeofuser']; //Retrieving whether it is administrator, super administrator, user, etc.
if ($type == "admin")
header(Loction:adminpge);
Similarly, you can check any type of user and can redirect to another page.
I am currently setting up Open ID authentication in my website and I am having troubles incorporating it with my current Login System and database... I've read the article at Plaxo & it recommends this type of table to store the openid info...
create table user_openids (
openid_url varchar(255) not null,
primary key (openid_url),
user_id int not null,
index (user_id)
);
This is my current Users-info table
Userid(PRIMARY) | username(UNIQUE) | password | Email
Userid is used to reference user-details for comments, ratings etc. (So it goes into the comments table and the ratings table as a User identifier)
I want a system similar to what Stack overflow uses just login using your Open ID and it gives you an unknown(OPENID-provider) display name.... while keeping my current login system intact.
1) How can I add Open ID details of users to my current Users-Info Table without affecting the current login setup?
2) Currently I use User-id(generated unique for every user) to store in the session to maintain Login. What should I do now in case of Open ID?
*My Thoughts(I don't know if I am right or not)
- Add an open-id field to store the unique open id url provided by the open id provider for each user and set it to null for non-open-id-users.
- Make User-id a text field and store a md5 of the open id url.(store this in session to maintain Login).
- I have no idea how can I handle Display-name/Username which is set to unique for each user because I would like to show unknown(OPENID_provider) (for users using open-id) which can be changed from the profile settings...
Any suggestions would be helpful....Thanks
The idea with the table layout you show is to have a 1:many from users:openids.
Thus, no changes to the users table are needed.
When someone logs in with an OpenID, you check if that OpenID is in the openids table. If so, you have the user_id of the user and you are done.
Otherwise create a new user (with no username/password set) and insert an (openid,user_id) pair for them into the openids table.
You template can display whatever nice placeholder (such as their OP, or whatever) where it would normally display username for users whose username is blank.
Hopefully you already disallow logging in with blank passwords, so there should be no security issue there.
What about this?
Add a display_name column to the users table, which doesn't have to be unique.
Make username and password in users optional
When somebody registers with OpenID, create a row in users with empty username/password and display name set to "unkonwn (provider)".
Allow users to set username/password, if they want to switch to password-based login.
Allow users to manage their OpenIDs, so that existing users can switch to OpenID-based login.
This means that users can have username/password, but they don't have to. They also can have one or multiple OpenIDs, but they don't have to. They can use non-unique display name.
Option 1: Only one login type is allowed
Here's my suggestion (UPDATED to prevent the need to edit all business logic related to username):
Create a new column called loginid to allow the storage of OpenIDs and old usernames, Add the UNIQUE INDEX on this column as well.
Populate loginid with existing data from username
DELETE INDEX from username to allow them to be non-unique. When creating a new user from OpenID, set username value to unknown(google) as described.
Keep password for legacy logins, ignore it for OpenID.
Update only the AUTH portion of your code to look for loginid rather than username.
Option 2: Allow multiple logins (also easily extends to linking multiple profiles from various sources)
Create a new table to stand as a master user table and contain all required fields per user (maybe email from your example above).
Create a table to store authentication containing: userid (FK to master record), username (stores the username appropriate to the login scheme), password
There are obviously flaws with both of these options, but it will hopefully get you started in the right direction.